From 51c91e5bdf1e21b54a5c05635a7da08df3678294 Mon Sep 17 00:00:00 2001 
From: Mark su Date: Wed, 12 Apr 2023 09:24:53 +0000 Subject: [PATCH] Add video12 as hw_jpg_device and enable it for debug_camera_app Test: 05-05 05:07:06.652 4616 4616 W FinishThread: type=1400 audit(0.0:24): avc: denied { read write } for name="video12" dev="tmpfs" ino=646 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0 app=com.google.android.GoogleCameraEng 05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:36): avc: denied { read } for name="lib_jpg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_data_file:s0 tcl ass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:37): avc: denied { open } for path="/vendor/lib64/lib_j pg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_da ta_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:46:00.260 4784 4784 I FinishThread: type=1400 audit(0.0:29): avc: denied { execute } for path="/vendor/lib64/ libhwjpeg.so" dev="dm-50" ino=55596 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_d ata_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:36): avc: denied { getattr } for path="/vendor/lib64/ lib_jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_ca mera_data_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng 05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:37): avc: denied { map } for path="/vendor/lib64/lib_ jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera _data_file:s0 tclass=file permissive=1 
app=com.google.android.GoogleCameraEng binder:7312_2: type=1400 audit(0.0:18): avc: denied { read write } for name="video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:19): avc: denied { open } for path="/dev/video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:20): avc: denied { ioctl } for path="/dev/video12" dev="tmpfs" ino=680 ioctlcmd=0x5600 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1 05-08 22:28:37.700 7312 7312 I binder:7312_2: type=1400 audit(0.0:21): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=167 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1 Bug: 267820687 Change-Id: I69f502d721f683d3532038d618f5fafc83f38b6b --- vendor/debug_camera_app.te | 3 +++ vendor/device.te | 4 ++++ vendor/file_contexts | 3 +++ vendor/hal_camera_default.te | 3 +++ 4 files changed, 13 insertions(+) diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te index 4199b078..c55f64e3 100644 --- a/vendor/debug_camera_app.te +++ b/vendor/debug_camera_app.te @@ -20,4 +20,7 @@ userdebug_or_eng(` # Allows GCA_Eng & GCA-Next to access the PowerHAL. hal_client_domain(debug_camera_app, hal_power) + + # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12. + allow debug_camera_app hw_jpg_device:chr_file rw_file_perms; ') diff --git a/vendor/device.te b/vendor/device.te index 0c93859c..f63086db 100644 --- a/vendor/device.te +++ b/vendor/device.te 
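Review bot: The added `allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;` grants `ioctl` with no `allowxperm` filter, so the app domain can issue every ioctl command the /dev/video12 driver implements. The commit message records only `ioctlcmd=0x5600`, and that one comes from hal_camera_default. Once the full command list is known I would pin it with `allowxperm debug_camera_app hw_jpg_device:chr_file ioctl { <VIDIOC_* commands actually used> };`. The same applies to `allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;` in the vendor/hal_camera_default.te hunk, which is not wrapped in `userdebug_or_eng` and so ships on user builds. The enclosing `userdebug_or_eng(` block starts outside this hunk.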
@@ -6,6 +6,10 @@ type mfg_data_block_device, dev_type; type ufs_internal_block_device, dev_type; type logbuffer_device, dev_type; type gxp_device, dev_type, mlstrustedobject; +type hw_jpg_device, dev_type; +userdebug_or_eng(` + typeattribute hw_jpg_device mlstrustedobject; +') type fingerprint_device, dev_type; type uci_device, dev_type; diff --git a/vendor/file_contexts b/vendor/file_contexts index ac2afaaf..aab91964 100644 --- a/vendor/file_contexts +++ b/vendor/file_contexts @@ -37,6 +37,8 @@ # Vendor libraries /vendor/lib(64)?/libgxp\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/gxp_metrics_logger\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/lib_jpg_encoder\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libhwjpeg\.so u:object_r:same_process_hal_file:s0 # Vendor /data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0 @@ -198,6 +200,7 @@ /dev/dma_heap/vscaler-secure u:object_r:vscaler_secure_heap_device:s0 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0 /dev/uci u:object_r:uci_device:s0 +/dev/video12 u:object_r:hw_jpg_device:s0 # Raw HID device /dev/hidraw[0-9]* u:object_r:hidraw_device:s0 diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te index 56189163..92e5cd47 100644 --- a/vendor/hal_camera_default.te +++ b/vendor/hal_camera_default.te @@ -80,6 +80,9 @@ allow hal_camera_default sysfs_leds:file r_file_perms; allow hal_camera_default hal_radioext_hwservice:hwservice_manager find; binder_call(hal_camera_default, hal_radioext_default); +# Allows camera HAL to access the hw_jpeg /dev/video12. +allow hal_camera_default hw_jpg_device:chr_file rw_file_perms; + # For camera hal to talk with rlsservice allow hal_camera_default rls_service:service_manager find; binder_call(hal_camera_default, rlsservice)
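Review bot: The `typeattribute hw_jpg_device mlstrustedobject;` line in the vendor/device.te hunk has no comment explaining why the MLS exemption is needed. Among the visible declarations it is the only one that adds the attribute conditionally. Judging by the denials in the commit message, the reason is presumably that debug_camera_app runs with categories (`s0:c32,c257,c512,c768`) and could not otherwise write to an `s0` device node. I would record that above the block with `# mlstrustedobject on debug builds only: lets the category-confined debug_camera_app open /dev/video12`. Keeping it inside `userdebug_or_eng` looks like the right scope, since this change grants the device to no app domain on user builds.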
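Review bot: In the first vendor/file_contexts hunk, labelling `lib_jpg_encoder.so` and `libhwjpeg.so` as `same_process_hal_file` is not limited to debug builds, unlike the app rule in vendor/debug_camera_app.te. In AOSP base policy that type is readable and executable by every domain, so both libraries become loadable by any process on user builds. The denials in the commit message show only debug_camera_app needing them. If the wider label is intended, a comment such as `# hw JPEG encoder libs, loaded in-process by camera clients (b/267820687)` above the two entries would make the reason reviewable. Otherwise a dedicated type granted only to the domains that load them would be tighter.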
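Review bot: The `/dev/video12` entry in the second vendor/file_contexts hunk ties the `hw_jpg_device` label to a fixed V4L2 node number, and nothing in the change documents that the JPEG block always registers as video12. If the numbering shifts, for example after a probe-order change or an added video driver, the JPEG node would fall back to `video_device`, the label seen in the first denial of the commit message. Whatever device then lands on video12 would become readable and writable by hal_camera_default and debug_camera_app. I would add `# hw JPEG encoder; index must match the node number the driver registers` above the entry and confirm the driver requests that number explicitly rather than taking the first free one.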