From 5b2134d5c556d88126690cee957f54d6c004af3d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?= Date: Thu, 27 Apr 2023 19:53:25 +0000 Subject: [PATCH] Enforce sepolicy for Google Camera App. Added missing statement allowing GXP firmware access. Bug: 264489778 Test: GCA smoke test in setenforce mode. Change-Id: Ied2f675a2e11f7aebcf4e1e6ac49fc2e39dd2ecf
---
 tracking_denials/google_camera_app.te | 7 ------- vendor/google_camera_app.te | 16 ++++++++-------- 2 files changed, 8 insertions(+), 15 deletions(-) delete mode 100644 tracking_denials/google_camera_app.te
diff --git a/tracking_denials/google_camera_app.te b/tracking_denials/google_camera_app.te
deleted file mode 100644
index b6994f9e..00000000
--- a/tracking_denials/google_camera_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# b/264490031
-userdebug_or_eng(`
- permissive google_camera_app;
-')
-# b/277300017
-dontaudit google_camera_app cameraserver_service:service_manager { find };
-dontaudit google_camera_app mediaserver_service:service_manager { find };
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index 8febc79a..337a358c 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,13 +1,6 @@
 type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
 
-# Allows camera app to access the GXP device.
-allow google_camera_app gxp_device:chr_file rw_file_perms;
-
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
-# Allow camera app to access the a subset of app services.
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
@@ -15,7 +8,14 @@ allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 
-# Allows GCA to access the EdgeTPU device.
+# Allows GCA to acccess the GXP device and search for the firmware file.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app vendor_fw_file:dir search;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
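Review bot: The relocated `allow google_camera_app gxp_device:chr_file rw_file_perms;` grants the whole read/write macro, including unfiltered `ioctl`, while the EdgeTPU rule at the end of this hunk spells out `{ getattr read write ioctl map }`. Because this commit also deletes the `permissive google_camera_app;` statement that applied on userdebug/eng builds, these allow rules are now the enforced boundary between the app and the GXP driver there too, so it is worth listing only the permissions GCA actually uses and adding an ioctl allowlist such as `allowxperm google_camera_app gxp_device:chr_file ioctl { <GXP ioctl commands GCA needs> };` (the required commands are not visible in this patch). The new comment misspells "acccess" and describes a directory `search` grant as searching for the file; suggested wording: `# Allows GCA to access the GXP device and traverse the vendor firmware directory.` The first hunk of this file also drops the `# Allow camera app to access the a subset of app services.` comment without a replacement, which leaves the `service_manager find` block unlabelled.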