platform_system_sepolicy/public/hal_camera.te

39 lines
1.4 KiB
Text
Raw Normal View History

# HwBinder IPC from clients to server and callbacks
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
Add missing permission for accessing the DMA-BUF system heap This patch fixes the following denials: avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="BootAnimation" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:bootanim:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system" dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 Bug: 178865267 Test: boot without these denials Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com> Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07
2021-02-16 06:57:42 +01:00
allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
allow hal_camera { appdomain -isolated_app }:fd use;
allow hal_camera surfaceflinger:fd use;
allow hal_camera hal_allocator_server:fd use;
# Needed to provide debug dump output via dumpsys' pipes.
allow hal_camera shell:fd use;
allow hal_camera shell:fifo_file write;
###
### neverallow rules
###
# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;