author: Ryan Savitski <rsavitski@google.com> 2019-05-20 11:51:35 +0100
committer: Ryan Savitski <rsavitski@google.com> 2019-05-20 13:03:04 +0000
commit: 12b641491996f6ef1e50654b79be2b4729bea765
tree: 4c955d3175226b4cfe3eb6a3f1fa0f5985d7348c /sepolicy
parent: 5f92082d07796d39b937a5817f8d7b9fab84d36f

Allow camera to notify traced of a notable event (walleye/taimen)

Most apps already have the permission to act as full producers (isolated_app, ephemeral_app, priv_app, untrusted_app_all), but the camera doesn't inherit that as it runs in its own domain.

Granting only the socket (i.e. ipc) permission, as:
* only that is needed at the moment.
* granting the shmem/fd permissions would require a broader change, as traced_tmpfs is declared in private/.

Specific denial:
05-20 13:56:20.303 7751 7751 W trigger_perfett: type=1400 audit(0.0:19): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=7061 scontext=u:r:google_camera_app:s0:c181,c256,c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0 app=com.google.android.GoogleCamera

Bug: 130543265
Tested: extrapolating from the same fix on crosshatch, tested manually on blueline-userdebug.
Change-Id: I53dc08a28d167f566b759d8f91d00a4828f4847f

Diffstat (limited to 'sepolicy')
-rw-r--r-- sepolicy/vendor/google_camera_app.te 3
1 files changed, 3 insertions, 0 deletions
diff --git a/sepolicy/vendor/google_camera_app.te b/sepolicy/vendor/google_camera_app.te
index eeacf373..15146ba0 100644
--- a/sepolicy/vendor/google_camera_app.te
+++ b/sepolicy/vendor/google_camera_app.te
@@ -43,4 +43,7 @@ allow google_camera_app system_app_data_file:file { read write getattr };
typeattribute google_camera_app system_executes_vendor_violators;
allow google_camera_app hexagon_halide_file:file { execute read open getattr };
+# Allow notifying Perfetto traced daemon that a notable event has occurred.
+unix_socket_connect(google_camera_app, traced_producer, traced)
+
dontaudit google_camera_app easel_device:chr_file r_file_perms;
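
Review bot: The comment above the new unix_socket_connect(google_camera_app, traced_producer, traced) line does not record that this grant is deliberately narrower than the full producer permission other app domains have. Per the commit message, only the socket (IPC) permission is granted and the shmem/fd permissions are left out because traced_tmpfs is declared in private/; saying so in the comment, with a reference to bug 130543265, would keep a later reader from assuming the camera can act as a full producer or from widening the rule without that context. The message also states the change was tested on blueline-userdebug by extrapolation from crosshatch, so it would be worth confirming on walleye/taimen that the quoted { write } denial on traced_producer_socket is gone and that no follow-up denial appears.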