From 93f989ecc198fedfddedb55507692f861c433e4a Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Tue, 25 Apr 2017 11:46:28 -0700
Subject: [PATCH] Adding allows and file_contexts to handle the following camera denials

These were occuring on camera init:
denied { read } for pid=699 comm="CAM_laser_sens" name="input" dev="tmpfs" ino=17802 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:device:s0 tclass=dir
denied { write } for pid=699 comm="CAM_laser_sens" name="enable_ps_sensor" dev="sysfs" ino=39968 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file
denied { call } for pid=810 comm="cameraserver" scontext=u:r:cameraserver:s0 tcontext=u:r:mediacodec:s0 tclass=binder

Bug: 37669506
Test: These denials no longer occur during init
Change-Id: Ie97ab9433efd43da29f18ffa652c43701b3662af
---
 sepolicy/cameraserver.te | 3 +++
 sepolicy/file.te | 2 ++
 sepolicy/file_contexts | 2 ++
 sepolicy/hal_camera_default.te | 4 ++++
 4 files changed, 11 insertions(+)

diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
index 95c6b2a8..d29d473d 100644
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@@ -6,3 +6,6 @@
 allow cameraserver sysfs_camera:file r_file_perms;
 allow cameraserver sysfs_camera:dir search;
 allow cameraserver system_server:unix_stream_socket { read write };
+
+# TODO (b/37688918) Verify that this is actually needed and not a violation of treble
+binder_call(cameraserver, mediacodec)
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 872ee20c..35c5f86c 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
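Review bot: `binder_call(cameraserver, mediacodec)` grants more than the single `{ call }` denial quoted in the commit message: the macro also permits binder `transfer` in both directions between the two domains, and it opens a system-to-vendor binder path that the in-hunk TODO already flags as a possible Treble violation. If the rule has to stay until b/37688918 is resolved, the comment should record what was actually observed so the rule can be narrowed or dropped later, e.g. `# Observed: cameraserver -> mediacodec binder call during camera init (b/37669506); binder_call also grants transfer both ways, revisit with b/37688918.`. The hunk starts at line 6 of cameraserver.te, so the earlier rules of the file are outside this view.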
@@ -1,12 +1,14 @@
 type sysfs_camera, sysfs_type, fs_type;
 type sysfs_fingerprint, sysfs_type, fs_type;
 type sysfs_graphics, sysfs_type, fs_type;
+type sysfs_laser, sysfs_type, fs_type;
 type sysfs_mdss_mdp_caps, sysfs_type, fs_type;
 type sysfs_msm_subsys, sysfs_type, fs_type;
 type sysfs_msm_subsys_restart, sysfs_type, fs_type;
 type sysfs_net, sysfs_type, fs_type;
 type sysfs_rmtfs, sysfs_type, fs_type;
 type sysfs_soc, sysfs_type, fs_type;
+
 type debugfs_ion, debugfs_type, fs_type;
 type debugfs_kgsl, debugfs_type, fs_type;
 type debugfs_rpm, debugfs_type, fs_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 89714bb6..c1201ea8 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -15,6 +15,7 @@
 /dev/video([0-9])+ u:object_r:video_device:s0
 /dev/media([0-9])+ u:object_r:video_device:s0
 /dev/v4l-subdev.* u:object_r:video_device:s0
+/dev/input(/.*)? u:object_r:input_device:s0
 /dev/qseecom u:object_r:tee_device:s0
 /dev/qsee_ipc_irq_spss u:object_r:qsee_ipc_irq_spss_device:s0
 /dev/seemplog u:object_r:seemplog_device:s0
@@ -130,6 +131,7 @@
 /sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)? u:object_r:sysfs_rmtfs:s0
 /sys/devices/soc/soc:fp_fpc1020(/.*)? u:object_r:sysfs_fingerprint:s0
 /sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/wahoo_laser(/.*)? u:object_r:sysfs_laser:s0
 /sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
 /sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
 /sys/module/tcp_cubic/parameters(/.*)? u:object_r:sysfs_net:s0
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index 216eece4..c0d3bc87 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,2 +1,6 @@
 # TODO(b/36569385): Remove once Camera HAL no longer uses Binder
 typeattribute hal_camera_default binder_in_vendor_violators;
+
+allow hal_camera_default input_device:dir r_dir_perms;
+
+allow hal_camera_default sysfs_laser:file w_file_perms;
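Review bot: The new `/dev/input(/.*)?` entry in file_contexts relabels the whole input-device tree from the generic `device` label the denial shows (`tcontext=u:object_r:device:s0`) to `input_device`, which changes what every domain that currently reaches those nodes may do, not only hal_camera_default. Before merging, confirm that the other consumers of /dev/input on this device already carry `input_device` rules; the core policy normally labels this path the same way, so the practical impact may be small, but the denial suggests that label was not being applied in this build. The second file_contexts hunk likewise labels the entire `/sys/devices/virtual/wahoo_laser(/.*)?` subtree `sysfs_laser`, while only `enable_ps_sensor` appears in the denial; if that attribute sits directly under the directory, a narrower pattern such as `/sys/devices/virtual/wahoo_laser/enable_ps_sensor u:object_r:sysfs_laser:s0` would keep the write grant in hal_camera_default.te limited to the one attribute that needs it.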
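Review bot: `allow hal_camera_default sysfs_laser:file w_file_perms;` grants write access to every file carrying the new sysfs_laser label, whereas the commit message shows a single denied write on `enable_ps_sensor`; the grant is only as narrow as the file_contexts pattern, so either the pattern or a comment should pin the intent. The `input_device:dir r_dir_perms` rule matches the `{ read }` on the directory in the denial but grants nothing on the event nodes inside it, so if CAM_laser_sens goes on to open one, a follow-up `chr_file` denial is likely (inferred, not shown here). Neither new rule carries a comment; suggest `# CAM_laser_sens enumerates /dev/input and toggles the laser sensor via enable_ps_sensor (b/37669506)` above them, in the style of the existing TODO on line 1.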