From 4541687be516e00492efe3e0ff906f14c8b48910 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Fri, 5 Feb 2016 14:17:22 -0800
Subject: [PATCH] cameraserver: Build up least privileged policy

Remove all permissions not observed during testing.

Remove domain_deprecated.

Bug: 26982110
Change-Id: I33f1887c95bdf378c945319494378225b41db215
---
 bluetooth.te      |  1 -
 cameraserver.te   | 99 +++++------------------------------------------
 mediaserver.te    |  1 -
 radio.te          |  1 -
 surfaceflinger.te |  1 -
 system_server.te  |  2 -
 6 files changed, 9 insertions(+), 96 deletions(-)

diff --git a/bluetooth.te b/bluetooth.te
index 0c42eb52e..6a329b70c 100644
--- a/bluetooth.te
+++ b/bluetooth.te
@@ -37,7 +37,6 @@ set_prop(bluetooth, ctl_dhcp_pan_prop)
 
 allow bluetooth audioserver_service:service_manager find;
 allow bluetooth bluetooth_service:service_manager find;
-allow bluetooth cameraserver_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
diff --git a/cameraserver.te b/cameraserver.te
index 3a5dff370..ca29304c8 100644
--- a/cameraserver.te
+++ b/cameraserver.te
@@ -1,116 +1,35 @@
 # cameraserver - camera daemon
-type cameraserver, domain, domain_deprecated;
+type cameraserver, domain;
 type cameraserver_exec, exec_type, file_type;
 
-typeattribute cameraserver mlstrustedsubject;
+# STOPSHIP. cameraserver into permissive mode to collect denials from
+# droidfooders
+permissive cameraserver;
 
-net_domain(cameraserver)
 init_daemon_domain(cameraserver)
 
-r_dir_file(cameraserver, sdcard_type)
-
 binder_use(cameraserver)
 binder_call(cameraserver, binderservicedomain)
 binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 
-# Required by Widevine DRM (b/22990512)
-allow cameraserver self:process execmem;
-
-allow cameraserver kernel:system module_request;
-allow cameraserver media_data_file:dir create_dir_perms;
-allow cameraserver media_data_file:file create_file_perms;
+# access /data/misc/camera
 allow cameraserver camera_data_file:dir create_dir_perms;
 allow cameraserver camera_data_file:file create_file_perms;
-allow cameraserver app_data_file:dir search;
-allow cameraserver app_data_file:file rw_file_perms;
-allow cameraserver sdcard_type:file write;
-allow cameraserver gpu_device:chr_file rw_file_perms;
+
 allow cameraserver video_device:dir r_dir_perms;
 allow cameraserver video_device:chr_file rw_file_perms;
-allow cameraserver audio_device:dir r_dir_perms;
-allow cameraserver tee_device:chr_file rw_file_perms;
-
-set_prop(cameraserver, audio_prop)
-
-# Access audio devices at all.
-allow cameraserver audio_device:chr_file rw_file_perms;
-
-# XXX Label with a specific type?
-allow cameraserver sysfs:file r_file_perms;
-
-# Read resources from open apk files passed over Binder.
-allow cameraserver apk_data_file:file { read getattr };
-allow cameraserver asec_apk_file:file { read getattr };
-
-# Read /data/data/com.android.providers.telephony files passed over Binder.
-allow cameraserver radio_data_file:file { read getattr };
-
-# Use pipes passed over Binder from app domains.
-allow cameraserver appdomain:fifo_file { getattr read write };
-
-allow cameraserver rpmsg_device:chr_file rw_file_perms;
-
-# Inter System processes communicate over named pipe (FIFO)
-allow cameraserver system_server:fifo_file r_file_perms;
+allow cameraserver ion_device:chr_file rw_file_perms;
 
-# Camera data
-r_dir_file(cameraserver, camera_data_file)
-r_dir_file(cameraserver, media_rw_data_file)
-
-# Grant access to audio files to cameraserver
-allow cameraserver audio_data_file:dir ra_dir_perms;
-allow cameraserver audio_data_file:file create_file_perms;
-
-# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
-allow cameraserver qtaguid_proc:file rw_file_perms;
-allow cameraserver qtaguid_device:chr_file r_file_perms;
-
-# Allow abstract socket connection
-allow cameraserver rild:unix_stream_socket { connectto read write setopt };
-
-# Needed on some devices for playing DRM protected content,
-# but seems expected and appropriate for all devices.
-unix_socket_connect(cameraserver, drmserver, drmserver)
-
-# Needed on some devices for playing audio on paired BT device,
-# but seems appropriate for all devices.
-unix_socket_connect(cameraserver, bluetooth, bluetooth)
-
-# Connect to tee service.
-allow cameraserver tee:unix_stream_socket connectto;
-
-allow cameraserver activity_service:service_manager find;
 allow cameraserver appops_service:service_manager find;
 allow cameraserver audioserver_service:service_manager find;
-allow cameraserver cameraproxy_service:service_manager find;
-allow cameraserver cameraserver_service:service_manager { add find };
 allow cameraserver batterystats_service:service_manager find;
-allow cameraserver drmserver_service:service_manager find;
-allow cameraserver mediaextractor_service:service_manager find;
+allow cameraserver cameraproxy_service:service_manager find;
+allow cameraserver cameraserver_service:service_manager add;
 allow cameraserver mediaserver_service:service_manager find;
-allow cameraserver permission_service:service_manager find;
-allow cameraserver power_service:service_manager find;
 allow cameraserver processinfo_service:service_manager find;
-allow cameraserver scheduling_policy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 
-# /oem access
-allow cameraserver oemfs:dir search;
-allow cameraserver oemfs:file r_file_perms;
-
-use_drmservice(cameraserver)
-allow cameraserver drmserver:drmservice {
-    consumeRights
-    setPlaybackStatus
-    openDecryptSession
-    closeDecryptSession
-    initializeDecryptUnit
-    decrypt
-    finalizeDecryptUnit
-    pread
-};
-
 ###
 ### neverallow rules
 ###
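Review bot: `permissive cameraserver;` on the new side means none of the allow rules kept in this hunk are enforced at runtime, so the reduced policy is only a denial-collection baseline until that line is removed; the STOPSHIP comment should say so explicitly and reference the tracking bug, e.g. `# STOPSHIP(b/26982110): cameraserver is permissive only to collect denials from droidfooders; remove before release so the rules below are enforced.` The neverallow section whose header closes this hunk still applies at policy compile time, so those assertions stay effective while the domain is permissive. Note that the retained `binder_call(cameraserver, appdomain)` is the broadest remaining rule in the domain; presumably it is needed for callbacks to camera clients, but that is worth confirming against the collected denials before the permissive line is dropped.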
diff --git a/mediaserver.te b/mediaserver.te
index 38c0af200..6d977a37c 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -90,7 +90,6 @@ allow mediaserver tee:unix_stream_socket connectto;
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
 allow mediaserver audioserver_service:service_manager find;
-allow mediaserver cameraserver_service:service_manager find;
 allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
diff --git a/radio.te b/radio.te
index c4df1f7d1..0da43a6d2 100644
--- a/radio.te
+++ b/radio.te
@@ -28,7 +28,6 @@ auditallow radio system_radio_prop:property_service set;
 set_prop(radio, ctl_rildaemon_prop)
 
 allow radio audioserver_service:service_manager find;
-allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio radio_service:service_manager { add find };
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 31f7de66d..8fb6463ff 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -54,7 +54,6 @@ allow surfaceflinger tee_device:chr_file rw_file_perms;
 
 # media.player service
 allow surfaceflinger audioserver_service:service_manager find;
-allow surfaceflinger cameraserver_service:service_manager find;
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/system_server.te b/system_server.te
index e8c52ff97..1da04c171 100644
--- a/system_server.te
+++ b/system_server.te
@@ -153,8 +153,6 @@ r_dir_file(system_server, inputflinger)
 # Use sockets received over binder from various services.
 allow system_server audioserver:tcp_socket rw_socket_perms;
 allow system_server audioserver:udp_socket rw_socket_perms;
-allow system_server cameraserver:tcp_socket rw_socket_perms;
-allow system_server cameraserver:udp_socket rw_socket_perms;
 allow system_server mediaserver:tcp_socket rw_socket_perms;
 allow system_server mediaserver:udp_socket rw_socket_perms;
 
-- 
GitLab