f0dc7907b0
Today the EdgeTpu metrics logging library (used by EdgeTpu library used by camera HAL) has a dependency on edgetpu_app_service, in order to call its UserIsAuthorized API to know whether to log the metrics (We don't want to log metrics for 3P apps), see b/275016466. This is not ideal, because strictly speaking, camera HAL doesn't need such dependency. Still, this is fine and there is no security risk, because today even untrusted apps can call edgetpu_app_service: http://cs/android-internal/device/google/gs-common/edgetpu/sepolicy/untrusted_app_all.te;l=2;rcl=f4b62d12c171d4e294d8251e34197ab555c40673 Bug: 266084950 Test: Just mm Change-Id: I6c0e4411370e4b300b9ceb3ad804688d873371cd
94 lines
4 KiB
Text
94 lines
4 KiB
Text
allow hal_camera_default self:global_capability_class_set sys_nice;
|
|
allow hal_camera_default kernel:process setsched;
|
|
|
|
vndbinder_use(hal_camera_default);
|
|
|
|
allow hal_camera_default lwis_device:chr_file rw_file_perms;
|
|
|
|
# Face authentication code that is part of the camera HAL needs to allocate
|
|
# dma_bufs and access the Trusted Execution Environment device node
|
|
|
|
# Allow the camera hal to access the EdgeTPU service and the
|
|
# Android shared memory allocated by the EdgeTPU service for
|
|
# on-device compilation.
|
|
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
|
|
allow hal_camera_default edgetpu_vendor_service:service_manager find;
|
|
binder_call(hal_camera_default, edgetpu_vendor_server)
|
|
# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
|
|
# library has a dependency on edgetpu_app_service, see b/275016466.
|
|
allow hal_camera_default edgetpu_app_service:service_manager find;
|
|
binder_call(hal_camera_default, edgetpu_app_server)
|
|
|
|
# Allow access to data files used by the camera HAL
|
|
allow hal_camera_default mnt_vendor_file:dir search;
|
|
allow hal_camera_default persist_file:dir search;
|
|
allow hal_camera_default persist_camera_file:dir rw_dir_perms;
|
|
allow hal_camera_default persist_camera_file:file create_file_perms;
|
|
allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
|
|
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
|
|
|
|
# Allow the camera hal to access the GXP device.
|
|
allow hal_camera_default gxp_device:chr_file rw_file_perms;
|
|
|
|
# Allow creating dump files for debugging in non-release builds
|
|
userdebug_or_eng(`
|
|
allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
|
|
allow hal_camera_default vendor_camera_data_file:file create_file_perms;
|
|
')
|
|
|
|
# Allow access to camera-related system properties
|
|
set_prop(hal_camera_default, vendor_camera_prop);
|
|
get_prop(hal_camera_default, vendor_camera_debug_prop);
|
|
userdebug_or_eng(`
|
|
set_prop(hal_camera_default, vendor_camera_fatp_prop);
|
|
set_prop(hal_camera_default, vendor_camera_debug_prop);
|
|
')
|
|
|
|
# For camera hal to talk with rlsservice
|
|
allow hal_camera_default rls_service:service_manager find;
|
|
binder_call(hal_camera_default, rlsservice)
|
|
|
|
hal_client_domain(hal_camera_default, hal_graphics_allocator);
|
|
hal_client_domain(hal_camera_default, hal_graphics_composer)
|
|
hal_client_domain(hal_camera_default, hal_power);
|
|
hal_client_domain(hal_camera_default, hal_thermal);
|
|
|
|
# Allow access to sensor service for sensor_listener
|
|
binder_call(hal_camera_default, system_server);
|
|
|
|
# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
|
|
allow hal_camera_default eco_service:service_manager find;
|
|
binder_call(hal_camera_default, mediacodec_samsung);
|
|
|
|
# Allow camera HAL to connect to the stats service.
|
|
allow hal_camera_default fwk_stats_service:service_manager find;
|
|
|
|
# For observing apex file changes
|
|
allow hal_camera_default apex_info_file:file r_file_perms;
|
|
|
|
# Allow camera HAL to query current device clock frequencies.
|
|
allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
|
|
|
|
# Allow camera HAL to read backlight of display
|
|
allow hal_camera_default sysfs_leds:dir r_dir_perms;
|
|
allow hal_camera_default sysfs_leds:file r_file_perms;
|
|
|
|
# Allow camera HAL to query preferred camera frequencies from the radio HAL
|
|
# extensions to avoid interference with cellular antennas.
|
|
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
|
|
binder_call(hal_camera_default, hal_radioext_default);
|
|
|
|
# For camera hal to talk with rlsservice
|
|
allow hal_camera_default rls_service:service_manager find;
|
|
binder_call(hal_camera_default, rlsservice)
|
|
|
|
# Allow camera HAL to send trace packets to Perfetto
|
|
userdebug_or_eng(`perfetto_producer(hal_camera_default)')
|
|
|
|
# Some file searches attempt to access system data and are denied.
|
|
# This is benign and can be ignored.
|
|
dontaudit hal_camera_default system_data_file:dir { search };
|
|
|
|
# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
|
|
dontaudit hal_camera_default traced:unix_stream_socket { connectto };
|
|
dontaudit hal_camera_default traced_producer_socket:sock_file { write };
|