Add camera HAL sepolicy based on previous chip family.

The camera HAL code is reused from the previous chip and needs to perform the same operations as previously, with the following differences: - The interrupt affinity workaround may no longer be necessary due to image sensor changes, so the ability to set interrupt affinity is removed. - Access to some files that were only present before the APEX migration is removed. - vendor_camera_tuning_file is no longer needed. - TEE access for face auth is removed for now. Bug: 205904406 Bug: 205657132 Bug: 205780186 Bug: 205072921 Bug: 205657133 Bug: 205780065 Bug: 204718762 Bug: 207300298 Bug: 209889068 Bug: 210067468 Test: Ensure that the policy builds; I don't have access to target hardware at the moment. Change-Id: Ia70b98d4e1f3a156a5e719f0d069a90579b6a247
2026-02-01 05:38:17 +00:00 · 2022-01-25 21:34:37 +00:00
parent ef2c46c2f4
commit b76b5e3872
4 changed files with 78 additions and 53 deletions
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -1,54 +1,7 @@
-# b/204718762
-dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
-dontaudit hal_camera_default hal_power_service:service_manager { find };
 # b/205072921
 dontaudit hal_camera_default kernel:process { setsched };
-dontaudit hal_camera_default vendor_camera_prop:file { getattr };
-dontaudit hal_camera_default vendor_camera_prop:file { map };
-dontaudit hal_camera_default vendor_camera_prop:file { open };
-dontaudit hal_camera_default vendor_camera_prop:file { read };
-dontaudit hal_camera_default vendor_camera_prop:property_service { set };
-# b/205657133
-dontaudit hal_camera_default edgetpu_device:chr_file { ioctl };
-dontaudit hal_camera_default edgetpu_device:chr_file { map };
-dontaudit hal_camera_default edgetpu_device:chr_file { open };
-dontaudit hal_camera_default edgetpu_device:chr_file { read write };
-dontaudit hal_camera_default gpu_device:chr_file { getattr };
-dontaudit hal_camera_default gpu_device:chr_file { ioctl };
-dontaudit hal_camera_default gpu_device:chr_file { map };
-dontaudit hal_camera_default gpu_device:chr_file { open };
-dontaudit hal_camera_default gpu_device:chr_file { read write };
-dontaudit hal_camera_default lwis_device:chr_file { ioctl };
-dontaudit hal_camera_default lwis_device:chr_file { open };
-dontaudit hal_camera_default lwis_device:chr_file { read };
-dontaudit hal_camera_default lwis_device:chr_file { write };
-dontaudit hal_camera_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_camera_default vndbinder_device:chr_file { map };
-dontaudit hal_camera_default vndbinder_device:chr_file { open };
-dontaudit hal_camera_default vndbinder_device:chr_file { read };
-dontaudit hal_camera_default vndbinder_device:chr_file { write };
 # b/205780065
-dontaudit hal_camera_default apex_info_file:file { getattr };
-dontaudit hal_camera_default apex_info_file:file { open };
-dontaudit hal_camera_default apex_info_file:file { read };
-dontaudit hal_camera_default apex_info_file:file { watch };
-dontaudit hal_camera_default mnt_vendor_file:dir { search };
-dontaudit hal_camera_default persist_file:dir { search };
 dontaudit hal_camera_default system_data_file:dir { search };
-dontaudit hal_camera_default vendor_camera_data_file:dir { getattr };
-dontaudit hal_camera_default vendor_camera_data_file:dir { open };
-dontaudit hal_camera_default vendor_camera_data_file:dir { read };
-dontaudit hal_camera_default vendor_camera_data_file:dir { search };
-dontaudit hal_camera_default vendor_camera_data_file:file { open };
-dontaudit hal_camera_default vendor_camera_data_file:file { read };
 # b/205904406
-dontaudit hal_camera_default hal_camera_default:capability { sys_nice };
-dontaudit hal_camera_default hal_power_default:binder { call };
-dontaudit hal_camera_default hal_radioext_default:binder { call };
 dontaudit hal_camera_default init:unix_stream_socket { connectto };
 dontaudit hal_camera_default property_socket:sock_file { write };
-dontaudit hal_camera_default system_server:binder { call };
-# b/207300298
-dontaudit hal_camera_default vendor_camera_data_file:file { getattr };
-# b/210067468
-dontaudit hal_camera_default persist_camera_file:dir { search };
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -1,13 +1,80 @@
-hal_client_domain(hal_camera_default, hal_power);
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_vendor_server)
-binder_use(hal_camera_default)

-allow hal_camera_default fwk_stats_service:service_manager find;
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;

-# Allow camera HAL to query preferred camera frequencies from the radio HAL
-# extensions to avoid interference with cellular antennas.
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+  allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+set_prop(hal_camera_default, log_tag_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+  set_prop(hal_camera_default, vendor_camera_fatp_prop);
+  set_prop(hal_camera_default, vendor_camera_debug_prop);
+')

 # For camera hal to talk with rlsservice
 allow hal_camera_default rls_service:service_manager find;
 binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -12,6 +12,8 @@ vendor_internal_prop(vendor_secure_element_prop)
 vendor_internal_prop(vendor_battery_profile_prop)
 vendor_internal_prop(vendor_battery_defender_prop)
 vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_usb_config_prop)
 vendor_internal_prop(vendor_tcpdump_log_prop)
 vendor_internal_prop(vendor_device_prop)
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -71,7 +71,10 @@ vendor.wlan.firmware.version               u:object_r:vendor_wifi_version:s0
 ro.vendor.hwc.drm.device                   u:object_r:vendor_display_prop:s0

 # Camera
+persist.vendor.camera.                     u:object_r:vendor_camera_prop:s0
 vendor.camera.                             u:object_r:vendor_camera_prop:s0
+vendor.camera.debug.                       u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp.                        u:object_r:vendor_camera_fatp_prop:s0

 # for logger app
 persist.vendor.pixellogger.                u:object_r:vendor_logger_prop:s0