Enable isolated_like app to request camera service binder
Processes that share isolated AIDs are allowed to use system services.
Existing isolated app should not be affected by this change as SEPolicy
blocks the use of camera service.
Bug: 265540209
Test: atest CtsCameraTestCases
Test: manual - avc denial for isolated_app when accessing CameraManager, and processes not isolated_app but with an isolated AID gets the binder.
Change-Id: If29dc43528c22bf20b21a933dff52179b7b9031b
diff --git a/services/camera/libcameraservice/CameraService.cpp b/services/camera/libcameraservice/CameraService.cpp
index 8221a83..5eb068f 100644
--- a/services/camera/libcameraservice/CameraService.cpp
+++ b/services/camera/libcameraservice/CameraService.cpp
@@ -170,6 +170,11 @@
return (CameraThreadState::getCallingUid() < AID_APP_START);
}
+// Enable processes with isolated AID to request the binder
+void CameraService::instantiate() {
+ CameraService::publish(true);
+}
+
void CameraService::onServiceRegistration(const String16& name, const sp<IBinder>&) {
if (name != String16(kAppopsServiceName)) {
return;
diff --git a/services/camera/libcameraservice/CameraService.h b/services/camera/libcameraservice/CameraService.h
index fb0ece5..59c5534 100644
--- a/services/camera/libcameraservice/CameraService.h
+++ b/services/camera/libcameraservice/CameraService.h
@@ -99,6 +99,9 @@
// Event log ID
static const int SN_EVENT_LOG_ID = 0x534e4554;
+ // Register camera service
+ static void instantiate();
+
// Implementation of BinderService<T>
static char const* getServiceName() { return "media.camera"; }