From ab2c681fb181839ac7beee49ebd51dc4781f0c56 Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 13 Apr 2017 10:29:42 -0700
Subject: [PATCH] Policy for Camera HAL HwBinder service

This adds restrictions on which domains can register this HwBinder service with hwservicemanager and which domains can obtain tokens for this service from hwservicemanager.
Test: Use Google Camera app to take HDR+ photo, conventional photo, record video with sound, record slow motion video with sound. Check that the photos display correctly and that videos play back fine and with sound. Check that there are no SELinux denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
---
 private/hwservice_contexts | 1 +
 public/cameraserver.te | 2 ++
 public/hal_camera.te | 2 ++
 public/hwservice.te | 1 +
 public/te_macros | 10 ++++++++++
 5 files changed, 16 insertions(+)

diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 4351ea1d8..9330041a7 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -1 +1,2 @@
+android.hardware.camera.provider::ICameraProvider u:object_r:hw_camera_provider_ICameraProvider:s0
 * u:object_r:default_android_hwservice:s0
diff --git a/public/cameraserver.te b/public/cameraserver.te
index d1b55cff0..46083f5cc 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -8,6 +8,8 @@ binder_call(cameraserver, appdomain)
 binder_service(cameraserver)
 hal_client_domain(cameraserver, hal_camera)
+allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
+
 hal_client_domain(cameraserver, hal_graphics_allocator)
 allow cameraserver ion_device:chr_file rw_file_perms;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index b05239b78..a00bf9f42 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
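Review bot: In the cameraserver.te hunk, the added `allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;` names the cameraserver type directly and carries no comment. The context line just above it already makes cameraserver a camera HAL client via `hal_client_domain(cameraserver, hal_camera)`. If the lookup right is meant for cameraserver alone, I would record that in a comment, e.g. `# Only cameraserver looks up the camera provider HwBinder service`. If it is meant for every camera HAL client, the rule presumably belongs in hal_camera.te against `hal_camera_client`.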
@@ -2,6 +2,8 @@ binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
+add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
+
 # access /data/misc/camera
 allow hal_camera camera_data_file:dir create_dir_perms;
 allow hal_camera camera_data_file:file create_file_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index a39ffd2a3..cf5962942 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -1 +1,2 @@
 type default_android_hwservice, hwservice_manager_type;
+type hw_camera_provider_ICameraProvider, hwservice_manager_type;
diff --git a/public/te_macros b/public/te_macros
index 020bdc505..c19a56d11 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -500,6 +500,16 @@ define(`add_service', `
 neverallow { domain -$1 } $2:service_manager add;
 ')
+###########################################
+# add_hwservice(domain, service)
+# Ability for domain to add a service to hwservice_manager
+# and find it. It also creates a neverallow preventing
+# others from adding it.
+define(`add_hwservice', `
+ allow $1 $2:hwservice_manager { add find };
+ neverallow { domain -$1 } $2:hwservice_manager add;
+')
+
 ##########################################
 # print a message with a trailing newline
 # print(`args')
-- 
GitLab
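Review bot: In the hwservice.te hunk, the new type name `hw_camera_provider_ICameraProvider` copies the interface name, CamelCase included, while the existing type in this file, `default_android_hwservice`, is lower-case with an `_hwservice` suffix. A name in the same pattern, for example `hal_camera_hwservice`, would keep hwservice types recognisable at a glance in allow and neverallow rules. The same identifier appears in the hwservice_contexts, cameraserver.te and hal_camera.te hunks, so a rename would have to be applied there as well.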
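Review bot: The header comment on `add_hwservice` in the te_macros hunk does not say that `find` is left unrestricted. The macro's neverallow is `$2:hwservice_manager add` only, so which domains may look the service up depends entirely on the allow rules that exist. I would add a comment line such as `# find is not covered by the neverallow; grant it per client.` When `$1` is an attribute, as with `hal_camera_server` in the hal_camera.te hunk, every type carrying that attribute is exempt from the neverallow and receives `{ add find }`, which the comment could state too.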