Commit graph

29 commits

Author SHA1 Message Date
Hridya Valsaraju
8d5403c517 Add missing permission for accessing the DMA-BUF system heap
This patch fixes the following denials:

avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="BootAnimation"
path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:bootanim:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs"
ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1

Bug: 178865267
Test: boot without these denials
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07
2021-03-03 14:22:48 -08:00
Evan Severson
5fa543a26b Allow cameraserver to use package manager native
Test: Mnaual
Bug: 162549680
Change-Id: I77681bf2e21ab8bf5ab24e683bb2eed50c4c53ce
2021-02-26 12:42:56 -08:00
Pawin Vongmasa
609c243dd0 Properly define hal_codec2 and related policies
Test: make cts -j123 && cts-tradefed run cts-dev -m \
CtsMediaTestCases --compatibility:module-arg \
CtsMediaTestCases:include-annotation:\
android.platform.test.annotations.RequiresDevice

Bug: 131677974
Change-Id: I59c3d225499a8c53c2ed9f3bd677ff3d7423990b
2019-05-23 03:53:47 -07:00
Shuzhen Wang
2c3b7241fd Allow cameraserver to access tmpfs am: 248633385e am: 410a5f08d3
am: 2f0b7676cf

Change-Id: I04cfd417f8de49138d27ac2ee09d87c493a63a4e
2019-01-29 21:59:51 -08:00
Shuzhen Wang
043d6165cc Revert "Cameraserver: Allow cameraserver to access /data/misc/cameraserver" am: 6b4caaa3e8 am: e588655bb9
am: e828b68c69

Change-Id: I2f7bea04a595a7c18d915d354a833581a08ec556
2019-01-29 21:58:14 -08:00
Shuzhen Wang
248633385e Allow cameraserver to access tmpfs
Bug: 79465976
Test: testHeic CTS test
Change-Id: I51eb485dc29d869c5d35fc317b0e008d04bdcbad
2019-01-30 05:31:42 +00:00
Shuzhen Wang
6b4caaa3e8 Revert "Cameraserver: Allow cameraserver to access /data/misc/cameraserver"
This reverts commit 4e1497c7c0.

Reason for revert: Write temporary file to in-memory tmpfs instead

Test: testHeic CTS test
Bug: 123526741
Change-Id: Ifa7f5a0b50c46ee3e1a5695595233b17adc99222
2019-01-29 23:29:05 +00:00
Shuzhen Wang
bdcc2e6c5f Cameraserver: Allow cameraserver to access /data/misc/cameraserver am: 4e1497c7c0 am: 33898587ef
am: 588ea7beb8

Change-Id: I4cee94a2540767c54eecedb9d40943f35186be21
2019-01-28 09:13:15 -08:00
Shuzhen Wang
749065a516 Cameraserver: Allow camera server to talk to MediaCodec am: 8db7e4a7fa am: b1a7f25f58
am: 53eccb65a7

Change-Id: If3cc713bf8e61cebf9ba1d4b3255aabdf7b78855
2019-01-28 09:12:50 -08:00
Shuzhen Wang
4e1497c7c0 Cameraserver: Allow cameraserver to access /data/misc/cameraserver
Test: Cameraserver writes/reads/overwrites files in the folder
Bug: 79465976
Change-Id: I76460844a8e02e4c6ce704b85c72e57f861f5b18
2019-01-28 07:32:00 -08:00
Shuzhen Wang
8db7e4a7fa Cameraserver: Allow camera server to talk to MediaCodec
Test: Verify that cameraserver can call MediaCodec functions
Bug: 79465976
Change-Id: I145d2aac5004bf0d9432c3d5dd4d6dcd672374be
2019-01-28 07:32:00 -08:00
Michael Groover
ee3a142e51 Add sepolicy for cameraserver to find sensor_privacy_service
Test: Manually verified apps cannot use the camera when sensor privacy \
      is enabled.
Bug: 110842805

Change-Id: Idd0fb204205dffd49689d74b9d87fa613347c752
2018-12-19 11:05:07 -08:00
Jayant Chowdhary
039d4151da Add selinux rules for HIDL ICameraServer.
Bug: 110364143

Test: lshal->android.frameworks.cameraservice.service@2.0::ICameraService/default
      is registered.

Change-Id: I689ca5a570c169581b2bfb9d117fcdafced0a7e0
Signed-off-by: Jayant Chowdhary <jchowdhary@google.com>
2018-11-12 10:42:29 -08:00
Nick Kralevich
5e37271df8 Introduce system_file_type
system_file_type is a new attribute used to identify files which exist
on the /system partition. It's useful for allow rules in init, which are
based off of a blacklist of writable files. Additionally, it's useful
for constructing neverallow rules to prevent regressions.

Additionally, add commented out tests which enforce that all files on
the /system partition have the system_file_type attribute. These tests
will be uncommented in a future change after all the device-specific
policies are cleaned up.

Test: Device boots and no obvious problems.
Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 12:52:09 -07:00
huans
a6acef9a9e Add shell:fifo_file permission for cameraserver
Bug: 73952536
Test: run cts -m CtsCameraTestCases -t android.hardware.camera2.cts.IdleUidTest#testCameraAccessBecomingInactiveUid
Change-Id: I508352671367dfa106e80108c3a5c0255b5273b2
2018-02-28 16:12:40 -08:00
Eino-Ville Talvala
c41a7bd121 Cameraserver: Allow shell user to use 'cmd media.camera'
Test: atest cts/tests/camera/src/android/hardware/camera2/cts/IdleUidTest.java
Change-Id: Id9adcec4db2e55f2e41ebd1b018ebc40aa0be404
2018-01-22 17:10:12 -08:00
Svet Ganov
9139ea1b2a No camera for idle uids - selinux
If a UID is idle (being in the background for more than
cartain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an eror and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.

Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
      Added - CameraTest#testCameraAccessForIdleUid

Change-Id: I9ab3d6ec99764a93638746f18912ed60d299015f
2018-01-15 16:12:06 -08:00
Alex Klyubin
53656c1742 Restrict access to hwservicemanager
This adds fine-grained policy about who can register and find which
HwBinder services in hwservicemanager.

Test: Play movie in Netflix and Google Play Movies
Test: Play video in YouTube app and YouTube web page
Test: In Google Camera app, take photo (HDR+ and conventional),
      record video (slow motion and normal), and check that photos
      look fine and videos play back with sound.
Test: Cast screen to a Google Cast device
Test: Get location fix in Google Maps
Test: Make and receive a phone call, check that sound works both ways
      and that disconnecting the call frome either end works fine.
Test: Run RsHelloCompute RenderScript demo app
Test: Run fast subset of media CTS tests:
      make and install CtsMediaTestCases.apk
      adb shell am instrument -e size small \
          -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner'
Test: Play music using Google Play music
Test: Adjust screen brightness via the slider in Quick Settings
Test: adb bugreport
Test: Enroll in fingerprint screen unlock, unlock screen using
      fingerprint
Test: Apply OTA update:
      Make some visible change, e.g., rename Settings app.
      make otatools && \
      make dist
      Ensure device has network connectivity
      ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip
      Confirm the change is now live on the device
Bug: 34454312
(cherry picked from commit 632bc494f1)
Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3
Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31
2017-04-21 09:54:53 -07:00
Martijn Coenen
de2e79c58f Give apps, cameraserver, and system_server access to sync fences.
Since hal_graphics_composer_default is now no longer
a member of binderservicedomain, these domains would
no longer be able to use filedescriptors from it.

Bug: 36569525
Bug: 35706331
Test: marlin boots, YouTube, Maps, Camera, video
Change-Id: I4c110cf7530983470ae079e4fbc8cf11aa0fab7f
2017-04-14 23:05:39 +00:00
Alex Klyubin
ab2c681fb1 Policy for Camera HAL HwBinder service
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.

Test: Use Google Camera app to take HDR+ photo, conventional photo,
      record video with sound, record slow motion video with sound.
      Check that the photos display correctly and that videos play
      back fine and with sound. Check that there are no SELinux
      denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
2017-04-13 10:31:04 -07:00
Alex Klyubin
57ab001530 Remove unnecessary binder_call from cameraserver
This is a follow-up to 9339168688
which added both
hal_client_domain(cameraserver, hal_graphics_allocator) and
binder_call(cameraserver, hal_graphics_allocator). The latter
binder_call rule is no longer needed because it is automatically
granted by virtue of cameraserver being marked as a client of
Graphics Allocator HAL --
see 49274721b3.

Test: Take a photo (both HDR and conventional) using Google Camera
Test: Record video using Google Camera
Test: Record slow motion video using Google Camera
Test: No denials to do with cameraserver and hal_graphics_allocator*
Bug: 34170079
Change-Id: If93fe310fa62923b5107a7e78d158f6e4b4d0b3a
2017-03-21 12:39:13 -07:00
Yin-Chia Yeh
9339168688 Camera: allow cameraserver access hal_graphics_allocator
Test: Google camera app snapshot/record/
      slow motion recording
Bug: 36383997
Change-Id: I565fb441aec529464474e0dd0e01dbfe0b167c82
2017-03-20 15:51:08 -07:00
Nick Kralevich
38c12828da Add documentation on neverallow rules
Better document the reasons behind the neverallow for tcp/udp sockets.

Test: policy compiles.
Change-Id: Iee386af3be6fc7495addc9300b5628d0fe61c8e9
2017-02-17 22:37:23 +00:00
Alex Klyubin
3a8426bf89 Switch Camera HAL policy to _client/_server
This switches Camera HAL policy to the design which enables us to
conditionally remove unnecessary rules from domains which are clients
of Camera HAL.

Domains which are clients of Camera HAL, such as cameraserver domain,
are granted rules targeting hal_camera only when the Camera HAL runs
in passthrough mode (i.e., inside the client's process). When the HAL
runs in binderized mode (i.e., in another process/domain, with clients
talking to the HAL over HwBinder IPC), rules targeting hal_camera are
not granted to client domains.

Domains which offer a binderized implementation of Camera HAL, such
as hal_camera_default domain, are always granted rules targeting
hal_camera.

Test: Take non-HDR photo using Google Camera app
Test: Take HDR photo using Google Camera app
Test: Record video using Google Camera app
Bug: 34170079
Change-Id: I463646cf79fede57f11ccd4ec2cbc37a4fff141e
2017-02-16 20:37:21 -08:00
Yin-Chia Yeh
8a6d397f48 Camera: grant system file perm for Treble
Test: Google Camera app working
Bug: 34786432
Change-Id: Ie14ac8a58a331f96a56fb6fc09318e2d737c4076
2017-01-30 14:52:21 -08:00
William Roberts
606d2fd665 te_macros: introduce add_service() macro
Introduce the add_service() macro which wraps up add/find
permissions for the source domain with a neverallow preventing
others from adding it. Only a particular domain should
add a particular service.

Use the add_service() macro to automatically add a neverallow
that prevents other domains from adding the service.

mediadrmserver was adding services labeled mediaserver_service.
Drop the add permission as it should just need the find
permission.

Additionally, the macro adds the { add find } permission which
causes some existing neverallow's to assert. Adjust those
neverallow's so "self" can always find.

Test: compile and run on hikey and emulator. No new denials were
found, and all services, where applicable, seem to be running OK.

Change-Id: Ibbd2a5304edd5f8b877bc86852b0694732be993c
Signed-off-by: William Roberts <william.c.roberts@intel.com>
2017-01-26 04:43:16 +00:00
Eino-Ville Talvala
9c43a3ff10 DO NOT MERGE: Camera: Add initial Treble camera HAL sepolicy
- Allow cameraservice to talk to hwbinder, hwservicemanager
- Allow hal_camera to talk to the same interfaces as cameraservice

Test: Compiles, confirmed that cameraservice can call hwservicemanager
Bug: 32991422
Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a
2017-01-18 12:02:36 -08:00
Chia-I Wu
dd958e5a21 Add sepolicy for gralloc-alloc HAL
Allow SurfaceFlinger to call into IAllocator, and allow everyone to access
IAllocator's fd.

Specifically,

hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_allocator:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1

allow ... ion_device:chr_file r_file_perms for
avc: denied { read } for name="ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/ion" dev="tmpfs" ino=15014 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1

allow ... gpu_device:chr_file rw_file_perms; for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_allocator:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=binder permissive=1

allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_allocator:s0 tclass=fd permissive=1

Bug: 32021161
Test: make bootimage
Change-Id: Ie7700142313407ac438c43dd1a85544dc4c67f13
2016-11-14 01:09:51 +00:00
dcashman
cc39f63773 Split general policy into public and private components.
Divide policy into public and private components.  This is the first
step in splitting the policy creation for platform and non-platform
policies.  The policy in the public directory will be exported for use
in non-platform policy creation.  Backwards compatibility with it will
be achieved by converting the exported policy into attribute-based
policy when included as part of the non-platform policy and a mapping
file will be maintained to be included with the platform policy that
maps exported attributes of previous versions to the current platform
version.

Eventually we would like to create a clear interface between the
platform and non-platform device components so that the exported policy,
and the need for attributes is minimal.  For now, almost all types and
avrules are left in public.

Test: Tested by building policy and running on device.

Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
2016-10-06 13:09:06 -07:00
Renamed from cameraserver.te (Browse further)