author | Greg Kaiser <gkaiser@google.com> | 2021-03-02 13:36:31 -0800 |
---|---|---|
committer | Greg Kaiser <gkaiser@google.com> | 2021-03-02 13:36:31 -0800 |
commit | b1a095f09eb64ce78c0917860dc111b5ba83ade2 (patch) | |
tree | 88484d8afc763722607528196b5ea4c3695d7f62 | |
parent | 20e95959ab19aac6722cb40fc8cd834e09974c6c (diff) | |
download | wembley-sepolicy-b1a095f09eb64ce78c0917860dc111b5ba83ade2.tar.gz |
Put in SELinux holes for other cameras
Right now, anyone using CameraGo is told to fully disable
SELinux for the entire device in order to be able to save
pictures they take. This is not an issue with CameraGo,
as OpenCamera has the same behavior.
With this CL, we weaken and put holes in the device SELinux
policy until we're able to save a picture with OpenCamera.
This is a much better state than having folks disable
SELinux altogether, and also should make it much easier to
test with this camera.
Bug: 152082918
Test: OpenCamera app is able to store pictures and videos without disabling selinux for the device.
Change-Id: I14afc331c12dd0316e8c90cc878374e0a1ee94f6
-rw-r--r-- | neverallows/non_plat/neverallows.te | 2 | ||||
-rw-r--r-- | non_plat/mtk_hal_camera.te | 5 |
2 files changed, 7 insertions, 0 deletions
diff --git a/neverallows/non_plat/neverallows.te b/neverallows/non_plat/neverallows.te index b4de8ec..3826b67 100644 --- a/neverallows/non_plat/neverallows.te +++ b/neverallows/non_plat/neverallows.te @@ -17,6 +17,8 @@ full_treble_only(` init merged_hal_service mtk_hal_bluetooth + # TODO(b/152082918) Remove mtk_hal_camera line when permissions are fixed. + mtk_hal_camera mtk_hal_power mtk_hal_usb mtk_hal_wifi diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te index 131095e..4173b0a 100644 --- a/non_plat/mtk_hal_camera.te +++ b/non_plat/mtk_hal_camera.te @@ -373,3 +373,8 @@ MTK_M4U_T_SEC_INIT # Operation : For android Q allowing ioctl allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl }; allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF; + +# TODO(b/152082918): Hacks to get OpenCamera/CameraGo "work"ing. +allow mtk_hal_camera sysfs:file rw_file_perms; +allow mtk_hal_camera system_server:binder call; +allow mtk_hal_camera Vcodec_device:chr_file rw_file_perms; |
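Review bot: in the neverallows/non_plat/neverallows.te hunk, the TODO above the new `mtk_hal_camera` entry does not say which access needs the exemption, so whoever removes it later cannot tell when it is safe to do so. An entry in this list exempts the whole domain from the surrounding rule, not just the one access that was denied. Name in the comment the rule in non_plat/mtk_hal_camera.te that depends on this entry, so the two can be reverted together under b/152082918.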
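Review bot: in the non_plat/mtk_hal_camera.te hunk, `allow mtk_hal_camera sysfs:file rw_file_perms;` grants read and write on every file that carries the generic `sysfs` label, which is far wider than the stated goal of saving a picture. Give the specific sysfs nodes that showed up in the denials their own type and allow only that type, and use `r_file_perms` if write access was never denied. The same question applies to `Vcodec_device:chr_file rw_file_perms`: check whether write is actually needed. The comment labels all three rules as hacks without recording the denial each one answers; adding that per rule would let them be removed one at a time.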