Add SELiunx for camera debug app (propsetter)
Add the following avc denial: ``` 10-02 19:55:46.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.258 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=netstats scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.263 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=content_capture scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=gpu scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity_task scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.416 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=voiceinteraction scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.417 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=autofill scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.425 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=sensitive_content_protection_service scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1 10-02 19:55:46.427 402 402 E SELinux : avc: 
denied { find } for pid=6934 uid=10311 name=performance_hint scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1 10-02 19:55:48.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=audio scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1 10-02 19:55:53.869 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=textservices scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:textservices_service:s0 tclass=service_manager permissive=1 ``` Bug: 370472903 Test: locally on komodo Flag: EXEMPT NDK Change-Id: Ia1a8b42697e790f27a5da9aaa1f7c83fddf2a365
parent
bf729b7266
commit
c5a7f8cc0d
5 changed files with 46 additions and 0 deletions
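--- a/vendor/camera_propsetter_app.te
+++ b/vendor/camera_propsetter_app.te
@@ -0,0 +1,22 @@
+# Camera Debug Tool at google3/java/com/google/android/apps/camera/tools/propsetter/
+
+type camera_propsetter_app, domain;
+
+userdebug_or_eng(`
+app_domain(camera_propsetter_app)
+net_domain(camera_propsetter_app)
+
+allow camera_propsetter_app activity_service:service_manager find;
+allow camera_propsetter_app activity_task_service:service_manager find;
+allow camera_propsetter_app autofill_service:service_manager find;
+allow camera_propsetter_app audio_service:service_manager find;
+allow camera_propsetter_app content_capture_service:service_manager find;
+allow camera_propsetter_app gpu_service:service_manager find;
+allow camera_propsetter_app hint_service:service_manager find;
+allow camera_propsetter_app netstats_service:service_manager find;
+allow camera_propsetter_app sensitive_content_protection_service:service_manager find;
+allow camera_propsetter_app textservices_service:service_manager find;
+allow camera_propsetter_app voiceinteraction_service:service_manager find;
+
+set_prop(camera_propsetter_app, vendor_camera_prop)
+')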
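Review bot: `net_domain(camera_propsetter_app)` is not backed by any denial in the commit message, where every quoted AVC is a `service_manager find`, so the network grant looks wider than the evidence for it. If the tool only sets `vendor_camera_prop`, drop the line; if it does need sockets, say why in a comment above it, e.g. `# network access needed for <reason - placeholder>`. The same applies to `set_prop(camera_propsetter_app, vendor_camera_prop)`, which is the sensitive grant here and has no corresponding denial listed; a one-line comment naming the properties the tool is expected to write would help later audits. The eleven per-service `find` rules match the logged denials one-to-one.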
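--- a/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem
+++ b/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem
@@ -0,0 +1,17 @@
+-----BEGIN CERTIFICATE-----
+MIICpzCCAmWgAwIBAgIEUAV8QjALBgcqhkjOOAQDBQAwNzELMAkGA1UEBhMCVVMx
+EDAOBgNVBAoTB0FuZHJvaWQxFjAUBgNVBAMTDUFuZHJvaWQgRGVidWcwHhcNMTIw
+NzE3MTQ1MjUwWhcNMjIwNzE1MTQ1MjUwWjA3MQswCQYDVQQGEwJVUzEQMA4GA1UE
+ChMHQW5kcm9pZDEWMBQGA1UEAxMNQW5kcm9pZCBEZWJ1ZzCCAbcwggEsBgcqhkjO
+OAQBMIIBHwKBgQD9f1OBHXUSKVLfSpwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR
++1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQpaSfn+gEexAiwk+7qdf+t8Yb
++DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd0UgBxwIVAJdg
+UI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX
+TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCj
+rh4rs6Z1kW6jfwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQB
+TDv+z0kqA4GEAAKBgGrRG9fVZtJ69DnALkForP1FtL6FvJmMe5uOHHdUaT+MDUKK
+pPzhEISBOEJPpozRMFJO7/bxNzhjgi+mNymL/k1GoLhmZe7wQRc5AQNbHIBqoxgY
+DTA6qMyeWSPgam+r+nVoPEU7sgd3fPL958+xmxQwOBSqHfe0PVsiK1cGtIuUMAsG
+ByqGSM44BAMFAAMvADAsAhQJ0tGwRwIptb7SkCZh0RLycMXmHQIUZ1ACBqeAULp4
+rscXTxYEf4Tqovc=
+-----END CERTIFICATE-----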
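Review bot: The certificate added here carries the subject `CN=Android Debug, O=Android, C=US` with a DSA key and a 2012–2022 validity window (readable from the base64 body), which looks like a developer debug keystore rather than a key dedicated to this tool. The `CameraPropsetter` seinfo in mac_permissions.xml is only as trustworthy as the custody of that private key, and the seapp_contexts entry has no `isPrivApp=true`, so any installable package with the propsetter name signed by it would be labelled `camera_propsetter_app`. If the key is shared across debug builds, consider signing the tool with a dedicated key, or at least scoping the keys.conf entry to debug variants (`ENG :` / `USERDEBUG :` instead of `ALL :`) after checking that the build tolerates the tag being absent on user.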
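--- a/vendor/keys.conf
+++ b/vendor/keys.conf
@@ -1,3 +1,5 @@
 [@EUICCSUPPORTPIXEL]
 ALL : device/google/zumapro-sepolicy/vendor/certs/EuiccSupportPixel.x509.pem
 
+[@CAMERAPROPSETTER]
+ALL : device/google/zumapro-sepolicy/vendor/certs/com_google_android_apps_camera_tools_propsetter.x509.pem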
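--- a/vendor/mac_permissions.xml
+++ b/vendor/mac_permissions.xml
@@ -24,4 +24,7 @@
 <signer signature="@EUICCSUPPORTPIXEL" >
 <seinfo value="EuiccSupportPixel" />
 </signer>
+<signer signature="@CAMERAPROPSETTER" >
+<seinfo value="CameraPropsetter" />
+</signer>
 </policy>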
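--- a/vendor/seapp_contexts
+++ b/vendor/seapp_contexts
@@ -1,3 +1,5 @@
 # Domain for EuiccSupportPixel
 user=_app isPrivApp=true seinfo=EuiccSupportPixel name=com.google.euiccpixel domain=euiccpixel_app type=app_data_file levelFrom=all
 
+# Camera propsetter app
+user=_app seinfo=CameraPropsetter name=com.google.android.apps.camera.tools.propsetter domain=camera_propsetter_app type=app_data_file levelFrom=all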
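Review bot: This seapp_contexts entry is unconditional, while every rule for `camera_propsetter_app` in camera_propsetter_app.te sits inside `userdebug_or_eng` and only the `type` declaration sits outside it. On a user build a matching package would presumably still be assigned the domain and run without even the `app_domain` rules, which is restrictive rather than permissive but confusing to debug. I would extend the comment to record that intent, e.g. `# Camera propsetter app (debug tool; domain has rules only on userdebug/eng builds)`.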