author | Ryan Savitski <rsavitski@google.com> | 2019-05-20 11:51:35 +0100 |
---|---|---|
committer | Ryan Savitski <rsavitski@google.com> | 2019-05-20 13:03:04 +0000 |
commit | 12b641491996f6ef1e50654b79be2b4729bea765 (patch) | |
tree | 4c955d3175226b4cfe3eb6a3f1fa0f5985d7348c /sepolicy | |
parent | 5f92082d07796d39b937a5817f8d7b9fab84d36f (diff) | |
download | wahoo-12b641491996f6ef1e50654b79be2b4729bea765.tar.gz |
Allow camera to notify traced of a notable event (walleye/taimen)

Most apps already have the permission to act as full producers
(isolated_app, ephemeral_app, priv_app, untrusted_app_all), but
the camera doesn't inherit that as it runs in its own domain.

Granting only the socket (i.e. ipc) permission, as:
* only that is needed at the moment.
* granting the shmem/fd permissions would require a broader change, as traced_tmpfs is declared in private/.

Specific denial:
05-20 13:56:20.303 7751 7751 W trigger_perfett: type=1400 audit(0.0:19): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=7061 scontext=u:r:google_camera_app:s0:c181,c256,c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0 app=com.google.android.GoogleCamera

Bug: 130543265
Tested: extrapolating from the same fix on crosshatch, tested manually on blueline-userdebug.
Change-Id: I53dc08a28d167f566b759d8f91d00a4828f4847f
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/vendor/google_camera_app.te | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sepolicy/vendor/google_camera_app.te b/sepolicy/vendor/google_camera_app.te index eeacf373..15146ba0 100644 --- a/sepolicy/vendor/google_camera_app.te +++ b/sepolicy/vendor/google_camera_app.te @@ -43,4 +43,7 @@ allow google_camera_app system_app_data_file:file { read write getattr }; typeattribute google_camera_app system_executes_vendor_violators; allow google_camera_app hexagon_halide_file:file { execute read open getattr }; +# Allow notifying Perfetto traced daemon that a notable event has occurred. +unix_socket_connect(google_camera_app, traced_producer, traced) + dontaudit google_camera_app easel_device:chr_file r_file_perms; |
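Review bot: the comment added above unix_socket_connect(google_camera_app, traced_producer, traced) does not record that this is deliberately a socket-only grant. The commit message explains that the shmem/fd permissions tied to traced_tmpfs are intentionally left out, but that reasoning is absent from the policy file, so a later reader may assume google_camera_app is a full producer like the app domains listed in the message, or may widen the rule without noticing the constraint. Suggest extending the comment to say that only the producer socket is allowed and that traced_tmpfs access is not granted, with a reference to Bug 130543265. Separately, the Tested: line reports manual testing on blueline-userdebug and extrapolation from crosshatch, so it would be worth confirming on walleye or taimen that the quoted avc denial for traced_producer_socket no longer appears and that no follow-on denial shows up for google_camera_app.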