commit ad059403ad9ebf4bbdc4b276820ba263b5516d6d
author Mohi Montazer <mohimontazer@google.com> Fri Dec 09 10:23:37 2022 -0800
committer Mohi Montazer <mohimontazer@google.com> Tue Dec 13 09:52:04 2022 -0800
tree 48aa7a2ded277b8aeb1bd9b4c2cd8db526558f89
parent 71708e3a1dbb99d02432832041214186a90fe037

SEPolicy updates for camera HAL

Updates SEPolicy files to give camera HAL permission to access
Android Core Experiment flags.

Example denials:
11-30 13:08:33.172  1027  1027 W binder:1027_3: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.172  1027  1027 W binder:1027_3: type=1400 audit(0.0:8): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0
11-30 13:08:33.244  1027  1027 W 3AThreadPool:  type=1400 audit(0.0:9): avc: denied { read } for name="u:object_r:default_prop:s0" dev="tmpfs" ino=152 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:default_prop:s0 tclass=file permissive=0

Bug: 259433722
Test: m
Change-Id: I11165b56d7b7e38130698cf86d9739f878580a14

private/compat/33.0/33.0.ignore.cil

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 786dc14..604be69 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -9,6 +9,7 @@
     apex_ready_prop
     artd
     credential_service
+    device_config_camera_native_prop
     device_config_memory_safety_native_prop
     device_config_vendor_system_native_prop
     devicelock_service

private/flags_health_check.te

diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index a26726d..0cc450d 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -28,6 +28,7 @@
 set_prop(flags_health_check, device_config_virtualization_framework_native_prop)
 set_prop(flags_health_check, device_config_memory_safety_native_prop)
 set_prop(flags_health_check, device_config_remote_key_provisioning_native_prop)
+set_prop(flags_health_check, device_config_camera_native_prop)
 
 # system property device_config_boot_count_prop is used for deciding when to perform server
 # configurable flags related disaster recovery. Mistakenly set up by unrelated components can, at a

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index a6a6ce4..1f140d2 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -247,6 +247,7 @@
 device_config.reset_performed                       u:object_r:device_config_reset_performed_prop:s0
 persist.device_config.activity_manager_native_boot. u:object_r:device_config_activity_manager_native_boot_prop:s0
 persist.device_config.attempted_boot_count          u:object_r:device_config_boot_count_prop:s0
+persist.device_config.camera_native.                u:object_r:device_config_camera_native_prop:s0
 persist.device_config.configuration.                u:object_r:device_config_configuration_prop:s0
 persist.device_config.connectivity.                 u:object_r:device_config_connectivity_prop:s0
 persist.device_config.input_native_boot.            u:object_r:device_config_input_native_boot_prop:s0

private/system_server.te

diff --git a/private/system_server.te b/private/system_server.te
index a967dcf..54ad242 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -744,6 +744,7 @@
 set_prop(system_server, device_config_runtime_native_prop)
 set_prop(system_server, device_config_lmkd_native_prop)
 set_prop(system_server, device_config_media_native_prop)
+set_prop(system_server, device_config_camera_native_prop)
 set_prop(system_server, device_config_mglru_native_prop)
 set_prop(system_server, device_config_profcollect_native_boot_prop)
 set_prop(system_server, device_config_statsd_native_prop)

public/property.te

diff --git a/public/property.te b/public/property.te
index 00ae1bb..c0a3a6e 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@
 system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
+system_restricted_prop(device_config_camera_native_prop)
 system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)

vendor/hal_camera_default.te

diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index b0912d4..f0098a8 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -6,6 +6,8 @@
 
 allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
 
+get_prop(hal_camera_default, device_config_camera_native_prop);
+
 # For collecting bugreports.
 allow hal_camera_default dumpstate:fd use;
 allow hal_camera_default dumpstate:fifo_file write;