Merge "Add selinux permissions for DeviceAsWebcam Service" am: 870b368ec5

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2410788

Change-Id: I4f2f7feac7862ff525e1ebf15c7ee1f036ca9fb3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot 2023-02-03 02:00:29 +00:00 committed by Automerger Merge Worker
commit d1c26af880
5 changed files with 40 additions and 12 deletions

View file

@ -503,4 +503,20 @@ neverallow {
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
}:file no_x_file_perms;
}:file no_x_file_perms;
# Don't allow apps access to any of the following character devices.
neverallow appdomain {
audio_device
camera_device
dm_device
radio_device
rpmsg_device
}:chr_file { read write };
# Block video device access for all apps except the DeviceAsWebcam Service which
# needs access to /dev/video* for interfacing with the host
neverallow {
appdomain
-device_as_webcam
} video_device:chr_file { read write };

View file

@ -11,6 +11,7 @@
bt_device
build_attestation_prop
credential_service
device_as_webcam
device_config_camera_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop

View file

@ -0,0 +1,21 @@
# Domain for DeviceAsWebcam Service
type device_as_webcam, domain, coredomain, mlstrustedsubject;
app_domain(device_as_webcam)
allow device_as_webcam system_app_data_file:dir create_dir_perms;
allow device_as_webcam system_app_data_file:file create_file_perms;
allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
# enale/disable itself
get_prop(device_as_webcam, usb_uvc_enabled_prop)
# need to access /dev to list all devices
allow device_as_webcam device:dir r_dir_perms;
# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
# be accessed by the DeviceAsWebcam Service.
allow device_as_webcam video_device:dir r_dir_perms;
allow device_as_webcam video_device:chr_file rw_file_perms;

View file

@ -154,6 +154,7 @@ neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
@ -190,4 +191,3 @@ user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file leve
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user

View file

@ -21,16 +21,6 @@ neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
# Access to any of the following character devices.
neverallow appdomain {
audio_device
camera_device
dm_device
radio_device
rpmsg_device
video_device
}:chr_file { read write };
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };