authorNick Kralevich <nnk@google.com>2013-11-12 17:36:51 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>2013-11-12 17:36:52 +0000
commit3d4bad010aaf96b5a052dace966424e0f10146ff (patch)
tree53e6d1b49a2f613f3e4a0b5adbdef23865a9aa8b /sepolicy
parent97a630532787ea3972c88c817fd87cbfbb9dbb91 (diff)
parent2a15fb1a023b306f08bfd0552069934d25a6f05d (diff)
downloadmako-3d4bad010aaf96b5a052dace966424e0f10146ff.tar.gz
Merge "Improve camera selinux policy."
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/camera.te21
-rw-r--r--sepolicy/file.te1
-rw-r--r--sepolicy/file_contexts1
-rw-r--r--sepolicy/mediaserver.te2
4 files changed, 24 insertions, 1 deletions
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index dce8d3f..e1caf05 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -5,4 +5,23 @@ type camera_exec, exec_type, file_type;
# Started by init
init_daemon_domain(camera)
-unconfined_domain(camera)
+permissive camera;
+
+# Interact with other media devices
+allow camera camera_device:dir search;
+allow camera { video_device camera_device }:chr_file rw_file_perms;
+allow camera { surfaceflinger mediaserver }:fd use;
+
+# Create front and back camera sockets (/data/cam_socket[01])
+type_transition camera system_data_file:sock_file camera_socket "cam_socket0";
+type_transition camera system_data_file:sock_file camera_socket "cam_socket1";
+allow camera camera_socket:sock_file { create unlink };
+allow camera system_data_file:dir w_dir_perms;
+allow camera system_data_file:sock_file unlink;
+
+type_transition camera system_data_file:file camera_calibration_file "fdAlbum";
+allow camera camera_calibration_file:file create_file_perms;
+
+# Connect to sensor socket (/data/app/sensor_ctl_socket)
+unix_socket_connect(camera, sensors, sensors)
+allow camera sensors_socket:sock_file read;
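Review bot: `allow camera system_data_file:dir w_dir_perms;` together with `allow camera system_data_file:sock_file unlink;` is broader than the two sockets need. Once the domain is enforcing, camera can add and remove names in every directory labelled system_data_file and unlink any socket carrying that label, not only /data/cam_socket[01]. The named type_transition rules already give the new sockets their own type, so moving them into a dedicated, separately labelled directory would let both rules be narrowed; until then a comment such as `# TODO: move cam_socket[01] out of /data so the system_data_file rules can be dropped` would record the intent. Because of `permissive camera;` none of these rules is enforced yet, so that line deserves a comment too, e.g. `# TODO: remove once logged denials have been audited`. The `fdAlbum` transition is the only group without a heading; `# Calibration data (/data/fdAlbum)` would match the other groups.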
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 30fd2ba..0a0169b 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,6 +1,7 @@
# Qualcomm MSM Interface (QMI) socket
type qmuxd_socket, file_type;
type sensors_socket, file_type;
+type camera_socket, file_type;
type sensors_data_file, file_type, data_file_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index aa8f832..91baf5b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -85,6 +85,7 @@
/data/qcks(/.*)? u:object_r:kickstart_data_file:s0
/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
/data/system/sensors(/.*)? u:object_r:sensors_data_file:s0
+/data/fdAlbum u:object_r:camera_calibration_file:s0
/system/bin/hci_qcomm_init u:object_r:hci_attach_exec:s0
/system/bin/bdAddrLoader u:object_r:bluetooth_loader_exec:s0
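Review bot: The new `/data/fdAlbum` entry only takes effect when the file is relabelled, so a /data/fdAlbum that already exists on a device will presumably keep its old label until something runs restorecon on it. camera.te in this commit grants file access only on camera_calibration_file, so that case would be denied once camera leaves permissive mode; nothing in the visible hunks performs the relabel, which is worth confirming. There is also no entry for the sockets, so the camera_socket label depends entirely on the named type_transition in camera.te; a line such as `/data/cam_socket[01] u:object_r:camera_socket:s0` would keep the label stable across a restorecon.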
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
index 7091ab5..a0ec3e4 100644
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@@ -4,6 +4,8 @@ allow mediaserver msm_acdb_device:chr_file rw_file_perms;
# Grant access to Qualcomm MSM Interface (QMI) audio sockets to mediaserver
qmux_socket(mediaserver)
+unix_socket_send(mediaserver, camera, camera)
+
# Permit mediaserver to create sockets
allow mediaserver self:socket create;
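Review bot: `unix_socket_send(mediaserver, camera, camera)` sits directly under the QMI comment and reads as if it were part of that grant. It needs its own comment, e.g. `# Send datagrams to the camera daemon sockets (/data/cam_socket[01])`. Nothing in this hunk marks mediaserver as permissive, so unlike the camera.te rules this one is likely enforced as soon as the change lands, which makes the explanation more useful here.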