Move camera's coredomain sepolicy to product
Because these apps are installed to the product partition, it is a Treble
violation to declare and label their domains from vendor sepolicy.
Bug: 296512192
Test: lunch panther and build
Change-Id: I2d2c2a8027eed2b3e2ee1a78d629d44b99867128
diff --git a/camera/dump.mk b/camera/dump.mk
index a3a5c7a..8569610 100644
--- a/camera/dump.mk
+++ b/camera/dump.mk
@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private
PRODUCT_PACKAGES_DEBUG += dump_camera
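Review bot: The new PRODUCT_PUBLIC_SEPOLICY_DIRS line on the third line of the hunk is load-bearing and nothing says why: the two app types must be product *public* because the files left under camera/sepolicy/vendor/ still reference vendor_pbcs_app and vendor_pcs_app, and moving them to product/private would break the vendor build. A one-line comment would keep the next maintainer from "tightening" it, e.g. `# public: vendor_pbcs_app/vendor_pcs_app stay visible to the rules in sepolicy/vendor/`. Separately, these dirs are now added from dump.mk, whose only other content is the debug-only dump_camera package; if the sepolicy is needed regardless of the dump tooling, a more neutral file name or a comment noting the coupling would help.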
diff --git a/camera/sepolicy/seapp_contexts b/camera/sepolicy/product/private/seapp_contexts
similarity index 100%
rename from camera/sepolicy/seapp_contexts
rename to camera/sepolicy/product/private/seapp_contexts
diff --git a/camera/sepolicy/product/private/vendor_pbcs_app.te b/camera/sepolicy/product/private/vendor_pbcs_app.te
new file mode 100644
index 0000000..d77162e
--- /dev/null
+++ b/camera/sepolicy/product/private/vendor_pbcs_app.te
@@ -0,0 +1,9 @@
+typeattribute vendor_pbcs_app coredomain;
+
+app_domain(vendor_pbcs_app);
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+# Allow PBCS to find Camera Service.
+allow vendor_pbcs_app cameraserver_service:service_manager find;
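Review bot: The `dontaudit vendor_pbcs_app system_app_data_file:dir *;` on the fifth line of the hunk silences every directory permission, including write/add_name/remove_name, so a later regression in which PBCS actually tries to create or modify files under system app data would produce no audit trail at all. If the intent is only to quiet probing, narrow it to the operations observed and say so, e.g. `# PBCS probes system app data dirs on startup; suppress the harmless denials only.` followed by `dontaudit vendor_pbcs_app system_app_data_file:dir { search getattr };` — which permissions were actually seen is not visible here, so confirm against the denial logs before narrowing. The two `find` grants above it would also benefit from the same kind of one-line justification that the cameraserver_service line already carries.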
diff --git a/camera/sepolicy/product/private/vendor_pcs_app.te b/camera/sepolicy/product/private/vendor_pcs_app.te
new file mode 100644
index 0000000..6bf0451
--- /dev/null
+++ b/camera/sepolicy/product/private/vendor_pcs_app.te
@@ -0,0 +1,12 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app);
+
+allow vendor_pcs_app {
+ app_api_service
+ audioserver_service
+ cameraserver_service
+ mediametrics_service
+ mediaserver_service
+ radio_service
+}:service_manager find;
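Review bot: The `find` grant list in the new file names services a camera companion process would not obviously need — radio_service, audioserver_service, mediaserver_service and mediametrics_service — with no comment, while the sibling vendor_pbcs_app.te justifies each of its service lookups. Since these are exactly the lines a future reviewer will want to prune, each should carry a why, e.g. `# radio_service: <reason>` above the brace list, or the unjustified ones should be removed if the denial logs no longer show them. The `app_api_service` entry is the usual baseline for app_domain types and needs no note.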
diff --git a/camera/sepolicy/product/public/vendor_pbcs_app.te b/camera/sepolicy/product/public/vendor_pbcs_app.te
new file mode 100644
index 0000000..7180719
--- /dev/null
+++ b/camera/sepolicy/product/public/vendor_pbcs_app.te
@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;
diff --git a/camera/sepolicy/product/public/vendor_pcs_app.te b/camera/sepolicy/product/public/vendor_pcs_app.te
new file mode 100644
index 0000000..fb8b0a1
--- /dev/null
+++ b/camera/sepolicy/product/public/vendor_pcs_app.te
@@ -0,0 +1 @@
+type vendor_pcs_app, domain;
diff --git a/camera/sepolicy/dump_camera.te b/camera/sepolicy/vendor/dump_camera.te
similarity index 100%
rename from camera/sepolicy/dump_camera.te
rename to camera/sepolicy/vendor/dump_camera.te
diff --git a/camera/sepolicy/file.te b/camera/sepolicy/vendor/file.te
similarity index 100%
rename from camera/sepolicy/file.te
rename to camera/sepolicy/vendor/file.te
diff --git a/camera/sepolicy/file_contexts b/camera/sepolicy/vendor/file_contexts
similarity index 100%
rename from camera/sepolicy/file_contexts
rename to camera/sepolicy/vendor/file_contexts
diff --git a/camera/sepolicy/hal_camera_default.te b/camera/sepolicy/vendor/hal_camera_default.te
similarity index 100%
rename from camera/sepolicy/hal_camera_default.te
rename to camera/sepolicy/vendor/hal_camera_default.te
diff --git a/camera/sepolicy/init.camera.set-interrupts-ownership.te b/camera/sepolicy/vendor/init.camera.set-interrupts-ownership.te
similarity index 100%
rename from camera/sepolicy/init.camera.set-interrupts-ownership.te
rename to camera/sepolicy/vendor/init.camera.set-interrupts-ownership.te
diff --git a/camera/sepolicy/property.te b/camera/sepolicy/vendor/property.te
similarity index 100%
rename from camera/sepolicy/property.te
rename to camera/sepolicy/vendor/property.te
diff --git a/camera/sepolicy/property_contexts b/camera/sepolicy/vendor/property_contexts
similarity index 100%
rename from camera/sepolicy/property_contexts
rename to camera/sepolicy/vendor/property_contexts
diff --git a/camera/sepolicy/service.te b/camera/sepolicy/vendor/service.te
similarity index 100%
rename from camera/sepolicy/service.te
rename to camera/sepolicy/vendor/service.te
diff --git a/camera/sepolicy/service_contexts b/camera/sepolicy/vendor/service_contexts
similarity index 100%
rename from camera/sepolicy/service_contexts
rename to camera/sepolicy/vendor/service_contexts
diff --git a/camera/sepolicy/vendor/vendor_pbcs_app.te b/camera/sepolicy/vendor/vendor_pbcs_app.te
new file mode 100644
index 0000000..7b9c5e2
--- /dev/null
+++ b/camera/sepolicy/vendor/vendor_pbcs_app.te
@@ -0,0 +1,12 @@
+# Allow PBCS to add the ServiceBinder service to ServiceManager.
+add_service(vendor_pbcs_app, vendor_camera_binder_service);
+# Allow PBCS to add the LyricConfigProvider service to ServiceManager.
+add_service(vendor_pbcs_app, vendor_camera_lyricconfigprovider_service);
+# Allow PBCS to add the CameraIdRemapper service to ServiceManager.
+add_service(vendor_pbcs_app, vendor_camera_cameraidremapper_service);
+
+# Allow PBCS to read debug system properties of the form vendor.camera.pbcs.debug.*
+# and persist.vendor.camera.pbcs.debug.*
+get_prop(vendor_pbcs_app, vendor_camera_pbcs_debug_prop);
+
+binder_call(vendor_pbcs_app, hal_camera_default);
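Review bot: This vendor file now contains only rules for a type that is declared elsewhere (camera/sepolicy/product/public/vendor_pbcs_app.te), and nothing in the file says so; a reader grepping for the `type` line will not find it here. Add a header such as `# vendor_pbcs_app is declared in camera/sepolicy/product/public; this file holds only the rules that touch vendor types (services, properties, the camera HAL).` The split itself looks right: every rule here references a vendor_* type or hal_camera_default, which is what must stay on the vendor side.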
diff --git a/camera/sepolicy/vendor/vendor_pcs_app.te b/camera/sepolicy/vendor/vendor_pcs_app.te
new file mode 100644
index 0000000..99a9bea
--- /dev/null
+++ b/camera/sepolicy/vendor/vendor_pcs_app.te
@@ -0,0 +1,10 @@
+# Allow PCS to find the LyricConfigProvider service through ServiceManager.
+allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
+# Allow PCS to find the CameraIdRemapper service through ServiceManager.
+allow vendor_pcs_app vendor_camera_cameraidremapper_service:service_manager find;
+
+allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
+
+binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);
+
+binder_call(vendor_pcs_app, hal_camera_default);
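Review bot: The sixth line of the hunk registers hal_pixel_remote_camera_service with a bare `allow ... :service_manager add;`, whereas the pbcs file uses `add_service()`, which also emits the neverallow that stops any other domain from registering the same service name. If PCS is the only legitimate registrant, `add_service(vendor_pcs_app, hal_pixel_remote_camera_service);` is the stronger and more consistent form; if something else also adds it, a comment saying so would explain the deviation. Also, the `service_manager add` rule implies hal_pixel_remote_camera_service is a service label rather than a process domain, in which case the `binder_call(vendor_pcs_app, hal_pixel_remote_camera_service)` on the second-to-last line grants nothing useful and the actual peer domain should be named instead — confirm against the type's declaration, which is not visible here. As in the pbcs file, a header noting that the type is declared under product/public would help.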
diff --git a/camera/sepolicy/vendor_pbcs_app.te b/camera/sepolicy/vendor_pbcs_app.te
deleted file mode 100644
index 880ff5d..0000000
--- a/camera/sepolicy/vendor_pbcs_app.te
+++ /dev/null
@@ -1,25 +0,0 @@
-type vendor_pbcs_app, domain, coredomain;
-
-# TODO(b/296512192): move vendor_pbcs_app out of vendor sepolicy
-typeattribute vendor_pbcs_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(vendor_pbcs_app);
-
-dontaudit vendor_pbcs_app system_app_data_file:dir *;
-
-allow vendor_pbcs_app app_api_service:service_manager find;
-# Allow PBCS to find Camera Service.
-allow vendor_pbcs_app cameraserver_service:service_manager find;
-
-# Allow PBCS to add the ServiceBinder service to ServiceManager.
-add_service(vendor_pbcs_app, vendor_camera_binder_service);
-# Allow PBCS to add the LyricConfigProvider service to ServiceManager.
-add_service(vendor_pbcs_app, vendor_camera_lyricconfigprovider_service);
-# Allow PBCS to add the CameraIdRemapper service to ServiceManager.
-add_service(vendor_pbcs_app, vendor_camera_cameraidremapper_service);
-
-binder_call(vendor_pbcs_app, hal_camera_default);
-
-# Allow PBCS to read debug system properties of the form vendor.camera.pbcs.debug.*
-# and persist.vendor.camera.pbcs.debug.*
-get_prop(vendor_pbcs_app, vendor_camera_pbcs_debug_prop);
diff --git a/camera/sepolicy/vendor_pcs_app.te b/camera/sepolicy/vendor_pcs_app.te
deleted file mode 100644
index a736be5..0000000
--- a/camera/sepolicy/vendor_pcs_app.te
+++ /dev/null
@@ -1,26 +0,0 @@
-type vendor_pcs_app, domain, coredomain;
-
-# TODO(b/296512192): move vendor_pcs_app out of vendor sepolicy
-typeattribute vendor_pcs_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(vendor_pcs_app);
-
-allow vendor_pcs_app {
- app_api_service
- audioserver_service
- cameraserver_service
- mediametrics_service
- mediaserver_service
- radio_service
-}:service_manager find;
-
-# Allow PCS to find the LyricConfigProvider service through ServiceManager.
-allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
-# Allow PCS to find the CameraIdRemapper service through ServiceManager.
-allow vendor_pcs_app vendor_camera_cameraidremapper_service:service_manager find;
-
-allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
-
-binder_call(vendor_pcs_app, hal_camera_default);
-
-binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);