Allow binder services to r/w su:tcp_socket
Test: binderHostDeviceTest
Bug: 182914638
Change-Id: I128abb8f3c91c29b6222f9b72088503111fd91f8
diff --git a/microdroid/sepolicy/system/public/cameraserver.te b/microdroid/sepolicy/system/public/cameraserver.te
index 7a29240..d7451df 100644
--- a/microdroid/sepolicy/system/public/cameraserver.te
+++ b/microdroid/sepolicy/system/public/cameraserver.te
@@ -53,7 +53,8 @@
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
-neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow cameraserver domain:{ udp_socket rawip_socket } *;
+neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;
# Allow shell commands from ADB for CTS testing/dumping
allow cameraserver adbd:fd use;
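Review bot: The `-su` exemption on the added tcp_socket neverallow lifts the ban for every permission (`*`), while the commit title only asks for read/write, and the comment block above still says cameraserver is isolated from the network without mentioning the exception. On userdebug/eng builds nothing in this file would then stop a later allow rule from granting cameraserver `create`, `connect` or `listen` on su's sockets. Consider keeping a userdebug_or_eng-only neverallow on su:tcp_socket with a complement set such as `~{ read write }`, extended only by whatever binderHostDeviceTest actually needs. Also add a comment above the new rule, for example `# userdebug/eng only: su is exempt so binder services can r/w a tcp_socket passed in from su (b/182914638); no other tcp_socket use is expected.` The comment block this rule sits under starts outside the hunk, so its full wording should be checked against the new exception.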