Move coredomain seapp contexts to system_ext am: ac8048a4f7

Original change: https://googleplex-android-review.googlesource.com/c/device/google/zuma-sepolicy/+/24354514 Change-Id: I94af7d6ba7a52b5747781bb763f05e5c05b65715 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-08-09 03:56:23 +00:00 · 2023-08-09 03:56:23 +00:00 · 5eb322b197
commit 5eb322b197
parent e93cda1238 ac8048a4f7
13 changed files with 61 additions and 60 deletions
--- a/private/debug_camera_app.te
+++ b/private/debug_camera_app.te
@ -0,0 +1,16 @@
+typeattribute debug_camera_app coredomain;
+
+userdebug_or_eng(`
+	app_domain(debug_camera_app)
+	net_domain(debug_camera_app)
+
+	allow debug_camera_app app_api_service:service_manager find;
+	allow debug_camera_app audioserver_service:service_manager find;
+	allow debug_camera_app cameraserver_service:service_manager find;
+	allow debug_camera_app mediaextractor_service:service_manager find;
+	allow debug_camera_app mediametrics_service:service_manager find;
+	allow debug_camera_app mediaserver_service:service_manager find;
+
+	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
+	hal_client_domain(debug_camera_app, hal_power)
+')
--- a/private/google_camera_app.te
+++ b/private/google_camera_app.te
@ -0,0 +1,16 @@
+typeattribute google_camera_app coredomain;
+app_domain(google_camera_app)
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@ -0,0 +1,11 @@
+# Google Camera
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
--- a/public/debug_camera_app.te
+++ b/public/debug_camera_app.te
@ -0,0 +1 @@
+type debug_camera_app, domain;
--- a/public/google_camera_app.te
+++ b/public/google_camera_app.te
@ -0,0 +1 @@
+type google_camera_app, domain;
--- a/system_ext/private/pixeldisplayservice_app.te
+++ b/system_ext/private/pixeldisplayservice_app.te
@ -0,0 +1,11 @@
+typeattribute pixeldisplayservice_app coredomain;
+
+app_domain(pixeldisplayservice_app);
+
+allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
+allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow pixeldisplayservice_app app_api_service:service_manager find;
+
+allow pixeldisplayservice_app cameraserver_service:service_manager find;
--- a/system_ext/private/seapp_contexts
+++ b/system_ext/private/seapp_contexts
@ -1,3 +1,6 @@
 # SystemUI
 user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
 user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
+
+# PixelDisplayService
+user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
--- a/system_ext/public/pixeldisplayservice_app.te
+++ b/system_ext/public/pixeldisplayservice_app.te
@ -0,0 +1 @@
+type pixeldisplayservice_app, domain;
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@ -1,16 +1,4 @@
-type debug_camera_app, domain, coredomain;
-
 userdebug_or_eng(`
-	app_domain(debug_camera_app)
-	net_domain(debug_camera_app)
-
-	allow debug_camera_app app_api_service:service_manager find;
-	allow debug_camera_app audioserver_service:service_manager find;
-	allow debug_camera_app cameraserver_service:service_manager find;
-	allow debug_camera_app mediaextractor_service:service_manager find;
-	allow debug_camera_app mediametrics_service:service_manager find;
-	allow debug_camera_app mediaserver_service:service_manager find;
-
 	# Allows GCA-Eng & GCA-Next access the GXP device and properties.
 	allow debug_camera_app gxp_device:chr_file rw_file_perms;
 	get_prop(debug_camera_app, vendor_gxp_prop)
@ -19,9 +7,6 @@ userdebug_or_eng(`
 	allow debug_camera_app edgetpu_app_service:service_manager find;
 	allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };

-	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
-	hal_client_domain(debug_camera_app, hal_power)
-
 	# Allows  GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
 	allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
 ')
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@ -1,26 +1,9 @@
-type google_camera_app, domain, coredomain;
-app_domain(google_camera_app)
-net_domain(google_camera_app)
-
-allow google_camera_app app_api_service:service_manager find;
-allow google_camera_app audioserver_service:service_manager find;
-allow google_camera_app cameraserver_service:service_manager find;
-allow google_camera_app mediaextractor_service:service_manager find;
-allow google_camera_app mediametrics_service:service_manager find;
-allow google_camera_app mediaserver_service:service_manager find;
-
 # Allows GCA to acccess the GXP device.
 allow google_camera_app gxp_device:chr_file rw_file_perms;

 # Allow GCA to access the GXP properies.
 get_prop(google_camera_app, vendor_gxp_prop)

-# Allows GCA to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
 # Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Library code may try to access vendor properties, but should be denied
-dontaudit google_camera_app vendor_default_prop:file { getattr map open };
--- a/vendor/pixeldisplayservice_app.te
+++ b/vendor/pixeldisplayservice_app.te
@ -1,14 +1,2 @@
-type pixeldisplayservice_app, domain, coredomain;
-
-app_domain(pixeldisplayservice_app);
-
-allow pixeldisplayservice_app proc_vendor_sched:dir r_dir_perms;
-allow pixeldisplayservice_app proc_vendor_sched:file w_file_perms;
-
 allow pixeldisplayservice_app hal_pixel_display_service:service_manager find;
 binder_call(pixeldisplayservice_app, hal_graphics_composer_default)
-
-# Standard system services
-allow pixeldisplayservice_app app_api_service:service_manager find;
-
-allow pixeldisplayservice_app cameraserver_service:service_manager find;
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@ -7,25 +7,9 @@ user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_d
 # Domain for connectivity monitor
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all

-# PixelDisplayService
-user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldisplayservice_app type=app_data_file levelFrom=all
-
-# Google Camera
-user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
-
-# Google Camera Eng
-user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
-
-# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
-user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
-
-# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
-user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
-
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all

 # CccDkTimeSyncService
 user=_app isPrivApp=true name=com.google.pixel.digitalkey.timesync domain=vendor_cccdktimesync_app type=app_data_file levelFrom=all
-
--- a/zuma-sepolicy.mk
+++ b/zuma-sepolicy.mk
@ -6,6 +6,7 @@ PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/radio/private
 # unresolved SELinux error log with bug tracking
 BOARD_SEPOLICY_DIRS += device/google/zuma-sepolicy/tracking_denials

+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/zuma-sepolicy/public
 PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/zuma-sepolicy/private

 # system_ext