Merge "System wide sepolicy changes for aidl camera hals."
commit
b00bf9d282
5 changed files with 11 additions and 1 deletions
|
@ -23,6 +23,7 @@
|
|||
extra_free_kbytes_exec
|
||||
gesture_prop
|
||||
hal_contexthub_service
|
||||
hal_camera_service
|
||||
hal_dice_service
|
||||
hal_drm_service
|
||||
hal_dumpstate_service
|
||||
|
|
|
@ -4,6 +4,9 @@ android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:
|
|||
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
|
||||
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
|
||||
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
|
||||
# The instance here is internal/0 following naming convention for ICameraProvider.
|
||||
# It advertises internal camera devices.
|
||||
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
|
||||
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
|
||||
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
|
||||
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
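Review bot: Only the `internal/0` instance of ICameraProvider is labelled by the entry added in this section, so a provider registered under any other instance name would not receive `hal_camera_service` from this file. The comment implies the instance name encodes the device class; if other instances are expected on some devices, it would help to extend it, for example `# Other ICameraProvider instances must be labelled in the device's own service_contexts.`. That keeps an unlabelled instance from being mistaken for a platform policy bug. Whether an exact-match entry or a broader pattern was intended is not visible here.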
|
||||
|
|
|
@ -35,6 +35,7 @@ allow cameraserver sensor_privacy_service:service_manager find;
|
|||
allow cameraserver surfaceflinger_service:service_manager find;
|
||||
|
||||
allow cameraserver hidl_token_hwservice:hwservice_manager find;
|
||||
allow cameraserver hal_camera_service:service_manager find;
|
||||
|
||||
# Allow to talk with surfaceflinger through unix stream socket
|
||||
allow cameraserver surfaceflinger:unix_stream_socket { read write };
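Review bot: The `allow cameraserver hal_camera_service:service_manager find;` rule in this section may duplicate what `hal_attribute_service(hal_camera, hal_camera_service)` in the camera HAL policy grants to camera HAL clients, if cameraserver is declared as such a client. That declaration is not visible on this page, so this is a question rather than a finding. If it is a client, dropping the explicit rule keeps the find permission defined in one place, which makes later audits of who can reach the service simpler. If it is not, a short comment such as `# Look up the AIDL camera provider` would record why cameraserver needs the rule.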
|
||||
|
|
|
@ -2,7 +2,11 @@
|
|||
binder_call(hal_camera_client, hal_camera_server)
|
||||
binder_call(hal_camera_server, hal_camera_client)
|
||||
|
||||
#binder IPC from client to service manager and callbacks
|
||||
binder_use(hal_camera_server)
|
||||
|
||||
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
|
||||
hal_attribute_service(hal_camera, hal_camera_service)
|
||||
|
||||
allow hal_camera device:dir r_dir_perms;
|
||||
allow hal_camera video_device:dir r_dir_perms;
|
||||
|
@ -32,7 +36,7 @@ allow hal_camera shell:fifo_file write;
|
|||
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
|
||||
|
||||
# hal_camera should never need network access. Disallow network sockets.
|
||||
neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
|
||||
neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
|
||||
|
||||
# Only camera HAL may directly access the camera hardware
|
||||
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
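Review bot: The comment above the socket neverallow still reads "Disallow network sockets", but the rule in the second hunk now uses `{ domain userdebug_or_eng(`-su') }` as the target. On userdebug and eng builds the assertion therefore no longer covers tcp, udp or rawip sockets labelled `su`. A neverallow is a build-time assertion rather than a grant, so nothing is allowed by this line alone, but it does stop the build from rejecting a later allow rule against `su` sockets. The hunk does not say why the exception is needed. I would add a comment next to the rule, for example `# su is exempted on userdebug/eng only; user builds keep the full neverallow.`, plus the case that motivated it, so the carve-out is not widened later by analogy.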
|
||||
|
|
|
@ -268,6 +268,7 @@ type hal_wifi_supplicant_service, vendor_service, protected_service, service_man
|
|||
type hal_audio_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_audiocontrol_service, vendor_service, service_manager_type;
|
||||
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_camera_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_dice_service, vendor_service, protected_service, service_manager_type;
|
||||
type hal_drm_service, vendor_service, service_manager_type;
|
||||
|
|