Allow tachyon service to make binder calls to GCA

This permission is needed for tachyon service to call callbacks. AVC Error seen when tachyon tries accessing GCA: 12-02 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0 12-03 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0 Bug: 381787911 Flag: EXEMPT updates device sepolicy only Change-Id: I5544fbc11cea0d98dfdeffd9d2871fc037d87c61
2026-01-27 17:24:46 +00:00 · 2024-12-06 03:53:02 +00:00
parent e547b08ebd
commit 1b7a5a0078
2 changed files with 7 additions and 0 deletions
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@@ -1,3 +1,4 @@
+# File containing sepolicies for GCA-Eng & GCA-Next.
 userdebug_or_eng(`
 	# Allows GCA-Eng & GCA-Next access the GXP device and properties.
 	allow debug_camera_app gxp_device:chr_file rw_file_perms;
@@ -9,4 +10,7 @@ userdebug_or_eng(`

 	# Allows  GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
 	allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+	# Allow tachyon_service to communicate with GCA-Eng via binder.
+	binder_call(edgetpu_tachyon_server, debug_camera_app);
 ')
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -8,3 +8,6 @@ allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map }

 # Allows GCA to access the hw_jpeg /dev/video12.
 allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+# Allow tachyon service to communicate with google_camera_app via binder.
+binder_call(edgetpu_tachyon_server, google_camera_app);