51c91e5bdf
Test: 05-05 05:07:06.652 4616 4616 W FinishThread: type=1400 audit(0.0:24): avc: denied { read write } for name="video12" dev="tmpfs" ino=646 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:video_device:s0 tclass=chr_file permissive=0 app=com.google.android.GoogleCameraEng
05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:36): avc: denied { read } for name="lib_jpg_encoder.so"
dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_data_file:s0 tcl
ass=file permissive=1 app=com.google.android.GoogleCameraEng
05-08 22:00:59.000 7323 7323 I FinishThread: type=1400 audit(0.0:37): avc: denied { open } for path="/vendor/lib64/lib_j
pg_encoder.so" dev="dm-45" ino=25639 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_da
ta_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng
05-08 22:46:00.260 4784 4784 I FinishThread: type=1400 audit(0.0:29): avc: denied { execute } for path="/vendor/lib64/
libhwjpeg.so" dev="dm-50" ino=55596 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera_d
ata_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng
05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:36): avc: denied { getattr } for path="/vendor/lib64/
lib_jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_ca
mera_data_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng
05-08 22:33:30.504 7436 7436 I FinishThread: type=1400 audit(0.0:37): avc: denied { map } for path="/vendor/lib64/lib_
jpg_encoder.so" dev="dm-50" ino=53765 scontext=u:r:debug_camera_app:s0:c32,c257,c512,c768 tcontext=u:object_r:vendor_camera
_data_file:s0 tclass=file permissive=1 app=com.google.android.GoogleCameraEng
binder:7312_2: type=1400 audit(0.0:18): avc: denied { read write } for name="video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1
05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:19): avc: denied { open } for path="/dev/video12" dev="tmpfs" ino=680 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1
05-08 22:28:37.692 7312 7312 I binder:7312_2: type=1400 audit(0.0:20): avc: denied { ioctl } for path="/dev/video12" dev="tmpfs" ino=680 ioctlcmd=0x5600 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:hw_jpg_device:s0 tclass=chr_file permissive=1
05-08 22:28:37.700 7312 7312 I binder:7312_2: type=1400 audit(0.0:21): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=167 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=1
Bug: 267820687
Change-Id: I69f502d721f683d3532038d618f5fafc83f38b6b
105 lines
4.5 KiB
Text
105 lines
4.5 KiB
Text
allow hal_camera_default self:global_capability_class_set sys_nice;
|
|
allow hal_camera_default kernel:process setsched;
|
|
|
|
vndbinder_use(hal_camera_default);
|
|
|
|
allow hal_camera_default lwis_device:chr_file rw_file_perms;
|
|
|
|
# Face authentication code that is part of the camera HAL needs to allocate
|
|
# dma_bufs and access the Trusted Execution Environment device node
|
|
allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
|
|
allow hal_camera_default tee_device:chr_file rw_file_perms;
|
|
|
|
# Allow the camera hal to access the EdgeTPU service and the
|
|
# Android shared memory allocated by the EdgeTPU service for
|
|
# on-device compilation.
|
|
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
|
|
allow hal_camera_default edgetpu_vendor_service:service_manager find;
|
|
binder_call(hal_camera_default, edgetpu_vendor_server)
|
|
# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
|
|
# library has a dependency on edgetpu_app_service, see b/275016466.
|
|
allow hal_camera_default edgetpu_app_service:service_manager find;
|
|
binder_call(hal_camera_default, edgetpu_app_server)
|
|
|
|
# Allow access to data files used by the camera HAL
|
|
allow hal_camera_default mnt_vendor_file:dir search;
|
|
allow hal_camera_default persist_file:dir search;
|
|
allow hal_camera_default persist_camera_file:dir rw_dir_perms;
|
|
allow hal_camera_default persist_camera_file:file create_file_perms;
|
|
allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
|
|
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
|
|
|
|
# Allow the camera hal to access the GXP device.
|
|
allow hal_camera_default gxp_device:chr_file rw_file_perms;
|
|
|
|
# Allow creating dump files for debugging in non-release builds
|
|
userdebug_or_eng(`
|
|
allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
|
|
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
|
|
')
|
|
|
|
# Allow access to camera-related system properties
|
|
set_prop(hal_camera_default, vendor_camera_prop);
|
|
get_prop(hal_camera_default, vendor_camera_debug_prop);
|
|
userdebug_or_eng(`
|
|
set_prop(hal_camera_default, vendor_camera_fatp_prop);
|
|
set_prop(hal_camera_default, vendor_camera_debug_prop);
|
|
')
|
|
|
|
# For camera hal to talk with rlsservice
|
|
allow hal_camera_default rls_service:service_manager find;
|
|
binder_call(hal_camera_default, rlsservice)
|
|
|
|
hal_client_domain(hal_camera_default, hal_graphics_allocator);
|
|
hal_client_domain(hal_camera_default, hal_graphics_composer)
|
|
hal_client_domain(hal_camera_default, hal_power);
|
|
hal_client_domain(hal_camera_default, hal_thermal);
|
|
|
|
# Allow access to sensor service for sensor_listener
|
|
binder_call(hal_camera_default, system_server);
|
|
|
|
# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
|
|
allow hal_camera_default eco_service:service_manager find;
|
|
binder_call(hal_camera_default, mediacodec_samsung);
|
|
|
|
# Allow camera HAL to connect to the stats service.
|
|
allow hal_camera_default fwk_stats_service:service_manager find;
|
|
|
|
# For observing apex file changes
|
|
allow hal_camera_default apex_info_file:file r_file_perms;
|
|
|
|
# Allow camera HAL to query current device clock frequencies.
|
|
allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
|
|
|
|
# Allow camera HAL to read backlight of display
|
|
allow hal_camera_default sysfs_leds:dir r_dir_perms;
|
|
allow hal_camera_default sysfs_leds:file r_file_perms;
|
|
|
|
# Allow camera HAL to query preferred camera frequencies from the radio HAL
|
|
# extensions to avoid interference with cellular antennas.
|
|
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
|
|
binder_call(hal_camera_default, hal_radioext_default);
|
|
|
|
# Allows camera HAL to access the hw_jpeg /dev/video12.
|
|
allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;
|
|
|
|
# For camera hal to talk with rlsservice
|
|
allow hal_camera_default rls_service:service_manager find;
|
|
binder_call(hal_camera_default, rlsservice)
|
|
|
|
# Allow access to always-on compute device node
|
|
allow hal_camera_default aoc_device:chr_file rw_file_perms;
|
|
|
|
# Allow camera HAL to send trace packets to Perfetto
|
|
userdebug_or_eng(`perfetto_producer(hal_camera_default)')
|
|
|
|
# Some file searches attempt to access system data and are denied.
|
|
# This is benign and can be ignored.
|
|
dontaudit hal_camera_default system_data_file:dir { search };
|
|
|
|
# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
|
|
dontaudit hal_camera_default traced:unix_stream_socket { connectto };
|
|
dontaudit hal_camera_default traced_producer_socket:sock_file { write };
|
|
|
|
# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
|
|
wakelock_use(hal_camera_default)
|