Merge "Add selinux permissions for DeviceAsWebcam Service" am: 870b368ec5
Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410788 Change-Id: I4f2f7feac7862ff525e1ebf15c7ee1f036ca9fb3 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
commit
d1c26af880
5 changed files with 40 additions and 12 deletions
|
@ -503,4 +503,20 @@ neverallow {
|
|||
-dalvikcache_data_file
|
||||
-system_data_file # shared libs in apks
|
||||
-apk_data_file
|
||||
}:file no_x_file_perms;
|
||||
}:file no_x_file_perms;
|
||||
|
||||
# Don't allow apps access to any of the following character devices.
|
||||
neverallow appdomain {
|
||||
audio_device
|
||||
camera_device
|
||||
dm_device
|
||||
radio_device
|
||||
rpmsg_device
|
||||
}:chr_file { read write };
|
||||
|
||||
# Block video device access for all apps except the DeviceAsWebcam Service which
|
||||
# needs access to /dev/video* for interfacing with the host
|
||||
neverallow {
|
||||
appdomain
|
||||
-device_as_webcam
|
||||
} video_device:chr_file { read write };
|
||||
|
|
|
@ -11,6 +11,7 @@
|
|||
bt_device
|
||||
build_attestation_prop
|
||||
credential_service
|
||||
device_as_webcam
|
||||
device_config_camera_native_prop
|
||||
device_config_memory_safety_native_boot_prop
|
||||
device_config_memory_safety_native_prop
|
||||
|
|
21
private/device_as_webcam.te
Normal file
21
private/device_as_webcam.te
Normal file
|
@ -0,0 +1,21 @@
|
|||
# Domain for DeviceAsWebcam Service
|
||||
type device_as_webcam, domain, coredomain, mlstrustedsubject;
|
||||
|
||||
app_domain(device_as_webcam)
|
||||
|
||||
allow device_as_webcam system_app_data_file:dir create_dir_perms;
|
||||
allow device_as_webcam system_app_data_file:file create_file_perms;
|
||||
|
||||
allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
|
||||
|
||||
# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
|
||||
# enale/disable itself
|
||||
get_prop(device_as_webcam, usb_uvc_enabled_prop)
|
||||
|
||||
# need to access /dev to list all devices
|
||||
allow device_as_webcam device:dir r_dir_perms;
|
||||
|
||||
# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
|
||||
# be accessed by the DeviceAsWebcam Service.
|
||||
allow device_as_webcam video_device:dir r_dir_perms;
|
||||
allow device_as_webcam video_device:chr_file rw_file_perms;
|
|
@ -154,6 +154,7 @@ neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
|
|||
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
|
||||
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
|
||||
user=system seinfo=platform domain=system_app type=system_app_data_file
|
||||
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
|
||||
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
|
||||
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
|
||||
user=nfc seinfo=platform domain=nfc type=nfc_data_file
|
||||
|
@ -190,4 +191,3 @@ user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file leve
|
|||
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
|
||||
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
|
||||
user=_app fromRunAs=true domain=runas_app levelFrom=user
|
||||
|
||||
|
|
|
@ -21,16 +21,6 @@ neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
|
|||
# Block device access.
|
||||
neverallow appdomain dev_type:blk_file { read write };
|
||||
|
||||
# Access to any of the following character devices.
|
||||
neverallow appdomain {
|
||||
audio_device
|
||||
camera_device
|
||||
dm_device
|
||||
radio_device
|
||||
rpmsg_device
|
||||
video_device
|
||||
}:chr_file { read write };
|
||||
|
||||
# Note: Try expanding list of app domains in the future.
|
||||
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
|
||||
|
||||
|
|
Loading…
Reference in a new issue