Add hal_camera_default se linux file for zuma
Add hal_camera_default.te for zuma. Move referenced contexts and settings to new zuma-sepolicy folders. Add hal_camera_default type declaration to file.te Bug: 261651093, 260366029, 263185135 Test: Build and test for hal_camera_default denials Change-Id: Id0246f9ca8fd399853894e9e41548976ab44ccd0
This commit is contained in:
parent
0faf3d2c7b
commit
8d061f7ebc
10 changed files with 148 additions and 120 deletions
1
vendor/device.te
|
@ -3,6 +3,7 @@ type custom_ab_block_device, dev_type;
|
|||
type devinfo_block_device, dev_type;
|
||||
type mfg_data_block_device, dev_type;
|
||||
type logbuffer_device, dev_type;
|
||||
type gxp_device, dev_type;
|
||||
|
||||
# SecureElement SPI device
|
||||
type st54spi_device, dev_type;
|
||||
|
|
54
vendor/file_contexts
|
@ -26,6 +26,7 @@
|
|||
/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
|
||||
|
||||
# persist
|
||||
/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0
|
||||
/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
|
||||
|
||||
# Devices
|
||||
|
@ -62,6 +63,8 @@
|
|||
/dev/block/platform/13200000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
|
||||
/dev/block/platform/13200000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
|
||||
/dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
|
||||
/dev/gxp u:object_r:gxp_device:s0
|
||||
/dev/mali0 u:object_r:gpu_device:s0
|
||||
/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
|
||||
/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
|
||||
/dev/logbuffer_wireless u:object_r:logbuffer_device:s0
|
||||
|
@ -78,4 +81,55 @@
|
|||
/dev/logbuffer_maxfg_base_monitor u:object_r:logbuffer_device:s0
|
||||
/dev/logbuffer_maxfg_flip_monitor u:object_r:logbuffer_device:s0
|
||||
/dev/logbuffer_wc68 u:object_r:logbuffer_device:s0
|
||||
/dev/lwis-act-jotnar u:object_r:lwis_device:s0
|
||||
/dev/lwis-act-slenderman u:object_r:lwis_device:s0
|
||||
/dev/lwis-act-slenderman-sandworm u:object_r:lwis_device:s0
|
||||
/dev/lwis-act-cornerfolk u:object_r:lwis_device:s0
|
||||
/dev/lwis-act-cornerfolk-dokkaebi u:object_r:lwis_device:s0
|
||||
/dev/lwis-act-cornerfolk-oksoko u:object_r:lwis_device:s0
|
||||
/dev/lwis-be-core u:object_r:lwis_device:s0
|
||||
/dev/lwis-csi u:object_r:lwis_device:s0
|
||||
/dev/lwis-dpm u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-djinn u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-gargoyle u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-humbaba u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-jotnar u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-smaug-buraq u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-smaug-dokkaebi u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-smaug-sandworm u:object_r:lwis_device:s0
|
||||
/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0
|
||||
/dev/lwis-g3aa u:object_r:lwis_device:s0
|
||||
/dev/lwis-gdc0 u:object_r:lwis_device:s0
|
||||
/dev/lwis-gdc1 u:object_r:lwis_device:s0
|
||||
/dev/lwis-gse u:object_r:lwis_device:s0
|
||||
/dev/lwis-gtnr-align u:object_r:lwis_device:s0
|
||||
/dev/lwis-gtnr-merge u:object_r:lwis_device:s0
|
||||
/dev/lwis-ipp u:object_r:lwis_device:s0
|
||||
/dev/lwis-itp u:object_r:lwis_device:s0
|
||||
/dev/lwis-isp-fe u:object_r:lwis_device:s0
|
||||
/dev/lwis-lme u:object_r:lwis_device:s0
|
||||
/dev/lwis-mcsc u:object_r:lwis_device:s0
|
||||
/dev/lwis-ois-gargoyle u:object_r:lwis_device:s0
|
||||
/dev/lwis-ois-humbaba u:object_r:lwis_device:s0
|
||||
/dev/lwis-ois-jotnar u:object_r:lwis_device:s0
|
||||
/dev/lwis-ois-djinn u:object_r:lwis_device:s0
|
||||
/dev/lwis-pdp u:object_r:lwis_device:s0
|
||||
/dev/lwis-scsc u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-boitata u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-buraq u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-dokkaebi u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-kraken u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-lamassu u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-nagual u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-oksoko u:object_r:lwis_device:s0
|
||||
/dev/lwis-sensor-sandworm u:object_r:lwis_device:s0
|
||||
/dev/lwis-slc u:object_r:lwis_device:s0
|
||||
/dev/lwis-eeprom-smaug-oksoko u:object_r:lwis_device:s0
|
||||
/dev/lwis-top u:object_r:lwis_device:s0
|
||||
/dev/lwis-tof-vl53l8 u:object_r:lwis_device:s0
|
||||
/dev/lwis-votf u:object_r:lwis_device:s0
|
||||
/dev/st54spi u:object_r:st54spi_device:s0
|
||||
/dev/trusty-ipc-dev0 u:object_r:tee_device:s0
|
||||
|
||||
# Data
|
||||
/data/vendor/camera(/.*)? u:object_r:vendor_camera_data_file:s0
|
||||
|
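Review bot: `/dev/lwis-eeprom-smaug-oksoko` sits between `lwis-slc` and `lwis-top` while every other lwis entry in the hunk is in alphabetical order; moving it next to the other `lwis-eeprom-smaug-*` lines keeps the block scannable for duplicates and gaps. Every lwis node in this hunk is labelled with the single `lwis_device` type, and the new hal_camera_default.te in this commit grants `rw_file_perms` on it, so any domain given that type reaches all camera sub-devices at once; a one-line comment above the block, `# All LWIS nodes share one type: rw on lwis_device is rw on every camera sub-device`, would make that trade-off visible to the next reviewer. file_contexts is a flat file, so no enclosing block is cut by the hunk.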
|
10
vendor/genfs_contexts
|
@ -1,3 +1,13 @@
|
|||
# Devfreq current frequency
|
||||
genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/cur_freq u:object_r:sysfs_devfreq_cur:s0
|
||||
|
||||
# EdgeTPU
|
||||
genfscon sysfs /devices/platform/1ce00000.rio u:object_r:sysfs_edgetpu:s0
|
||||
|
||||
|
|
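--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -0,0 +1,78 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+set_prop(hal_camera_default, vendor_camera_fatp_prop);
+set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+# For camera hal to talk with rlsservice
+allow hal_camera_default rls_service:service_manager find;
+binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };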
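Review bot: The comment `# Face authentication code that is part of the camera HAL needs to allocate` / `# dma_bufs and access the Trusted Execution Environment device node` is followed only by a blank line and the EdgeTPU block, and no rule in the new file touches dma_buf or `tee_device` (which this commit's file_contexts still assigns to /dev/trusty-ipc-dev0), so either those rules were lost in the move or the comment is stale and should be deleted. The first two rules, `allow hal_camera_default self:global_capability_class_set sys_nice;` and `allow hal_camera_default kernel:process setsched;`, carry no comment saying which threads the HAL reschedules and why it needs to act on kernel threads; a one-line comment above them would let a later reviewer judge whether the grant can be narrowed. `hal_client_domain(hal_camera_default, hal_graphics_composer)` is the only one of the four hal_client_domain lines without a trailing `;`; pick one form for the file. The comment `# Allow access to sensor service for sensor_listener` describes a narrower grant than `binder_call(hal_camera_default, system_server);` actually makes (call/transfer to system_server as a whole), so the comment should say that, or note which service_manager find rule it pairs with.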
|
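--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -0,0 +1,5 @@
+# Camera
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0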