Add camera HAL sepolicy based on previous chip family.
The camera HAL code is reused from the previous chip and needs to
perform the same operations as previously, with the following
differences:
- The interrupt affinity workaround may no longer be necessary
due to image sensor changes, so the ability to set interrupt
affinity is removed.
- Access to some files that were only present before the APEX
migration is removed.
- vendor_camera_tuning_file is no longer needed.
- TEE access for face auth is removed for now.
Bug: 205904406
Bug: 205657132
Bug: 205780186
Bug: 205072921
Bug: 205657133
Bug: 205780065
Bug: 204718762
Bug: 207300298
Bug: 209889068
Bug: 210067468
Test: Ensure that the policy builds; I don't have access to target
hardware at the moment.
Change-Id: Ia70b98d4e1f3a156a5e719f0d069a90579b6a247
This commit is contained in:
Krzysztof Kosiński
parent
ef2c46c2f4
commit
b76b5e3872
4 changed files with 78 additions and 53 deletions
|
|
@ -1,54 +1,7 @@
|
|||
# b/204718762
|
||||
dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
|
||||
dontaudit hal_camera_default hal_power_service:service_manager { find };
|
||||
# b/205072921
|
||||
dontaudit hal_camera_default kernel:process { setsched };
|
||||
dontaudit hal_camera_default vendor_camera_prop:file { getattr };
|
||||
dontaudit hal_camera_default vendor_camera_prop:file { map };
|
||||
dontaudit hal_camera_default vendor_camera_prop:file { open };
|
||||
dontaudit hal_camera_default vendor_camera_prop:file { read };
|
||||
dontaudit hal_camera_default vendor_camera_prop:property_service { set };
|
||||
# b/205657133
|
||||
dontaudit hal_camera_default edgetpu_device:chr_file { ioctl };
|
||||
dontaudit hal_camera_default edgetpu_device:chr_file { map };
|
||||
dontaudit hal_camera_default edgetpu_device:chr_file { open };
|
||||
dontaudit hal_camera_default edgetpu_device:chr_file { read write };
|
||||
dontaudit hal_camera_default gpu_device:chr_file { getattr };
|
||||
dontaudit hal_camera_default gpu_device:chr_file { ioctl };
|
||||
dontaudit hal_camera_default gpu_device:chr_file { map };
|
||||
dontaudit hal_camera_default gpu_device:chr_file { open };
|
||||
dontaudit hal_camera_default gpu_device:chr_file { read write };
|
||||
dontaudit hal_camera_default lwis_device:chr_file { ioctl };
|
||||
dontaudit hal_camera_default lwis_device:chr_file { open };
|
||||
dontaudit hal_camera_default lwis_device:chr_file { read };
|
||||
dontaudit hal_camera_default lwis_device:chr_file { write };
|
||||
dontaudit hal_camera_default vndbinder_device:chr_file { ioctl };
|
||||
dontaudit hal_camera_default vndbinder_device:chr_file { map };
|
||||
dontaudit hal_camera_default vndbinder_device:chr_file { open };
|
||||
dontaudit hal_camera_default vndbinder_device:chr_file { read };
|
||||
dontaudit hal_camera_default vndbinder_device:chr_file { write };
|
||||
# b/205780065
|
||||
dontaudit hal_camera_default apex_info_file:file { getattr };
|
||||
dontaudit hal_camera_default apex_info_file:file { open };
|
||||
dontaudit hal_camera_default apex_info_file:file { read };
|
||||
dontaudit hal_camera_default apex_info_file:file { watch };
|
||||
dontaudit hal_camera_default mnt_vendor_file:dir { search };
|
||||
dontaudit hal_camera_default persist_file:dir { search };
|
||||
dontaudit hal_camera_default system_data_file:dir { search };
|
||||
dontaudit hal_camera_default vendor_camera_data_file:dir { getattr };
|
||||
dontaudit hal_camera_default vendor_camera_data_file:dir { open };
|
||||
dontaudit hal_camera_default vendor_camera_data_file:dir { read };
|
||||
dontaudit hal_camera_default vendor_camera_data_file:dir { search };
|
||||
dontaudit hal_camera_default vendor_camera_data_file:file { open };
|
||||
dontaudit hal_camera_default vendor_camera_data_file:file { read };
|
||||
# b/205904406
|
||||
dontaudit hal_camera_default hal_camera_default:capability { sys_nice };
|
||||
dontaudit hal_camera_default hal_power_default:binder { call };
|
||||
dontaudit hal_camera_default hal_radioext_default:binder { call };
|
||||
dontaudit hal_camera_default init:unix_stream_socket { connectto };
|
||||
dontaudit hal_camera_default property_socket:sock_file { write };
|
||||
dontaudit hal_camera_default system_server:binder { call };
|
||||
# b/207300298
|
||||
dontaudit hal_camera_default vendor_camera_data_file:file { getattr };
|
||||
# b/210067468
|
||||
dontaudit hal_camera_default persist_camera_file:dir { search };
|
||||
|
|
|
|||
|
|
@ -1,13 +1,80 @@
|
|||
hal_client_domain(hal_camera_default, hal_power);
|
||||
type hal_camera_default_tmpfs, file_type;
|
||||
|
||||
allow hal_camera_default self:global_capability_class_set sys_nice;
|
||||
|
||||
binder_use(hal_camera_default);
|
||||
vndbinder_use(hal_camera_default);
|
||||
|
||||
allow hal_camera_default lwis_device:chr_file rw_file_perms;
|
||||
allow hal_camera_default gpu_device:chr_file rw_file_perms;
|
||||
allow hal_camera_default sysfs_chip_id:file r_file_perms;
|
||||
|
||||
# Allow the camera hal to access the EdgeTPU service and the
|
||||
# Android shared memory allocated by the EdgeTPU service for
|
||||
# on-device compilation.
|
||||
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
|
||||
allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
|
||||
allow hal_camera_default sysfs_edgetpu:file r_file_perms;
|
||||
allow hal_camera_default edgetpu_vendor_service:service_manager find;
|
||||
binder_call(hal_camera_default, edgetpu_vendor_server)
|
||||
binder_use(hal_camera_default)
|
||||
|
||||
allow hal_camera_default fwk_stats_service:service_manager find;
|
||||
# Allow access to data files used by the camera HAL
|
||||
allow hal_camera_default mnt_vendor_file:dir search;
|
||||
allow hal_camera_default persist_file:dir search;
|
||||
allow hal_camera_default persist_camera_file:dir rw_dir_perms;
|
||||
allow hal_camera_default persist_camera_file:file create_file_perms;
|
||||
allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
|
||||
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
|
||||
|
||||
# Allow camera HAL to query preferred camera frequencies from the radio HAL
|
||||
# extensions to avoid interference with cellular antennas.
|
||||
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
|
||||
# Allow creating dump files for debugging in non-release builds
|
||||
userdebug_or_eng(`
|
||||
allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
|
||||
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
|
||||
')
|
||||
|
||||
# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
|
||||
# compiled into the shared libraries with cc_embed_data rules
|
||||
tmpfs_domain(hal_camera_default);
|
||||
|
||||
# Allow access to camera-related system properties
|
||||
set_prop(hal_camera_default, vendor_camera_prop);
|
||||
set_prop(hal_camera_default, log_tag_prop);
|
||||
get_prop(hal_camera_default, vendor_camera_debug_prop);
|
||||
userdebug_or_eng(`
|
||||
set_prop(hal_camera_default, vendor_camera_fatp_prop);
|
||||
set_prop(hal_camera_default, vendor_camera_debug_prop);
|
||||
')
|
||||
|
||||
# For camera hal to talk with rlsservice
|
||||
allow hal_camera_default rls_service:service_manager find;
|
||||
binder_call(hal_camera_default, rlsservice)
|
||||
|
||||
hal_client_domain(hal_camera_default, hal_graphics_allocator);
|
||||
hal_client_domain(hal_camera_default, hal_graphics_composer)
|
||||
hal_client_domain(hal_camera_default, hal_power);
|
||||
hal_client_domain(hal_camera_default, hal_thermal);
|
||||
|
||||
# Allow access to sensor service for sensor_listener
|
||||
binder_call(hal_camera_default, system_server);
|
||||
|
||||
# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
|
||||
allow hal_camera_default eco_service:service_manager find;
|
||||
binder_call(hal_camera_default, mediacodec);
|
||||
|
||||
# Allow camera HAL to query preferred camera frequencies from the radio HAL
|
||||
# extensions to avoid interference with cellular antennas.
|
||||
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
|
||||
binder_call(hal_camera_default, hal_radioext_default);
|
||||
|
||||
# Allow camera HAL to connect to the stats service.
|
||||
allow hal_camera_default fwk_stats_service:service_manager find;
|
||||
|
||||
# For observing apex file changes
|
||||
allow hal_camera_default apex_info_file:file r_file_perms;
|
||||
|
||||
# Allow camera HAL to query current device clock frequencies.
|
||||
allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
|
||||
|
||||
# allow camera HAL to read backlight of display
|
||||
allow hal_camera_default sysfs_leds:dir r_dir_perms;
|
||||
allow hal_camera_default sysfs_leds:file r_file_perms;
|
||||
|
|
|
|||
|
|
@ -12,6 +12,8 @@ vendor_internal_prop(vendor_secure_element_prop)
|
|||
vendor_internal_prop(vendor_battery_profile_prop)
|
||||
vendor_internal_prop(vendor_battery_defender_prop)
|
||||
vendor_internal_prop(vendor_camera_prop)
|
||||
vendor_internal_prop(vendor_camera_debug_prop)
|
||||
vendor_internal_prop(vendor_camera_fatp_prop)
|
||||
vendor_internal_prop(vendor_usb_config_prop)
|
||||
vendor_internal_prop(vendor_tcpdump_log_prop)
|
||||
vendor_internal_prop(vendor_device_prop)
|
||||
|
|
|
|||
|
|
@ -71,7 +71,10 @@ vendor.wlan.firmware.version u:object_r:vendor_wifi_version:s0
|
|||
ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
|
||||
|
||||
# Camera
|
||||
persist.vendor.camera. u:object_r:vendor_camera_prop:s0
|
||||
vendor.camera. u:object_r:vendor_camera_prop:s0
|
||||
vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
|
||||
vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
|
||||
|
||||
# for logger app
|
||||
persist.vendor.pixellogger. u:object_r:vendor_logger_prop:s0
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue