From 15de2eba0cd50d8559752055d2d3549fa424554e Mon Sep 17 00:00:00 2001 From: Eino-Ville Talvala <etalvala@google.com> Date: Thu, 22 Dec 2016 12:55:02 -0800 Subject: [PATCH] Camera: Add initial Treble camera HAL sepolicy - Allow cameraservice to talk to hwbinder, hwservicemanager - Allow hal_camera to talk to the same interfaces as cameraservice Test: Compiles, confirmed that cameraservice can call hwservicemanager Bug: 32991422 Change-Id: Ied0a3f5f7149e29c468a13887510c78d555dcb2a --- private/file_contexts | 1 + private/hal_camera_default.te | 5 +++++ public/attributes | 1 + public/cameraserver.te | 4 ++++ public/hal_camera.te | 26 ++++++++++++++++++++++++++ 5 files changed, 37 insertions(+) create mode 100644 private/hal_camera_default.te create mode 100644 public/hal_camera.te
diff --git a/private/file_contexts b/private/file_contexts
index 450101614..7c6ed8d9c 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -236,6 +236,7 @@
 /system/lib(64)?/libart.* u:object_r:libart_file:s0
 /system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_default_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
+/system/bin/hw/android\.hardware\.camera\.provider@2\.4-service u:object_r:hal_camera_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
 /system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
diff --git a/private/hal_camera_default.te b/private/hal_camera_default.te
new file mode 100644
index 000000000..a97989a54
--- /dev/null
+++ b/private/hal_camera_default.te
@@ -0,0 +1,5 @@
+type hal_camera_default, domain;
+hal_impl_domain(hal_camera_default, hal_camera)
+
+type hal_camera_default_exec, exec_type, file_type;
+init_daemon_domain(hal_camera_default)
diff --git a/public/attributes b/public/attributes
index 66cc59403..aec85fb06 100644
--- a/public/attributes
+++ b/public/attributes
@@ -120,6 +120,7 @@ attribute haldomain;
 # HALs
 attribute hal_audio;
 attribute hal_bluetooth;
+attribute hal_camera;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
 attribute hal_gatekeeper;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 51f96d748..41359261e 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -7,6 +7,10 @@ binder_call(cameraserver, binderservicedomain) binder_call(cameraserver, appdomain) binder_service(cameraserver) +hwbinder_use(cameraserver) +binder_call(cameraserver, hal_camera) +binder_call(cameraserver, hwservicemanager) + # access /data/misc/camera allow cameraserver camera_data_file:dir create_dir_perms; allow cameraserver camera_data_file:file create_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
new file mode 100644
index 000000000..e412a4d8b
--- /dev/null
+++ b/public/hal_camera.te
@@ -0,0 +1,26 @@
+hwbinder_use(hal_camera)
+binder_call(hal_camera, cameraserver)
+
+allow hal_camera system_file:dir { open read };
+
+# access /data/misc/camera
+allow hal_camera camera_data_file:dir create_dir_perms;
+allow hal_camera camera_data_file:file create_file_perms;
+
+allow hal_camera video_device:dir r_dir_perms;
+allow hal_camera video_device:chr_file rw_file_perms;
+allow hal_camera camera_device:chr_file rw_file_perms;
+allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera hal_graphics_allocator:fd use;
+
+
+###
+### neverallow rules
+###
+
+# hal_camera should never execute any executable without a
+# domain transition
+neverallow hal_camera { file_type fs_type }:file execute_no_trans;
+
+# hal_camera should never need network access. Disallow network sockets.
+neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
-- GitLab
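Review bot: In public/cameraserver.te, `binder_call(cameraserver, hwservicemanager)` looks like it overlaps with `hwbinder_use(cameraserver)` two lines above it, and public/hal_camera.te in the same patch uses `hwbinder_use(hal_camera)` alone. The macro definitions are not part of this patch, so this needs checking, but if `hwbinder_use` already grants call/transfer on hwservicemanager, the extra line should be dropped or given a comment saying which additional permission it is there for. The three added rules have no comment at all; a line such as `# Talk to the camera HAL over hwbinder` would match the `# access /data/misc/camera` style used right below.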
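Review bot: The `camera_data_file` rules in public/hal_camera.te grant `create_dir_perms` and `create_file_perms` on /data/misc/camera to every domain that carries the `hal_camera` attribute, and nothing in the patch shows the HAL creating or deleting files there. Because the rules sit on a public attribute, any later HAL implementation inherits them, so the grant is worth narrowing before it spreads. If the HAL only reads existing data, `allow hal_camera camera_data_file:dir r_dir_perms;` and `allow hal_camera camera_data_file:file r_file_perms;` would be enough. If it does write, a comment naming what it stores would let a later audit decide. The `system_file:dir { open read }` and `hal_graphics_allocator:fd use` rules also lack a comment stating what needs them.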