Policy for Camera HAL HwBinder service

This adds restrictions on which domains can register this HwBinder service with hwservicemanager and which domains can obtain tokens for this service from hwservicemanager. Test: Use Google Camera app to take HDR+ photo, conventional photo, record video with sound, record slow motion video with sound. Check that the photos display correctly and that videos play back fine and with sound. Check that there are no SELinux denials to do with camera. Bug: 34454312 Change-Id: Icfaeed917423510d9f97d18b013775596883ff64

Policy for Camera HAL HwBinder service
This adds restrictions on which domains can register this HwBinder service with hwservicemanager and which domains can obtain tokens for this service from hwservicemanager. Test: Use Google Camera app to take HDR+ photo, conventional photo, record video with sound, record slow motion video with sound. Check that the photos display correctly and that videos play back fine and with sound. Check that there are no SELinux denials to do with camera. Bug: 34454312 Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
ab2c681f · Alex Klyubin · b36c9bcd · ab2c681f · ab2c681f · ab2c681f
Commit ab2c681f authored 7 years ago by Alex Klyubin
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
+android.hardware.camera.provider::ICameraProvider             u:object_r:hw_camera_provider_ICameraProvider:s0
 *                                    u:object_r:default_android_hwservice:s0
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,8 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)

 hal_client_domain(cameraserver, hal_camera)
+allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
+
 hal_client_domain(cameraserver, hal_graphics_allocator)

 allow cameraserver ion_device:chr_file rw_file_perms;

--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,6 +2,8 @@
 binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)

+add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
 allow hal_camera camera_data_file:file create_file_perms;

--- a/public/hwservice.te
+++ b/public/hwservice.te
 type default_android_hwservice,   hwservice_manager_type;
+type hw_camera_provider_ICameraProvider,             hwservice_manager_type;
--- a/public/te_macros
+++ b/public/te_macros
@@ -500,6 +500,16 @@ define(`add_service', `
  neverallow { domain -$1 } $2:service_manager add;
 ')

+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+  allow $1 $2:hwservice_manager { add find };
+  neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
 ##########################################
 # print a message with a trailing newline
 # print(`args')