Add video12 as hw_jpg_device and enable it for debug_camera_app

Test: 05-05 05:07:06.652 4616 4616 W FinishThread: type=1400 audit(0.0:24): avc: denied { read write } for name="video12" dev="tmpfs" ino=646 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0 app=com.google.android.GoogleCameraEng 05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:36): avc: denied { read } for name="lib_jpg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_data_file:s0 tcl ass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:37): avc: denied { open } for path="/vendor/lib64/lib_j pg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_da ta_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:46:00.260 4784 4784 I FinishThread: type=1400 audit(0.0:29): avc: denied { execute } for path="/vendor/lib64/ libhwjpeg.so" dev="dm-50" ino=55596 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_d ata_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:36): avc: denied { getattr } for path="/vendor/lib64/ lib_jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_ca mera_data_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:37): avc: denied { map } for path="/vendor/lib64/lib_ jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera _data_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng binder:7312_2: type=1400 audit(0.0:18): avc: denied { read write } for name="video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:19): avc: denied { open } for path="/dev/video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:20): avc: denied { ioctl } for path="/dev/video12" dev="tmpfs" ino=680 ioctlcmd=0x5600 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.700 7312 7312 I binder:7312_2: type=1400 audit(0.0:21): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=167 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 Bug: 267820687 Change-Id: I69f502d721f683d3532038d618f5fafc83f38b6b
2023-04-12 09:24:53 +00:00 · 2023-04-12 09:24:53 +00:00 · 51c91e5bdf
commit 51c91e5bdf
parent 23440aa9df
4 changed files with 13 additions and 0 deletions
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@ -20,4 +20,7 @@ userdebug_or_eng(`

 	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
 	hal_client_domain(debug_camera_app, hal_power)
+
+	# Allows  GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
+	allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
 ')
--- a/vendor/device.te
+++ b/vendor/device.te
@ -6,6 +6,10 @@ type mfg_data_block_device, dev_type;
 type ufs_internal_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type, mlstrustedobject;
+type hw_jpg_device, dev_type;
+userdebug_or_eng(`
+  typeattribute hw_jpg_device mlstrustedobject;
+')
 type fingerprint_device, dev_type;
 type uci_device, dev_type;

--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -37,6 +37,8 @@
 # Vendor libraries
 /vendor/lib(64)?/libgxp\.so                                                 u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/gxp_metrics_logger\.so                                     u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/lib_jpg_encoder\.so                                        u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libhwjpeg\.so                                              u:object_r:same_process_hal_file:s0

 # Vendor
 /data/vendor/bluetooth(/.*)?                                                u:object_r:vendor_bt_data_file:s0
@ -198,6 +200,7 @@
 /dev/dma_heap/vscaler-secure                                                u:object_r:vscaler_secure_heap_device:s0
 /dev/dma_heap/vstream-secure                                                u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/uci                                                                    u:object_r:uci_device:s0
+/dev/video12                                                                u:object_r:hw_jpg_device:s0

 # Raw HID device
 /dev/hidraw[0-9]*                                                           u:object_r:hidraw_device:s0
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@ -80,6 +80,9 @@ allow hal_camera_default sysfs_leds:file r_file_perms;
 allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
 binder_call(hal_camera_default, hal_radioext_default);

+# Allows camera HAL to access the hw_jpeg /dev/video12.
+allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;
+
 # For camera hal to talk with rlsservice
 allow hal_camera_default rls_service:service_manager find;
 binder_call(hal_camera_default, rlsservice)