platform_system_sepolicy/public/hal_camera.te

# HwBinder IPC from clients to server and callbacks
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)

#binder IPC from client to service manager and callbacks
binder_use(hal_camera_server)

hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
hal_attribute_service(hal_camera, hal_camera_service)

allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;

# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;

# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
allow hal_camera { appdomain -isolated_app }:fd use;
allow hal_camera surfaceflinger:fd use;
allow hal_camera hal_allocator_server:fd use;

# Needed to provide debug dump output via dumpsys' pipes.
allow hal_camera shell:fd use;
allow hal_camera shell:fifo_file write;

###
### neverallow rules
###

# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;

# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;

# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
Switch Camera HAL policy to _client/_server This switches Camera HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Camera HAL. Domains which are clients of Camera HAL, such as cameraserver domain, are granted rules targeting hal_camera only when the Camera HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_camera are not granted to client domains. Domains which offer a binderized implementation of Camera HAL, such as hal_camera_default domain, are always granted rules targeting hal_camera. Test: Take non-HDR photo using Google Camera app Test: Take HDR photo using Google Camera app Test: Record video using Google Camera app Bug: 34170079 Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e 2017-02-17 01:08:22 +01:00			`# HwBinder IPC from clients to server and callbacks`
			`binder_call(hal_camera_client, hal_camera_server)`
			`binder_call(hal_camera_server, hal_camera_client)`
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a 2016-12-22 21:55:02 +01:00
System wide sepolicy changes for aidl camera hals. Bug: 196432585 Test: Camera CTS Change-Id: I0ec0158c9cf82937d6c00841448e6e42f6ff4bb0 Signed-off-by: Jayant Chowdhary <jchowdhary@google.com> 2022-01-20 09:47:54 +01:00			`#binder IPC from client to service manager and callbacks`
			`binder_use(hal_camera_server)`

hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e 2018-06-06 18:30:18 +02:00			`hal_attribute_hwservice(hal_camera, hal_camera_hwservice)`
System wide sepolicy changes for aidl camera hals. Bug: 196432585 Test: Camera CTS Change-Id: I0ec0158c9cf82937d6c00841448e6e42f6ff4bb0 Signed-off-by: Jayant Chowdhary <jchowdhary@google.com> 2022-01-20 09:47:54 +01:00			`hal_attribute_service(hal_camera, hal_camera_service)`
Policy for Camera HAL HwBinder service This adds restrictions on which domains can register this HwBinder service with hwservicemanager and which domains can obtain tokens for this service from hwservicemanager. Test: Use Google Camera app to take HDR+ photo, conventional photo, record video with sound, record slow motion video with sound. Check that the photos display correctly and that videos play back fine and with sound. Check that there are no SELinux denials to do with camera. Bug: 34454312 Change-Id: Icfaeed917423510d9f97d18b013775596883ff64 2017-04-13 19:29:42 +02:00
Camera: sepolicy for external camera Allow external camera HAL to monitor video device add/removal. Bug: 64874137 Change-Id: I1a3116a220df63c0aabb3c9afd7450552e6cd417 2018-01-24 01:02:34 +01:00			`allow hal_camera device:dir r_dir_perms;`
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a 2016-12-22 21:55:02 +01:00			`allow hal_camera video_device:dir r_dir_perms;`
			`allow hal_camera video_device:chr_file rw_file_perms;`
			`allow hal_camera camera_device:chr_file rw_file_perms;`
			`allow hal_camera ion_device:chr_file rw_file_perms;`
Add missing permission for accessing the DMA-BUF system heap This patch fixes the following denials: avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="BootAnimation" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:bootanim:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system" dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 Bug: 178865267 Test: boot without these denials Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com> Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07 2021-02-16 06:57:42 +01:00			`allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;`

Switch Camera HAL policy to _client/_server This switches Camera HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Camera HAL. Domains which are clients of Camera HAL, such as cameraserver domain, are granted rules targeting hal_camera only when the Camera HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_camera are not granted to client domains. Domains which offer a binderized implementation of Camera HAL, such as hal_camera_default domain, are always granted rules targeting hal_camera. Test: Take non-HDR photo using Google Camera app Test: Take HDR photo using Google Camera app Test: Record video using Google Camera app Bug: 34170079 Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e 2017-02-17 01:08:22 +01:00			`# Both the client and the server need to use the graphics allocator`
			`allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;`
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a 2016-12-22 21:55:02 +01:00
Camera: hal_camera FD access update Add FD accessing rules related to media,gralloc and ashmem. Also move a few rules to where they belong. Change-Id: I0bff6f86665a8a049bd767486275740fa369da3d 2017-02-25 02:45:11 +01:00			`# Allow hal_camera to use fd from app,gralloc,and ashmem HAL`
Camera: allow various FD usage for hal_camera The camera HAL1 will need to pass/receive FD from various related processes (app/surfaceflinger/medaiserver) Change-Id: Ia6a6efdddc6e3e92c71211bd28a83eaf2ebd1948 2017-02-24 02:48:50 +01:00			`allow hal_camera { appdomain -isolated_app }:fd use;`
			`allow hal_camera surfaceflinger:fd use;`
Switch Allocator HAL policy to _client/_server This switches Allocator HAL policy to the design which enables us to identify all SELinux domains which host HALs and all domains which are clients of HALs. Allocator HAL is special in the sense that it's assumed to be always binderized. As a result, rules in Camera HAL target hal_allocator_server rather than hal_allocator (which would be the server and any client, if the Allocator HAL runs in passthrough mode). Test: Device boots up, no new denials Test: YouTube video plays back Test: Take photo using Google Camera app, recover a video, record a slow motion video Bug: 34170079 Change-Id: Ifbbca554ec221712361ee6cda94c82f254d84936 2017-03-18 00:51:56 +01:00			`allow hal_camera hal_allocator_server:fd use;`
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a 2016-12-22 21:55:02 +01:00
hal_camera: Allow writing dump info into pipes So dumpsys media.camera can do hal dump without root. Bug: 72261676 Change-Id: Ic7325418bc2ee5dbb005430135f1ccc88b418e8c 2018-02-26 23:08:21 +01:00			`# Needed to provide debug dump output via dumpsys' pipes.`
			`allow hal_camera shell:fd use;`
			`allow hal_camera shell:fifo_file write;`

DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a 2016-12-22 21:55:02 +01:00			`###`
			`### neverallow rules`
			`###`

			`# hal_camera should never execute any executable without a`
			`# domain transition`
Fix CTS regressions Commit 7688161 "hal__(client\|server) => hal(client\|server)domain" added neverallow rules on hal__client attributes while simultaneously expanding these attribute which causes them to fail CTS neverallow tests. Remove these neverallow rules as they do not impose specific security properties that we want to enforce. Modify Other neverallow failures which were imposed on hal_foo attributes and should have been enforced on hal_foo_server attributes instead. Bug: 69566734 Test: cts-tradefed run cts -m CtsSecurityHostTestCases -t \ android.cts.security.SELinuxNeverallowRulesTest CtsSecurityHostTestCases completed in 7s. 627 passed, 1 failed remaining failure appears to be caused by b/68133473 Test: build taimen-user/userdebug Change-Id: I619e71529e078235ed30dc06c60e6e448310fdbc 2017-11-21 06:43:25 +01:00			`neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;`
DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a 2016-12-22 21:55:02 +01:00
			`# hal_camera should never need network access. Disallow network sockets.`
System wide sepolicy changes for aidl camera hals. Bug: 196432585 Test: Camera CTS Change-Id: I0ec0158c9cf82937d6c00841448e6e42f6ff4bb0 Signed-off-by: Jayant Chowdhary <jchowdhary@google.com> 2022-01-20 09:47:54 +01:00			neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
Enforce separation of privilege for HAL driver access Only audio HAL may access audio driver. Only camera HAL may access camera driver. Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow rules are compile time assertions and do not change the on-device policy. Bug: 36185625 Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3 2017-03-14 06:03:10 +01:00
hal_camera: remove video_device restriction Disallowing other HALs access to video_device does not appear to be enforceable. (cherry picked from commit c26dd18aebdf7fccaafd307666a92549f155e5fd) Bug: 37669506 Test: build policy. Neverallow rules are build time test and do not impact the policy binary. Change-Id: Iea401de08a63f3261a461f67b85113a9d838e88a 2017-04-26 06:06:54 +02:00			`# Only camera HAL may directly access the camera hardware`
Enforce separation of privilege for HAL driver access Only audio HAL may access audio driver. Only camera HAL may access camera driver. Test: aosp_marlin and aosp_bullhead policy builds. Note: neverallow rules are compile time assertions and do not change the on-device policy. Bug: 36185625 Change-Id: I1c9edf528080374f5f0d90d3c14d6c3b162484a3 2017-03-14 06:03:10 +01:00			`neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;`