authorGreg Kaiser <gkaiser@google.com>2021-03-02 13:36:31 -0800
committerGreg Kaiser <gkaiser@google.com>2021-03-02 13:36:31 -0800
commitb1a095f09eb64ce78c0917860dc111b5ba83ade2 (patch)
tree88484d8afc763722607528196b5ea4c3695d7f62
parent20e95959ab19aac6722cb40fc8cd834e09974c6c (diff)
Put in SELinux holes for other cameras
Right now, anyone using CameraGo is told to fully disable SELinux for the entire device in order to be able to save pictures they take. This is not an issue with CameraGo, as OpenCamera has the same behavior. With this CL, we weaken and put holes in the device SELinux policy until we're able to save a picture with OpenCamera. This is a much better state than having folks disable SELinux altogether, and also should make it much easier to test with this camera. Bug: 152082918 Test: OpenCamera app is able to store pictures and videos without disabling selinux for the device. Change-Id: I14afc331c12dd0316e8c90cc878374e0a1ee94f6
-rw-r--r--neverallows/non_plat/neverallows.te2
-rw-r--r--non_plat/mtk_hal_camera.te5
2 files changed, 7 insertions, 0 deletions
diff --git a/neverallows/non_plat/neverallows.te b/neverallows/non_plat/neverallows.te
index b4de8ec..3826b67 100644
--- a/neverallows/non_plat/neverallows.te
+++ b/neverallows/non_plat/neverallows.te
@@ -17,6 +17,8 @@ full_treble_only(`
init
merged_hal_service
mtk_hal_bluetooth
+ # TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed.
+ mtk_hal_camera
mtk_hal_power
mtk_hal_usb
mtk_hal_wifi
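Review bot: The added TODO does not say which neverallow this list exempts domains from, or which new rule in non_plat/mtk_hal_camera.te needs the exemption, so a later cleanup cannot tell when the `mtk_hal_camera` entry is safe to drop. The rule that owns this list starts above the hunk and is not visible here. Judging by the other file in this commit, the entry was probably needed for one of the three new allows (possibly the `system_server:binder call` one), but that is an inference. I would extend the comment to tie the two together, e.g. `# TODO(b/152082918) Exempted only for the temporary camera allows in non_plat/mtk_hal_camera.te; remove both together.`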
diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te
index 131095e..4173b0a 100644
--- a/non_plat/mtk_hal_camera.te
+++ b/non_plat/mtk_hal_camera.te
@@ -373,3 +373,8 @@ MTK_M4U_T_SEC_INIT
# Operation : For android Q allowing ioctl
allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };
allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
+
+# TODO(b/152082918): Hacks to get OpenCamera/CameraGo "work"ing.
+allow mtk_hal_camera sysfs:file rw_file_perms;
+allow mtk_hal_camera system_server:binder call;
+allow mtk_hal_camera Vcodec_device:chr_file rw_file_perms;
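Review bot: `allow mtk_hal_camera sysfs:file rw_file_perms;` grants the camera HAL read and write on every file still carrying the generic `sysfs` label, which is far wider than whatever node the denial was for. The usual fix is to label the specific node in genfs_contexts and allow only that type, e.g. `allow mtk_hal_camera <camera_sysfs_type>:file r_file_perms;` (placeholder type name), keeping write only if a logged denial shows it is needed. The comment should also record the avc denial behind each of the three rules, so that each can be removed on its own once b/152082918 is resolved. The `system_server:binder call` rule lets a vendor HAL call into system_server directly, so it should say which interface it is for.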