Evolution-X-Tensor/device_google_gs201
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
device_google_gs201/whitechapel_pro/hal_camera_default.te
Michael Eastwood 07bf62c387 Update SELinux policy to allow camera HAL to send Perfetto trace packets 
Example denials:

03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:31): avc: denied { use } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:r:tr
aced:s0 tclass=fd permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:32): avc: denied { read write } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext
=u:object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:33): avc: denied { getattr } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:
object_r:traced_tmpfs:s0 tclass=file permissive=1
03-04 04:25:37.524   823   823 I TracingMuxer: type=1400 audit(0.0:34): avc: denied { map } for path=2F6D656D66643A706572666574746F5F73686D656D202864656C6574656429 dev="tmpfs" ino=20229 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:traced_tmpfs:s0 tclass=file permissive=1

Bug: 222684359
Test: Build and push new SELinux policy. Verify that trace packets are received by Perfetto.
Change-Id: I443e84c5bcc701c1c983db19280719655ff02080
2022-03-09 01:29:20 +00:00

93 lines
3.9 KiB
Text
Raw Blame History

type hal_camera_default_tmpfs, file_type;
allow hal_camera_default self:global_capability_class_set sys_nice;
allow hal_camera_default kernel:process setsched;
binder_use(hal_camera_default);
vndbinder_use(hal_camera_default);
allow hal_camera_default lwis_device:chr_file rw_file_perms;
allow hal_camera_default gpu_device:chr_file rw_file_perms;
allow hal_camera_default sysfs_chip_id:file r_file_perms;
# Face authentication code that is part of the camera HAL needs to allocate
# dma_bufs and access the Trusted Execution Environment device node
allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_camera_default tee_device:chr_file rw_file_perms;
# Allow the camera hal to access the EdgeTPU service and the
# Android shared memory allocated by the EdgeTPU service for
# on-device compilation.
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
allow hal_camera_default sysfs_edgetpu:file r_file_perms;
allow hal_camera_default edgetpu_vendor_service:service_manager find;
binder_call(hal_camera_default, edgetpu_vendor_server)
# Allow the camera hal to access the GXP device.
allow hal_camera_default gxp_device:chr_file rw_file_perms;
# Allow access to data files used by the camera HAL
allow hal_camera_default mnt_vendor_file:dir search;
allow hal_camera_default persist_file:dir search;
allow hal_camera_default persist_camera_file:dir rw_dir_perms;
allow hal_camera_default persist_camera_file:file create_file_perms;
allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
# Allow creating dump files for debugging in non-release builds
userdebug_or_eng(`
allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
')
# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
# compiled into the shared libraries with cc_embed_data rules
tmpfs_domain(hal_camera_default);
# Allow access to camera-related system properties
set_prop(hal_camera_default, vendor_camera_prop);
set_prop(hal_camera_default, log_tag_prop);
get_prop(hal_camera_default, vendor_camera_debug_prop);
userdebug_or_eng(`
set_prop(hal_camera_default, vendor_camera_fatp_prop);
set_prop(hal_camera_default, vendor_camera_debug_prop);
')
# For camera hal to talk with rlsservice
allow hal_camera_default rls_service:service_manager find;
binder_call(hal_camera_default, rlsservice)
hal_client_domain(hal_camera_default, hal_graphics_allocator);
hal_client_domain(hal_camera_default, hal_graphics_composer)
hal_client_domain(hal_camera_default, hal_power);
hal_client_domain(hal_camera_default, hal_thermal);
# Allow access to sensor service for sensor_listener
binder_call(hal_camera_default, system_server);
# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
allow hal_camera_default eco_service:service_manager find;
binder_call(hal_camera_default, mediacodec);
binder_call(hal_camera_default, mediacodec_samsung);
# Allow camera HAL to query preferred camera frequencies from the radio HAL
# extensions to avoid interference with cellular antennas.
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
binder_call(hal_camera_default, hal_radioext_default);
# Allow camera HAL to connect to the stats service.
allow hal_camera_default fwk_stats_service:service_manager find;
# For observing apex file changes
allow hal_camera_default apex_info_file:file r_file_perms;
# Allow camera HAL to query current device clock frequencies.
allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
# Allow camera HAL to read backlight of display
allow hal_camera_default sysfs_leds:dir r_dir_perms;
allow hal_camera_default sysfs_leds:file r_file_perms;
# Allow camera HAL to send trace packets to Perfetto
userdebug_or_eng(`perfetto_producer(hal_camera_default)')
Reference in a new issue View git blame Copy permalink