From b068bb3f643aa1b262c1cc5998de560028523939 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Tue, 17 Jan 2023 03:15:28 +0000
Subject: [PATCH] Allow camera HAL and GCA to access GXP device.

The camera HAL and Google Camera App need selinux permission to run workloads on Aurora DSP. This change adds the selinux rules too allow these clients to access the GXP device in order to execute workloads on DSP.
Bug: 264321380
Test: Verified that the camera HAL service and GCA app is able to access the GXP device.
Change-Id: I125650b4841b4cbdc50077a0d80b113b02699de8
---
 legacy/whitechapel_pro/file_contexts | 2 --
 tracking_denials/hal_camera_default.te | 4 ----
 vendor/file_contexts | 4 ++++
 vendor/google_camera_app.te | 2 ++
 vendor/hal_camera_default.te | 3 +++
 5 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index fd76aad0..dfaeeb9e 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -6,7 +6,6 @@
 # Vendor Firmwares
 /vendor/firmware/mali_csffw\.bin u:object_r:same_process_hal_file:s0
-/vendor/firmware/gxp_fw_core[0-3] u:object_r:same_process_hal_file:s0
 # Vendor libraries
 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
@@ -20,7 +19,6 @@
 /vendor/lib(64)?/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
 # Graphics
 /vendor/lib(64)?/hw/vulkan\.mali\.so u:object_r:same_process_hal_file:s0
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 3ebc8e5e..abc4811d 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -1,7 +1,3 @@
-# b/264321380
-dontaudit hal_camera_default gxp_device:chr_file { ioctl };
-dontaudit hal_camera_default gxp_device:chr_file { open };
-dontaudit hal_camera_default gxp_device:chr_file { read write };
 # b/264489778
 userdebug_or_eng(`
 permissive hal_camera_default;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 91a43c96..5844226d 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -31,6 +31,10 @@
 /vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
 /vendor/lib64/arm\.mali\.platform-V1-ndk\.so u:object_r:same_process_hal_file:s0
+# Vendor libraries
+/vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0
+
+
 # persist
 /mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
 /mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index 0ab7b06a..a87b37c4 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,3 +1,5 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
+# Allows camera app to access the GXP device.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index f59be53c..7acd698e 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -23,6 +23,9 @@ allow hal_camera_default persist_camera_file:file create_file_perms;
 allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
 allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+# Allow the camera hal to access the GXP device.
+allow hal_camera_default gxp_device:chr_file rw_file_perms;
+
 # Allow creating dump files for debugging in non-release builds
 userdebug_or_eng(`
 allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
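Review bot: The `/vendor/firmware/gxp_fw_core[0-3]` entry deleted from legacy/whitechapel_pro/file_contexts is not re-added next to the moved `libgxp\.so` line, so those firmware files presumably fall under the `/vendor/firmware(/.*)?` catch-all visible in this hunk's context and change label from `same_process_hal_file` to `vendor_fw_file`. The commit message does not mention that relabel; if it is intended, a comment such as `# gxp_fw_core[0-3] is covered by the vendor_fw_file catch-all above` would record it, and if it is not, whichever client loads the firmware needs read access to `vendor_fw_file`, which this patch does not show. The two consecutive added blank lines after the `libgxp` entry could be reduced to one.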
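Review bot: `rw_file_perms` on `gxp_device:chr_file` includes `ioctl`, and no `allowxperm` rule is visible in this patch, so the app domain would be able to issue every ioctl command the GXP driver implements. For an app domain that is more kernel attack surface than running DSP workloads is likely to need; consider pairing the rule with an ioctl allowlist, e.g. `allowxperm google_camera_app gxp_device:chr_file ioctl { <GXP ioctl commands the app actually uses> };` (placeholder, the command set is not shown on this page). The same applies to the `hal_camera_default` rule added in vendor/hal_camera_default.te. Since this domain is declared `coredomain` and is now granted a vendor device node, the comment should also name the tracking bug, e.g. `# Allow the camera app to run DSP workloads via the GXP device (b/264321380).`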
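Review bot: The context of the tracking_denials/hal_camera_default.te hunk shows `permissive hal_camera_default;` still set under `userdebug_or_eng`, so on those builds the HAL can open the GXP device whether or not the new `allow` rule here is correct or sufficient. The `Test:` line does not say which build type was used; verification should be done on an enforcing (user) build, or by confirming that no `avc: denied` entries for `gxp_device` appear in the log now that the `dontaudit` lines are gone. The comment could also reference the bug for later audits, e.g. `# Allow the camera HAL to run DSP workloads via the GXP device (b/264321380).`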