Allow Hexagon DSP access to GoogleCamera application

- Add custom domain for GoogleCamera, with QDSP access - Add app cert for Google apps - Add new hexagon_halide_file type, apply it to two critical DSP libraries, and grant GoogleCamera access to them. - Also allow tango_core access to hexagon_halide_file - Remove /vendor/lib/libhalide_hexagon_host from same_process_hal_file, it's not used by anything currently. - Move access to persist.camera.* properties to the generic app domain Test: GoogleCamera able to use Hexagon for HDR+ Bug: 62712071 Bug: 62341955 Change-Id: I2c49c35d9f90d07b148a2f27d0f8128f99b55b6c
2026-02-01 07:50:47 +00:00 · 2017-06-15 09:04:49 -07:00
parent 99be275e1e
commit 9da8401acb
10 changed files with 87 additions and 5 deletions
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,2 @@
+# For the camera app
+get_prop(appdomain, camera_prop)
--- a/sepolicy/vendor/certs/app.x509.pem
+++ b/sepolicy/vendor/certs/app.x509.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEqDCCA5CgAwIBAgIJANWFuGx90071MA0GCSqGSIb3DQEBBAUAMIGUMQswCQYD
+VQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4g
+VmlldzEQMA4GA1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UE
+AxMHQW5kcm9pZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTAe
+Fw0wODA0MTUyMzM2NTZaFw0zNTA5MDEyMzM2NTZaMIGUMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4G
+A1UEChMHQW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9p
+ZDEiMCAGCSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbTCCASAwDQYJKoZI
+hvcNAQEBBQADggENADCCAQgCggEBANbOLggKv+IxTdGNs8/TGFy0PTP6DHThvbbR
+24kT9ixcOd9W+EaBPWW+wPPKQmsHxajtWjmQwWfna8mZuSeJS48LIgAZlKkpFeVy
+xW0qMBujb8X8ETrWy550NaFtI6t9+u7hZeTfHwqNvacKhp1RbE6dBRGWynwMVX8X
+W8N1+UjFaq6GCJukT4qmpN2afb8sCjUigq0GuMwYXrFVee74bQgLHWGJwPmvmLHC
+69EH6kWr22ijx4OKXlSIx2xT1AsSHee70w5iDBiK4aph27yH3TxkXy9V89TDdexA
+cKk/cVHYNnDBapcavl7y0RiQ4biu8ymM8Ga/nmzhRKya6G0cGw8CAQOjgfwwgfkw
+HQYDVR0OBBYEFI0cxb6VTEM8YYY6FbBMvAPyT+CyMIHJBgNVHSMEgcEwgb6AFI0c
+xb6VTEM8YYY6FbBMvAPyT+CyoYGapIGXMIGUMQswCQYDVQQGEwJVUzETMBEGA1UE
+CBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEQMA4GA1UEChMH
+QW5kcm9pZDEQMA4GA1UECxMHQW5kcm9pZDEQMA4GA1UEAxMHQW5kcm9pZDEiMCAG
+CSqGSIb3DQEJARYTYW5kcm9pZEBhbmRyb2lkLmNvbYIJANWFuGx90071MAwGA1Ud
+EwQFMAMBAf8wDQYJKoZIhvcNAQEEBQADggEBABnTDPEF+3iSP0wNfdIjIz1AlnrP
+zgAIHVvXxunW7SBrDhEglQZBbKJEk5kT0mtKoOD1JMrSu1xuTKEBahWRbqHsXcla
+XjoBADb0kkjVEJu/Lh5hgYZnOjvlba8Ld7HCKePCVePoTJBdI4fvugnL8TsgK05a
+IskyY0hKI9L8KfqfGTl1lzOv2KoWD0KWwtAWPoGChZxmQ+nBli+gwYMzM1vAkP+a
+ayLe0a1EQimlOalO762r0GXO0ks+UeXde2Z4e+8S/pf7pITEI/tP+MxJTALw9QUW
+Ev9lKTk+jkbqxbsh8nfBUapfKqYn0eidpwq2AzVp3juYl7//fKnaPhJD9gs=
+-----END CERTIFICATE-----
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -69,3 +69,5 @@ type sysfs_data, fs_type, sysfs_type;

 #diag sysfs files
 type sysfs_diag, fs_type, sysfs_type;
+
+type hexagon_halide_file, vendor_file_type, file_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -283,9 +283,9 @@
 # libGLESv2_adreno depends on this
 /vendor/lib(64)?/libllvm-glnext\.so         u:object_r:same_process_hal_file:s0

-# Loaded by native loader (zygote) for all processes
-/vendor/lib(64)?/libhalide_hexagon_host\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libadsprpc\.so             u:object_r:same_process_hal_file:s0
+# Hexagon DSP host runtime and DSP-side executable needed for Halide operation
+/vendor/lib(64)?/libadsprpc\.so             u:object_r:hexagon_halide_file:s0
+/vendor/lib/dsp/fastrpc_shell_0             u:object_r:hexagon_halide_file:s0

 # data files
 /data/misc/radio(/.*)?                 u:object_r:radio_data_file:s0
--- a/sepolicy/vendor/google_camera_app.te
+++ b/sepolicy/vendor/google_camera_app.te
@@ -0,0 +1,41 @@
+type google_camera_app, domain, coredomain;
+
+app_domain(google_camera_app)
+
+# Access standard system services
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app drmserver_service:service_manager find;
+allow google_camera_app mediacodec_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app nfc_service:service_manager find;
+allow google_camera_app surfaceflinger_service:service_manager find;
+
+allow google_camera_app hidl_token_hwservice:hwservice_manager find;
+
+# Execute libraries from RenderScript cache
+allow google_camera_app app_data_file:file { rx_file_perms };
+
+# Read memory info
+allow google_camera_app proc_meminfo:file r_file_perms;
+
+# gdbserver / stack traces
+allow google_camera_app self:process ptrace;
+
+# Access to Hexagon DSP kernel device
+allow google_camera_app qdsp_device:chr_file { r_file_perms };
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow google_camera_app system_app_data_file:file { read write getattr };
+
+# Allow GoogleCamera access to necessary vendor libraries to execute
+# Halide code
+allow google_camera_app hexagon_halide_file:file { execute read open getattr };
+
+# Access to persist.camera.* system properties
+get_prop(google_camera_app, camera_prop)
--- a/sepolicy/vendor/keys.conf
+++ b/sepolicy/vendor/keys.conf
@@ -8,3 +8,6 @@ ALL : device/google/wahoo/sepolicy/vendor/certs/tango_release.x509.pem
 ENG         : device/google/wahoo/sepolicy/vendor/certs/tango.x509.pem
 USERDEBUG   : device/google/wahoo/sepolicy/vendor/certs/tango.x509.pem
 USER        : device/google/wahoo/sepolicy/vendor/certs/tango_userdev.x509.pem
+
+[@GOOGLE]
+ALL : device/google/wahoo/sepolicy/vendor/certs/app.x509.pem
--- a/sepolicy/vendor/mac_permissions.xml
+++ b/sepolicy/vendor/mac_permissions.xml
@@ -21,6 +21,9 @@
      - The default tag is consulted last if needed.
 -->
    <!-- google apps key -->
+    <signer signature="@GOOGLE" >
+      <seinfo value="google" />
+    </signer>
    <signer signature="@TANGO" >
      <seinfo value="tango" />
    </signer>
--- a/sepolicy/vendor/seapp_contexts
+++ b/sepolicy/vendor/seapp_contexts
@@ -14,3 +14,6 @@ user=_app seinfo=tango name=com.google.tango.* domain=tango_core type=app_data_f
 user=_app seinfo=tango name=com.google.tango:app domain=untrusted_app type=app_data_file levelFrom=user

 user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
+user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
--- a/sepolicy/vendor/tango_core.te
+++ b/sepolicy/vendor/tango_core.te
@@ -11,3 +11,6 @@ allow tango_core vendor_file:file { getattr open read };
 allow tango_core app_api_service:service_manager find;
 allow tango_core surfaceflinger_service:service_manager find;
 allow tango_core cameraserver_service:service_manager find;
+
+# Allow access to necessary vendor libraries to execute Hexagon code
+allow tango_core hexagon_halide_file:file { execute read open getattr };
--- a/sepolicy/vendor/untrusted_app.te
+++ b/sepolicy/vendor/untrusted_app.te
@@ -1,2 +0,0 @@
-# For the camera app
-get_prop(untrusted_app, camera_prop)