c5a7f8cc0d
Add the following avc denial:
```
10-02 19:55:46.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.258 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=netstats scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:netstats_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.263 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=content_capture scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:content_capture_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=gpu scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:gpu_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.267 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=activity_task scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:activity_task_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.416 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=voiceinteraction scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:voiceinteraction_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.417 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=autofill scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:autofill_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.425 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=sensitive_content_protection_service scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:sensitive_content_protection_service:s0 tclass=service_manager permissive=1
10-02 19:55:46.427 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=performance_hint scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:hint_service:s0 tclass=service_manager permissive=1
10-02 19:55:48.156 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=audio scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:audio_service:s0 tclass=service_manager permissive=1
10-02 19:55:53.869 402 402 E SELinux : avc: denied { find } for pid=6934 uid=10311 name=textservices scontext=u:r:camera_propsetter_app:s0:c55,c257,c512,c768 tcontext=u:object_r:textservices_service:s0 tclass=service_manager permissive=1
```
Bug: 370472903
Test: locally on komodo
Flag: EXEMPT NDK
Change-Id: Ia1a8b42697e790f27a5da9aaa1f7c83fddf2a365
30 lines
1.4 KiB
XML
30 lines
1.4 KiB
XML
<?xml version="1.0" encoding="utf-8"?>
|
|
<policy>
|
|
|
|
<!--
|
|
|
|
* A signature is a hex encoded X.509 certificate or a tag defined in
|
|
keys.conf and is required for each signer tag.
|
|
* A signer tag may contain a seinfo tag and multiple package stanzas.
|
|
* A default tag is allowed that can contain policy for all apps not signed with a
|
|
previously listed cert. It may not contain any inner package stanzas.
|
|
* Each signer/default/package tag is allowed to contain one seinfo tag. This tag
|
|
represents additional info that each app can use in setting a SELinux security
|
|
context on the eventual process.
|
|
* When a package is installed the following logic is used to determine what seinfo
|
|
value, if any, is assigned.
|
|
- All signatures used to sign the app are checked first.
|
|
- If a signer stanza has inner package stanzas, those stanza will be checked
|
|
to try and match the package name of the app. If the package name matches
|
|
then that seinfo tag is used. If no inner package matches then the outer
|
|
seinfo tag is assigned.
|
|
- The default tag is consulted last if needed.
|
|
-->
|
|
<!-- google apps key -->
|
|
<signer signature="@EUICCSUPPORTPIXEL" >
|
|
<seinfo value="EuiccSupportPixel" />
|
|
</signer>
|
|
<signer signature="@CAMERAPROPSETTER" >
|
|
<seinfo value="CameraPropsetter" />
|
|
</signer>
|
|
</policy>
|