Adding allows and file_contexts to handle the following camera denials

These were occurring on camera init:
denied { read } for pid=699 comm="CAM_laser_sens" name="input"
dev="tmpfs" ino=17802 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:device:s0 tclass=dir

denied { write } for pid=699 comm="CAM_laser_sens"
name="enable_ps_sensor" dev="sysfs" ino=39968
scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { call } for pid=810 comm="cameraserver"
scontext=u:r:cameraserver:s0 tcontext=u:r:mediacodec:s0 tclass=binder

Bug: 37669506
Test: These denials no longer occur during init
Change-Id: Ie97ab9433efd43da29f18ffa652c43701b3662af
This commit is contained in:
Max Bires
2017-04-25 11:46:28 -07:00
committed by Jeffrey Vander Stoep
parent b13737cc28
commit 93f989ecc1
4 changed files with 11 additions and 0 deletions


@@ -6,3 +6,6 @@ allow cameraserver sysfs_camera:file r_file_perms;
allow cameraserver sysfs_camera:dir search;
allow cameraserver system_server:unix_stream_socket { read write };
# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
binder_call(cameraserver, mediacodec)
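Review bot: `binder_call(cameraserver, mediacodec)` grants more than the single `{ call }` permission in the logged denial; as I recall the macro in AOSP's te_macros, it also allows `transfer` in both directions and `fd use` from mediacodec to cameraserver, so the verification the TODO on the line above asks for should cover that wider grant, not only the call. Tying the TODO to the denial it answers would make it easier to close later, e.g. `# TODO (b/37688918) Verify that this is actually needed and not a violation of treble (added for the cameraserver -> mediacodec { call } denial in b/37669506)`. The hunk header reports three added lines while only two new lines are visible here, so the third is presumably blank.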


@@ -1,12 +1,14 @@
type sysfs_camera, sysfs_type, fs_type;
type sysfs_fingerprint, sysfs_type, fs_type;
type sysfs_graphics, sysfs_type, fs_type;
type sysfs_laser, sysfs_type, fs_type;
type sysfs_mdss_mdp_caps, sysfs_type, fs_type;
type sysfs_msm_subsys, sysfs_type, fs_type;
type sysfs_msm_subsys_restart, sysfs_type, fs_type;
type sysfs_net, sysfs_type, fs_type;
type sysfs_rmtfs, sysfs_type, fs_type;
type sysfs_soc, sysfs_type, fs_type;
type debugfs_ion, debugfs_type, fs_type;
type debugfs_kgsl, debugfs_type, fs_type;
type debugfs_rpm, debugfs_type, fs_type;


@@ -15,6 +15,7 @@
/dev/video([0-9])+ u:object_r:video_device:s0
/dev/media([0-9])+ u:object_r:video_device:s0
/dev/v4l-subdev.* u:object_r:video_device:s0
/dev/input(/.*)? u:object_r:input_device:s0
/dev/qseecom u:object_r:tee_device:s0
/dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0
/dev/seemplog u:object_r:seemplog_device:s0
@@ -130,6 +131,7 @@
/sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)? u:object_r:sysfs_rmtfs:s0
/sys/devices/soc/soc:fp_fpc1020(/.*)? u:object_r:sysfs_fingerprint:s0
/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/devices/virtual/wahoo_laser(/.*)? u:object_r:sysfs_laser:s0
/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
/sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/module/tcp_cubic/parameters(/.*)? u:object_r:sysfs_net:s0
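Review bot: The `/dev/input(/.*)? u:object_r:input_device:s0` entry in the first hunk looks like a duplicate of a rule I believe the platform file_contexts already carries, yet the logged denial shows the directory with the generic `device:s0` label; if the platform entry is present, the copy here is harmless, but the open question is why the label was not applied on this build, which is worth confirming before treating this line as the fix. The `wahoo_laser(/.*)?` entry in the second hunk relabels the whole subtree, so every node under it becomes writable through the `sysfs_laser:file w_file_perms` grant in hal_camera_default.te, whereas the denial names only `enable_ps_sensor`; if that is the only node the HAL writes, a comment saying so, or a narrower pattern, would record the intended scope.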


@@ -1,2 +1,6 @@
# TODO(b/36569385): Remove once Camera HAL no longer uses Binder
typeattribute hal_camera_default binder_in_vendor_violators;
allow hal_camera_default input_device:dir r_dir_perms;
allow hal_camera_default sysfs_laser:file w_file_perms;
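Review bot: `allow hal_camera_default sysfs_laser:file w_file_perms;` grants at least open, append, write and lock on every file labelled sysfs_laser, while the logged denial is a single `write` to `enable_ps_sensor`; because the file_contexts relabel covers the whole wahoo_laser subtree, a short why-comment naming the node would record the intended scope, e.g. `# CAM_laser_sens writes enable_ps_sensor under /sys/devices/virtual/wahoo_laser`. The `input_device:dir r_dir_perms` line deliberately stops at directory listing with no `chr_file` access, which matches the `dir read` denial and is worth stating in a comment as well. The hunk header counts four added lines but only two new allow lines are visible here, so the remainder are presumably blank.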