From c5a7f8cc0de7dd3c7837e7116e2eb1720aa3c152 Mon Sep 17 00:00:00 2001 
From: cwkao Date: Wed, 2 Oct 2024 19:48:09 +0800 Subject: [PATCH] Add SELiunx for camera debug app (propsetter) Add the following avc denial: ``` 10-02 19:55:46.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.258 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=netstats scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.263 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=content_capture scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=gpu scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity_task scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.416 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=voiceinteraction scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.417 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=autofill scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.425 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=sensitive_content_protection_service scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 
tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.427 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=performance_hint scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 10-02 19:55:48.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=audio scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 10-02 19:55:53.869 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=textservices scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:textservices_service:s0 tclass=service_manager permissive=1 ``` Bug: 370472903 Test: locally on komodo Flag: EXEMPT NDK Change-Id: Ia1a8b42697e790f27a5da9aaa1f7c83fddf2a365 --- vendor/camera_propsetter_app.te | 22 +++++++++++++++++++ ...roid_apps_camera_tools_propsetter.x509.pem | 17 ++++++++++++++ vendor/keys.conf | 2 ++ vendor/mac_permissions.xml | 3 +++ vendor/seapp_contexts | 2 ++ 5 files changed, 46 insertions(+) create mode 100644 vendor/camera_propsetter_app.te create mode 100644 vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem diff --git a/vendor/camera_propsetter_app.te b/vendor/camera_propsetter_app.te new file mode 100644 index 0000000..be40d7a --- /dev/null +++ b/vendor/camera_propsetter_app.te 
@@ -0,0 +1,22 @@
+# Camera Debug Tool at google3/java/com/google/android/apps/camera/tools/propsetter/
+
+type camera_propsetter_app, domain;
+
+userdebug_or_eng(`
+ app_domain(camera_propsetter_app)
+ net_domain(camera_propsetter_app)
+
+ allow camera_propsetter_app activity_service:service_manager find;
+ allow camera_propsetter_app activity_task_service:service_manager find;
+ allow camera_propsetter_app autofill_service:service_manager find;
+ allow camera_propsetter_app audio_service:service_manager find;
+ allow camera_propsetter_app content_capture_service:service_manager find;
+ allow camera_propsetter_app gpu_service:service_manager find;
+ allow camera_propsetter_app hint_service:service_manager find;
+ allow camera_propsetter_app netstats_service:service_manager find;
+ allow camera_propsetter_app sensitive_content_protection_service:service_manager find;
+ allow camera_propsetter_app textservices_service:service_manager find;
+ allow camera_propsetter_app voiceinteraction_service:service_manager find;
+
+ set_prop(camera_propsetter_app, vendor_camera_prop)
+')
diff --git a/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem b/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem
new file mode 100644
index 0000000..011a9ec
--- /dev/null
+++ b/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem
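Review bot: The eleven explicit `service_manager find` allows in this hunk look redundant once `app_domain(camera_propsetter_app)` is applied: every target listed (activity_service, netstats_service, gpu_service, hint_service, …) is normally tagged `app_api_service`, which appdomain members can already find, and the denials quoted in the commit message were evidently captured (permissive=1) against a domain that did not yet carry the app_domain rules. If that holds, drop the per-service list rather than maintain it; if one of the targets is genuinely outside app_api_service, keep only that line with a comment naming the denial it fixes. Separately, `net_domain(camera_propsetter_app)` is not justified by anything in the log (netstats is a binder lookup, not socket use) and widens the domain to network sockets, so either remove it or comment why a property-setting tool needs it. `type camera_propsetter_app, domain;` sits outside `userdebug_or_eng`, so on user builds the type exists with only the base `domain` rules — presumably intended as fail-closed, which is worth stating: `# On user builds this domain intentionally carries no app rules; the seapp_contexts mapping still applies, so the tool cannot run there.`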
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE----- +MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx +EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw +NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE +ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO +OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR ++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb ++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg +UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX +TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj +rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB +TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK +pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY +DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG +ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4 +rscXTxYEf4Tqovc= +-----END CERTIFICATE----- diff --git a/vendor/keys.conf b/vendor/keys.conf index 3ffa695..15d7596 100644 --- a/vendor/keys.conf +++ b/vendor/keys.conf @@ -1,3 +1,5 @@ [@EUICCSUPPORTPIXEL] ALL : device/google/zumapro-sepolicy/vendor/certs/EuiccSupportPixel.x509.pem +[@CAMERAPROPSETTER] +ALL : device/google/zumapro-sepolicy/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem diff --git a/vendor/mac_permissions.xml b/vendor/mac_permissions.xml index 0eab982..03409ee 100644 --- a/vendor/mac_permissions.xml +++ b/vendor/mac_permissions.xml @@ -24,4 +24,7 @@ + + + diff --git a/vendor/seapp_contexts b/vendor/seapp_contexts index 4116372..363e753 100644 --- a/vendor/seapp_contexts +++ b/vendor/seapp_contexts 
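Review bot: The certificate this domain is keyed to decodes as a self-signed `CN=Android Debug, O=Android, C=US` DSA-1024/SHA-1 certificate (validity 2012-07-17 to 2022-07-15), i.e. a developer debug keystore, and the keys.conf entry binds it with `ALL :`, so it is the trust anchor on user builds as well. Anyone holding that debug keystore can sign a package named com.google.android.apps.camera.tools.propsetter and be labelled camera_propsetter_app; the exposure is bounded only because the .te rules are wrapped in userdebug_or_eng, and that dependency should be written down next to the key rather than left implicit. Suggest a comment above the new keys.conf section, e.g. `# Debug-keystore cert (DSA-1024/SHA-1, expired 2022); the domain only carries rules on userdebug/eng builds`, and, if this tool will ever be installed outside the lab, re-signing it with a release key and replacing this PEM. Note that APK signature verification does not check certificate expiry, so the 2022 end date provides no protection on its own.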
@@ -1,3 +1,5 @@
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
+# Camera propsetter app
+user=_app seinfo=CameraPropsetter name=com.google.android.apps.camera.tools.propsetter domain=camera_propsetter_app type=app_data_file levelFrom=all
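Review bot: The new seapp_contexts entry is not build-variant gated while the domain's rules are, so on user builds an app matching this cert and package name is diverted from untrusted_app into camera_propsetter_app with no app rules at all. That fails closed, but a labelled app domain that lacks the appdomain attribute on user builds is an unusual state and may trip seapp_contexts or neverallow validation; if the vendor seapp_contexts file is m4-processed like the .te files, wrapping the two added lines in the `userdebug_or_eng(` … `')` macro keeps user builds on default labelling, otherwise record the intent in the comment: `# Camera propsetter app (debug tool; the domain only has rules on userdebug/eng builds)`. Unlike the EuiccSupportPixel entry above it, this one omits `isPrivApp=true`, which is consistent with a sideloaded debug app (uid 10311 in the quoted log) — worth confirming that is deliberate so the entry is not later "fixed" into a priv-app binding.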