From b8b2445251e3ef859eb9e77007ebde53a6f1141a Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Tue, 4 Apr 2023 06:14:22 +0000
Subject: [PATCH] Add se-policies for google_camera_app from pro - Found selinux violations on google_camera_app for these services which are fixed after these changes are included.
Bug: 264490031
Change-Id: Ib6f4a8a548425b0b98ed9b69edff6c973b9cbe3e
Signed-off-by: Dinesh Yadav
---
 vendor/google_camera_app.te | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index 9c233fed..8febc79a 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -9,7 +9,15 @@ hal_client_domain(google_camera_app, hal_power)
 
 # Allow camera app to access the a subset of app services.
 allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
 
 # Allows GCA to access the EdgeTPU device.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Library code may try to access vendor properties, but should be denied
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
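Review bot: The five added `find` rules (audioserver_service, cameraserver_service, mediaextractor_service, mediametrics_service, mediaserver_service) sit under the existing "subset of app services" comment with nothing recording which denial each one answers, and the subject line suggests they were carried over from another device's policy rather than derived per rule. For a least-privilege review each grant should be traceable to an observed avc denial on this target; I would add a comment above them such as `# Media/camera services GCA was denied on this device; avc logs in Bug 264490031.` and drop any rule that no logged denial backs. The closing `dontaudit` on vendor_default_prop suppresses the audit record rather than fixing the access, so the description's "fixed" overstates that line. It would help to say in its comment that the denial is expected and intentionally silenced, since a suppressed denial is invisible to anyone triaging this domain later.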