author | Nick Kralevich <nnk@google.com> | 2013-11-12 17:36:51 +0000 |
---|---|---|
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2013-11-12 17:36:52 +0000 |
commit | 3d4bad010aaf96b5a052dace966424e0f10146ff (patch) | |
tree | 53e6d1b49a2f613f3e4a0b5adbdef23865a9aa8b /sepolicy | |
parent | 97a630532787ea3972c88c817fd87cbfbb9dbb91 (diff) | |
parent | 2a15fb1a023b306f08bfd0552069934d25a6f05d (diff) | |
download | mako-3d4bad010aaf96b5a052dace966424e0f10146ff.tar.gz |
Merge "Improve camera selinux policy."
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/camera.te | 21 | ||||
-rw-r--r-- | sepolicy/file.te | 1 | ||||
-rw-r--r-- | sepolicy/file_contexts | 1 | ||||
-rw-r--r-- | sepolicy/mediaserver.te | 2 |
4 files changed, 24 insertions, 1 deletions
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index dce8d3f..e1caf05 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -5,4 +5,23 @@ type camera_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(camera)
-unconfined_domain(camera)
+permissive camera;
+
+# Interact with other media devices
+allow camera camera_device:dir search;
+allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
+
+# Create front and back camera sockets (/data/cam_socket[01])
+type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
+type_transition camera system_data_file:sock_file camera_socket "cam_socket1";
+allow camera camera_socket:sock_file { create unlink };
+allow camera system_data_file:dir w_dir_perms;
+allow camera system_data_file:sock_file unlink;
+
+type_transition camera system_data_file:file camera_calibration_file "fdAlbum";
+allow camera camera_calibration_file:file create_file_perms;
+
+# Connect to sensor socket (/data/app/sensor_ctl_socket)
+unix_socket_connect(camera, sensors, sensors)
+allow camera sensors_socket:sock_file read;
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 30fd2ba..0a0169b 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,6 +1,7 @@
 # Qualcomm MSM Interface (QMI) socket
 type qmuxd_socket, file_type;
 type sensors_socket, file_type;
+type camera_socket, file_type;
 type sensors_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index aa8f832..91baf5b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -85,6 +85,7 @@
 /data/qcks(/.*)? u:object_r:kickstart_data_file:s0
 /data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
 /data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/fdAlbum u:object_r:camera_calibration_file:s0
 /system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
 /system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
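Review bot: In sepolicy/camera.te, `allow camera system_data_file:dir w_dir_perms;` and `allow camera system_data_file:sock_file unlink;` are broader than the comment above them suggests: the named type_transitions only label cam_socket0, cam_socket1 and fdAlbum, while these two rules let the domain add and remove entries in any directory labelled system_data_file and unlink any socket carrying that label. Because the domain is also declared `permissive camera;`, none of the new allow rules is enforced yet and denials are only logged. I would record both in the file, e.g. `# TODO: drop permissive once logged denials are resolved` above the permissive line and `# TODO: move cam_socket[01] and fdAlbum into a camera-owned, separately labelled directory so system_data_file write access can be removed` above the dir rule.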
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 7091ab5..a0ec3e4 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,6 +4,8 @@ allow mediaserver msm_acdb_device:chr_file rw_file_perms;
 # Grant access to Qualcomm MSM Interface (QMI) audio sockets to mediaserver
 qmux_socket(mediaserver)
+unix_socket_send(mediaserver, camera, camera)
+
 # Permit mediaserver to create sockets
 allow mediaserver self:socket create; |
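Review bot: The added `unix_socket_send(mediaserver, camera, camera)` is the only rule in this hunk without a comment, while the rules around it each say what they permit. A line such as `# Send to the camera daemon sockets (camera_socket, /data/cam_socket[01])` above it would tie the grant to the sockets that camera.te creates in the same commit. The file continues outside the hunk, so other mediaserver rules are not visible here.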