From 84aa699ac89d0cde0645e58da85fd1bba772ff63 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav <dkyadav@google.com>
Date: Fri, 24 Mar 2023 04:37:15 +0000
Subject: [PATCH] Add certificate & label for GCA-ENG & GCA-Next

This commit makes following changes:
- Add selinux policies for GCA-Eng & GCA-Next to access GXP device &
edgetpu services.
- Refactor code to push policies for Google Camera app from
legacy/whitechapel_pro/* to vendor/*

Tested:
- flashed both GCA-Eng & GCA-Next apps and observed no crashes due to gxp or edgetpu.
- scontext changed from "untrusted_app_32" to "debug_camera_app" in both cases.

Bug: 264490031
Change-Id: I51f69168eebd6c7e54e512b7abde8dd6bbe7c443
Signed-off-by: Dinesh Yadav <dkyadav@google.com>
---
 legacy/whitechapel_pro/keys.conf              |  3 --
 legacy/whitechapel_pro/mac_permissions.xml    |  3 --
 .../certs/app.x509.pem                        |  0
 vendor/certs/camera_eng.x509.pem              | 17 ++++++++++
 vendor/certs/camera_fishfood.x509.pem         | 15 +++++++++
 vendor/debug_camera_app.te                    | 23 +++++++++++++
 vendor/keys.conf                              |  8 +++++
 vendor/mac_permissions.xml                    | 33 +++++++++++++++++++
 vendor/seapp_contexts                         |  9 +++++
 9 files changed, 105 insertions(+), 6 deletions(-)
 rename {legacy/whitechapel_pro => vendor}/certs/app.x509.pem (100%)
 create mode 100644 vendor/certs/camera_eng.x509.pem
 create mode 100644 vendor/certs/camera_fishfood.x509.pem
 create mode 100644 vendor/debug_camera_app.te
 create mode 100644 vendor/keys.conf
 create mode 100644 vendor/mac_permissions.xml

diff --git a/legacy/whitechapel_pro/keys.conf b/legacy/whitechapel_pro/keys.conf
index 9766e571..acc82e47 100644
--- a/legacy/whitechapel_pro/keys.conf
+++ b/legacy/whitechapel_pro/keys.conf
@@ -1,6 +1,3 @@
-[@GOOGLE]
-ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/app.x509.pem
-
 [@UWB]
 ALL : device/google/zuma-sepolicy/legacy/whitechapel_pro/certs/com_qorvo_uwb.x509.pem
 
diff --git a/legacy/whitechapel_pro/mac_permissions.xml b/legacy/whitechapel_pro/mac_permissions.xml
index da4dc908..956da955 100644
--- a/legacy/whitechapel_pro/mac_permissions.xml
+++ b/legacy/whitechapel_pro/mac_permissions.xml
@@ -21,9 +21,6 @@
       - The default tag is consulted last if needed.
 -->
     <!-- google apps key -->
-    <signer signature="@GOOGLE" >
-      <seinfo value="google" />
-    </signer>
     <signer signature="@UWB" >
         <seinfo value="uwb" />
     </signer>
diff --git a/legacy/whitechapel_pro/certs/app.x509.pem b/vendor/certs/app.x509.pem
similarity index 100%
rename from legacy/whitechapel_pro/certs/app.x509.pem
rename to vendor/certs/app.x509.pem
diff --git a/vendor/certs/camera_eng.x509.pem b/vendor/certs/camera_eng.x509.pem
new file mode 100644
index 00000000..011a9ec4
--- /dev/null
+++ b/vendor/certs/camera_eng.x509.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw
+NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
+UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
+TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
+rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
+TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK
+pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY
+DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG
+ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4
+rscXTxYEf4Tqovc=
+-----END CERTIFICATE-----
diff --git a/vendor/certs/camera_fishfood.x509.pem b/vendor/certs/camera_fishfood.x509.pem
new file mode 100644
index 00000000..fb11572f
--- /dev/null
+++ b/vendor/certs/camera_fishfood.x509.pem
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICUjCCAbsCBEk0mH4wDQYJKoZIhvcNAQEEBQAwcDELMAkGA1UEBhMCVVMxCzAJ
+BgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29n
+bGUsIEluYzEUMBIGA1UECxMLR29vZ2xlLCBJbmMxEDAOBgNVBAMTB1Vua25vd24w
+HhcNMDgxMjAyMDIwNzU4WhcNMzYwNDE5MDIwNzU4WjBwMQswCQYDVQQGEwJVUzEL
+MAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dv
+b2dsZSwgSW5jMRQwEgYDVQQLEwtHb29nbGUsIEluYzEQMA4GA1UEAxMHVW5rbm93
+bjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAn0gDGZD5sUcmOE4EU9GPjAu/
+jcd7JQSksSB8TGxEurwArcZhD6a2qy2oDjPy7vFrJqP2uFua+sqQn/u+s/TJT36B
+IqeY4OunXO090in6c2X0FRZBWqnBYX3Vg84Zuuigu9iF/BeptL0mQIBRIarbk3fe
+tAATOBQYiC7FIoL8WA0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQBAhmae1jHaQ4Td
+0GHSJuBzuYzEuZ34teS+njy+l1Aeg98cb6lZwM5gXE/SrG0chM7eIEdsurGb6PIg
+Ov93F61lLY/MiQcI0SFtqERXWSZJ4OnTxLtM9Y2hnbHU/EG8uVhPZOZfQQ0FKf1b
+aIOMFB0Km9HbEZHLKg33kOoMsS2zpA==
+-----END CERTIFICATE-----
diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
new file mode 100644
index 00000000..4199b078
--- /dev/null
+++ b/vendor/debug_camera_app.te
@@ -0,0 +1,23 @@
+type debug_camera_app, domain, coredomain;
+
+userdebug_or_eng(`
+	app_domain(debug_camera_app)
+	net_domain(debug_camera_app)
+
+	allow debug_camera_app app_api_service:service_manager find;
+	allow debug_camera_app audioserver_service:service_manager find;
+	allow debug_camera_app cameraserver_service:service_manager find;
+	allow debug_camera_app mediaextractor_service:service_manager find;
+	allow debug_camera_app mediametrics_service:service_manager find;
+	allow debug_camera_app mediaserver_service:service_manager find;
+
+	# Allows GCA-Eng & GCA-Next access the GXP device.
+	allow debug_camera_app gxp_device:chr_file rw_file_perms;
+
+	# Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
+	allow debug_camera_app edgetpu_app_service:service_manager find;
+	allow debug_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+	# Allows GCA_Eng & GCA-Next to access the PowerHAL.
+	hal_client_domain(debug_camera_app, hal_power)
+')
diff --git a/vendor/keys.conf b/vendor/keys.conf
new file mode 100644
index 00000000..290a62b5
--- /dev/null
+++ b/vendor/keys.conf
@@ -0,0 +1,8 @@
+[@GOOGLE]
+ALL : device/google/zuma-sepolicy/vendor/certs/app.x509.pem
+
+[@CAMERAENG]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_eng.x509.pem
+
+[@CAMERAFISHFOOD]
+ALL : device/google/zuma-sepolicy/vendor/certs/camera_fishfood.x509.pem
diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml
new file mode 100644
index 00000000..8e8c3c23
--- /dev/null
+++ b/vendor/mac_permissions.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <!-- google apps key -->
+    <signer signature="@GOOGLE" >
+      <seinfo value="google" />
+    </signer>
+    <signer signature="@CAMERAENG" >
+      <seinfo value="CameraEng" />
+    </signer>
+    <signer signature="@CAMERAFISHFOOD" >
+      <seinfo value="CameraFishFood" />
+    </signer>
+</policy>
diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts
index 9ed2e666..8f5eea15 100644
--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -16,6 +16,15 @@ user=_app seinfo=platform name=com.android.pixeldisplayservice domain=pixeldispl
 # Google Camera
 user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
 
+# Google Camera Eng
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+
+# Also allow GoogleCameraNext, the fishfood version, the same access as GoogleCamera
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+
+# Also label GoogleCameraNext, built with debug keys as debug_camera_app.
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+
 # Qorvo UWB system app
 # TODO(b/222204912): Should this run under uwb user?
 user=_app isPrivApp=true seinfo=uwb name=com.qorvo.uwb.vendorservice domain=uwb_vendor_app type=uwb_vendor_data_file levelFrom=all