Merge "System wide sepolicy changes for aidl camera hals."

This commit is contained in:
Jayant Chowdhary 2022-02-09 03:08:37 +00:00 committed by Gerrit Code Review
commit b00bf9d282
5 changed files with 11 additions and 1 deletions

View file

@ -23,6 +23,7 @@
extra_free_kbytes_exec
gesture_prop
hal_contexthub_service
hal_camera_service
hal_dice_service
hal_drm_service
hal_dumpstate_service

View file

@ -4,6 +4,9 @@ android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0

View file

@ -35,6 +35,7 @@ allow cameraserver sensor_privacy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
allow cameraserver hal_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };

View file

@ -2,7 +2,11 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
#binder IPC from client to service manager and callbacks
binder_use(hal_camera_server)
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
hal_attribute_service(hal_camera, hal_camera_service)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
@ -32,7 +36,7 @@ allow hal_camera shell:fifo_file write;
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;

View file

@ -268,6 +268,7 @@ type hal_wifi_supplicant_service, vendor_service, protected_service, service_man
type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
type hal_camera_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
type hal_drm_service, vendor_service, service_manager_type;