No camera for idle uids - selinux

If a UID is idle (being in the background for more than cartain amount of time) it should not be able to use the camera. If the UID becomes idle we generate an eror and close the cameras for this UID. If an app in an idle UID tries to use the camera we immediately generate an error. Since apps already should handle these errors it is safe to apply this policy to all apps to protect user privacy. Test: Pass - cts-tradefed run cts -m CtsCameraTestCases Added - CameraTest#testCameraAccessForIdleUid Change-Id: I9ab3d6ec99764a93638746f18912ed60d299015f

No camera for idle uids - selinux
9139ea1b · Svet Ganov · 1d2c3f44 · 9139ea1b
Commit 9139ea1b authored 7 years ago by Svet Ganov
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -17,6 +17,8 @@ allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_composer:fd use;

 add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
 allow cameraserver batterystats_service:service_manager find;
@@ -47,3 +49,14 @@ neverallow cameraserver { file_type fs_type }:file execute_no_trans;
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+  allow cameraserver su:fd use;
+  allow cameraserver su:fifo_file { read write };
+  allow cameraserver su:unix_stream_socket { read write };
+')