From 9139ea1b2ab0b013bbe4f518808f46137c1add80 Mon Sep 17 00:00:00 2001
From: Svet Ganov <svetoslavganov@google.com>
Date: Mon, 15 Jan 2018 16:11:42 -0800
Subject: [PATCH] No camera for idle uids - selinux

If a UID is idle (being in the background for more than
a certain amount of time) it should not be able to use the
camera. If the UID becomes idle we generate an error and
close the cameras for this UID. If an app in an idle UID
tries to use the camera we immediately generate an error.
Since apps already should handle these errors it is safe
to apply this policy to all apps to protect user privacy.

Test: Pass - cts-tradefed run cts -m CtsCameraTestCases
      Added - CameraTest#testCameraAccessForIdleUid

Change-Id: I9ab3d6ec99764a93638746f18912ed60d299015f
---
 public/cameraserver.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/public/cameraserver.te b/public/cameraserver.te
index 0dd4a80ce..ebf099294 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -17,6 +17,8 @@ allow cameraserver ion_device:chr_file rw_file_perms;
 allow cameraserver hal_graphics_composer:fd use;
 
 add_service(cameraserver, cameraserver_service)
+
+allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
 allow cameraserver batterystats_service:service_manager find;
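Review bot: The new `allow cameraserver activity_service:service_manager find;` rule has no comment saying why cameraserver needs to look up ActivityManager. Going by the commit message it is presumably there so cameraserver can track per-UID idle state, but the policy file itself should say so. A line such as `# Look up ActivityManager to track UID idle state for camera access` above the rule would record the reason for whoever next audits this domain's service access.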
@@ -47,3 +49,14 @@ neverallow cameraserver { file_type fs_type }:file execute_no_trans;
 # Lengthier explanation here:
 # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
 neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
+
+# Allow shell commands from ADB for CTS testing/dumping
+allow cameraserver adbd:fd use;
+allow cameraserver adbd:unix_stream_socket { read write };
+
+# Allow shell commands from ADB for CTS testing/dumping
+userdebug_or_eng(`
+  allow cameraserver su:fd use;
+  allow cameraserver su:fifo_file { read write };
+  allow cameraserver su:unix_stream_socket { read write };
+')
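Review bot: The two `adbd` rules at the top of the added block sit outside `userdebug_or_eng`, so they apply on user builds too, yet they carry the same comment as the `su` block below and nothing explains why they must be unconditional. If the reason is that CTS runs on user builds, which is inferred and not shown in the patch, say so, e.g. `# Needed on user builds as well: CTS drives cameraserver shell commands over adb`. If that is not the reason, move both rules inside the `userdebug_or_eng` block. The grants are limited to `fd use` and `{ read write }` on sockets that are already open, and should stay that narrow, since the `neverallow` lines just above show this domain is deliberately locked down.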
-- 
GitLab