Give EdgeTpu access to vendor_pcs_app
- In addition, add some more allowances
to more closely approximate a priv_app.
Especially, accessing the cache, media
storage and preloads.
Bug: 325326355
Test: I've tested that existing PCS doesn't break.
Change-Id: I045dd3e6d7587ba1bb405e57204d3cc7c9dc5f69
diff --git a/camera/sepolicy/product/private/vendor_pcs_app.te b/camera/sepolicy/product/private/vendor_pcs_app.te
index 6bf0451..55eeee7 100644
--- a/camera/sepolicy/product/private/vendor_pcs_app.te
+++ b/camera/sepolicy/product/private/vendor_pcs_app.te
@@ -1,12 +1,32 @@
typeattribute vendor_pcs_app coredomain;
app_domain(vendor_pcs_app);
+net_domain(vendor_pcs_app);
+bluetooth_domain(vendor_pcs_app);
allow vendor_pcs_app {
app_api_service
audioserver_service
cameraserver_service
+ drmserver_service
mediametrics_service
mediaserver_service
+ nfc_service
radio_service
}:service_manager find;
+
+# Following allowances were replicated from priv_app
+# Write to /cache.
+allow vendor_pcs_app { cache_file cache_recovery_file }:dir create_dir_perms;
+allow vendor_pcs_app { cache_file cache_recovery_file }:file create_file_perms;
+# /cache is a symlink to /data/cache on some devices. Allow reading the link.
+allow vendor_pcs_app cache_file:lnk_file r_file_perms;
+
+# Access to /data/media.
+allow vendor_pcs_app media_rw_data_file:dir create_dir_perms;
+allow vendor_pcs_app media_rw_data_file:file create_file_perms;
+
+# Access to /data/preloads
+r_dir_file(vendor_pcs_app, preloads_data_file)
+r_dir_file(vendor_pcs_app, preloads_media_file)
+
diff --git a/camera/sepolicy/vendor/vendor_pcs_app.te b/camera/sepolicy/vendor/vendor_pcs_app.te
index e269a2f..b4d71b5 100644
--- a/camera/sepolicy/vendor/vendor_pcs_app.te
+++ b/camera/sepolicy/vendor/vendor_pcs_app.te
@@ -1,14 +1,17 @@
-# Allow PCS to find the LyricConfigProvider service through ServiceManager.
-allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
-# Allow PCS to find the CameraIdRemapper service through ServiceManager.
-allow vendor_pcs_app vendor_camera_cameraidremapper_service:service_manager find;
+allow vendor_pcs_app {
+ vendor_camera_lyricconfigprovider_service
+ vendor_camera_cameraidremapper_service
+ edgetpu_app_service
+}:service_manager find;
allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);
-
binder_call(vendor_pcs_app, hal_camera_default);
+# Allow interacting with EdgeTpu.
+allow vendor_pcs_app edgetpu_device:chr_file { getattr read write ioctl map };
+
# Allow PCS to open socket connections for HTTP streaming support.
allow vendor_pcs_app vendor_pcs_app:unpriv_socket_class_set create_socket_perms_no_ioctl;
allow vendor_pcs_app fwmarkd_socket:sock_file write;