From 6d632595b693e806a5768258a6c4ef82ac00d0fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Krzysztof=20Kosi=C5=84ski?=
Date: Fri, 12 Apr 2024 22:32:38 +0000
Subject: [PATCH] Remove legacy camera HAL policy. All of these accesses are still needed.
Bug: 313934097
Test: presubmit
Change-Id: I5222a7416d7cffed0d84b1a4c80f74edc4aadd49
---
 legacy/zuma/vendor/google_camera_app.te | 7 --
 legacy/zuma/vendor/hal_camera_default.te | 89 ----------------------
 vendor/google_camera_app.te | 8 ++
 vendor/hal_camera_default.te | 94 +++++++++++++++++++++++-
 4 files changed, 100 insertions(+), 98 deletions(-)
 delete mode 100644 legacy/zuma/vendor/google_camera_app.te
 delete mode 100644 legacy/zuma/vendor/hal_camera_default.te
diff --git a/legacy/zuma/vendor/google_camera_app.te b/legacy/zuma/vendor/google_camera_app.te
deleted file mode 100644
index fd19c05..0000000
--- a/legacy/zuma/vendor/google_camera_app.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Allows GCA to acccess the GXP device & properties.
-allow google_camera_app gxp_device:chr_file rw_file_perms;
-get_prop(google_camera_app, vendor_gxp_prop)
-
-# Allows GCA to find and access the EdgeTPU.
-allow google_camera_app edgetpu_app_service:service_manager find;
-allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/legacy/zuma/vendor/hal_camera_default.te b/legacy/zuma/vendor/hal_camera_default.te
deleted file mode 100644
index 6f8a338..0000000
--- a/legacy/zuma/vendor/hal_camera_default.te
+++ /dev/null
@@ -1,89 +0,0 @@
-allow hal_camera_default self:global_capability_class_set sys_nice;
-allow hal_camera_default kernel:process setsched;
-
-vndbinder_use(hal_camera_default);
-
-allow hal_camera_default lwis_device:chr_file rw_file_perms;
-
-# Face authentication code that is part of the camera HAL needs to allocate
-# dma_bufs and access the Trusted Execution Environment device node
-allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_camera_default tee_device:chr_file rw_file_perms;
-
-# Allow the camera hal to access the EdgeTPU service and the
-# Android shared memory allocated by the EdgeTPU service for
-# on-device compilation.
-allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
-allow hal_camera_default edgetpu_vendor_service:service_manager find;
-binder_call(hal_camera_default, edgetpu_vendor_server)
-# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
-# library has a dependency on edgetpu_app_service, see b/275016466.
-allow hal_camera_default edgetpu_app_service:service_manager find;
-binder_call(hal_camera_default, edgetpu_app_server)
-
-# Allow access to data files used by the camera HAL
-allow hal_camera_default mnt_vendor_file:dir search;
-allow hal_camera_default persist_file:dir search;
-allow hal_camera_default persist_camera_file:dir rw_dir_perms;
-allow hal_camera_default persist_camera_file:file create_file_perms;
-allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
-allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-
-# Allow creating dump files for debugging in non-release builds
-userdebug_or_eng(`
- allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
- allow hal_camera_default vendor_camera_data_file:file create_file_perms;
-')
-
-# Allow access to camera-related system properties
-set_prop(hal_camera_default, vendor_camera_prop);
-get_prop(hal_camera_default, vendor_camera_debug_prop);
-userdebug_or_eng(`
- set_prop(hal_camera_default, vendor_camera_fatp_prop);
- set_prop(hal_camera_default, vendor_camera_debug_prop);
-')
-
-
-hal_client_domain(hal_camera_default, hal_graphics_allocator);
-hal_client_domain(hal_camera_default, hal_graphics_composer)
-hal_client_domain(hal_camera_default, hal_power);
-hal_client_domain(hal_camera_default, hal_thermal);
-
-# Allow access to sensor service for sensor_listener
-binder_call(hal_camera_default, system_server);
-
-# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
-allow hal_camera_default eco_service:service_manager find;
-binder_call(hal_camera_default, mediacodec_samsung);
-
-# Allow camera HAL to connect to the stats service.
-allow hal_camera_default fwk_stats_service:service_manager find;
-
-# For observing apex file changes
-allow hal_camera_default apex_info_file:file r_file_perms;
-
-# Allow camera HAL to query current device clock frequencies.
-allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
-
-# Allow camera HAL to read backlight of display
-allow hal_camera_default sysfs_leds:dir r_dir_perms;
-allow hal_camera_default sysfs_leds:file r_file_perms;
-
-# Allow camera HAL to query preferred camera frequencies from the radio HAL
-# extensions to avoid interference with cellular antennas.
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
-binder_call(hal_camera_default, hal_radioext_default);
-
-# Allow access to always-on compute device node
-allow hal_camera_default aoc_device:chr_file rw_file_perms;
-
-# Allow camera HAL to send trace packets to Perfetto
-userdebug_or_eng(`perfetto_producer(hal_camera_default)')
-
-# Some file searches attempt to access system data and are denied.
-# This is benign and can be ignored.
-dontaudit hal_camera_default system_data_file:dir { search };
-
-# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
-dontaudit hal_camera_default traced:unix_stream_socket { connectto };
-dontaudit hal_camera_default traced_producer_socket:sock_file { write };
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index aa3f9e3..c572c26 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -1,2 +1,10 @@
+# Allows GCA to acccess the GXP device & properties.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(google_camera_app, vendor_gxp_prop)
+
+# Allows GCA to find and access the EdgeTPU.
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };
+
 # Allows GCA to access the hw_jpeg /dev/video12.
 allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 0b916fd..536a294 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
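Review bot: The two accelerator grants added to vendor/google_camera_app.te, `gxp_device:chr_file rw_file_perms` and `edgetpu_device:chr_file { getattr read write ioctl map }`, give an app domain `ioctl` on driver nodes with no command allowlist visible in this hunk. If none exists elsewhere in the policy, consider pairing each with a rule of the form `allowxperm google_camera_app gxp_device:chr_file ioctl { <GXP_IOCTL_CMDS> };` (placeholder command set) so the reachable driver surface is limited to what GCA actually issues. The carried-over comment also has a typo and should read `# Allows GCA to access the GXP device & properties.`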
@@ -1,5 +1,95 @@
-# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
-wakelock_use(hal_camera_default)
+allow hal_camera_default self:global_capability_class_set sys_nice;
+allow hal_camera_default kernel:process setsched;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+
+# Face authentication code that is part of the camera HAL needs to allocate
+# dma_bufs and access the Trusted Execution Environment device node
+allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_camera_default tee_device:chr_file rw_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
+# Allow edgetpu_app_service as well, due to the EdgeTpu metrics logging
+# library has a dependency on edgetpu_app_service, see b/275016466.
+allow hal_camera_default edgetpu_app_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_app_server)
+
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+ allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+ set_prop(hal_camera_default, vendor_camera_fatp_prop);
+ set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
+
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec_samsung);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# Allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
 # Allows camera HAL to access the hw_jpeg /dev/video12.
 allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;
+
+# Allow access to always-on compute device node
+allow hal_camera_default aoc_device:chr_file rw_file_perms;
+
+# Allow camera HAL to send trace packets to Perfetto
+userdebug_or_eng(`perfetto_producer(hal_camera_default)')
+
+# Some file searches attempt to access system data and are denied.
+# This is benign and can be ignored.
+dontaudit hal_camera_default system_data_file:dir { search };
+
+# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+
+# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
+wakelock_use(hal_camera_default)
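Review bot: In the first `userdebug_or_eng` block of vendor/hal_camera_default.te, `allow hal_camera_default vendor_camera_data_file:file create_file_perms;` repeats the unconditional rule directly above it, so the only debug-only delta is the directory rule. Reducing the block to `allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;` makes the release/debug difference readable at a glance. The opening grants (`sys_nice`, `kernel:process setsched`, `vndbinder_use`, `lwis_device`) are the only ones in the hunk without a rationale comment; now that they are no longer filed under legacy/, a line such as `# Camera HAL adjusts scheduling priority for <component>` (placeholder) above them would help later audits. The `dontaudit hal_camera_default system_data_file:dir { search };` rule also hides every such denial from the audit log, so it is worth confirming the suppressed accesses are still the benign ones the comment describes.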