From e3019be3dba956a0b2fa48bd06f51b69e6f5636f Mon Sep 17 00:00:00 2001
From: Jayant Chowdhary
Date: Thu, 20 Jan 2022 00:47:54 -0800
Subject: [PATCH] System wide sepolicy changes for aidl camera hals.
Bug: 196432585
Test: Camera CTS
Change-Id: I0ec0158c9cf82937d6c00841448e6e42f6ff4bb0
Signed-off-by: Jayant Chowdhary
---
 private/compat/32.0/32.0.ignore.cil | 1 +
 private/service_contexts | 3 +++
 public/cameraserver.te | 1 +
 public/hal_camera.te | 6 +++++-
 public/service.te | 1 +
 5 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index f834ca335..bcdfa974a 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -23,6 +23,7 @@
 extra_free_kbytes_exec
 gesture_prop
 hal_contexthub_service
+ hal_camera_service
 hal_dice_service
 hal_drm_service
 hal_dumpstate_service
diff --git a/private/service_contexts b/private/service_contexts
index 1ada5439a..7075f4d47 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,6 +4,9 @@ android.hardware.automotive.audiocontrol.IAudioControl/default u:object_r:
 android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
 android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
 android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
 android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
 android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 577a46517..d41339a4a 100644
--- a/public/cameraserver.te
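Review bot: The new `service_contexts` entry labels only the `ICameraProvider/internal/0` instance, and the added comment does not say what happens to a provider registered under any other instance name. Such a provider would not get `hal_camera_service` from this line and would be resolved by whatever other entries the file has, which are not visible in this hunk. I would extend the comment with `# Providers registered under other instance names need their own entry to be labelled hal_camera_service.` so that a vendor adding a second provider does not silently depend on a fallback label.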
+++ b/public/cameraserver.te
@@ -35,6 +35,7 @@ allow cameraserver sensor_privacy_service:service_manager find;
 allow cameraserver surfaceflinger_service:service_manager find;
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
 # Allow to talk with surfaceflinger through unix stream socket
 allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56e7..df70ab674 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,11 @@ binder_call(hal_camera_client, hal_camera_server)
 binder_call(hal_camera_server, hal_camera_client)
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+ hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
 allow hal_camera device:dir r_dir_perms;
 allow hal_camera video_device:dir r_dir_perms;
@@ -32,7 +36,7 @@ allow hal_camera shell:fifo_file write;
 neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
 # hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
 # Only camera HAL may directly access the camera hardware
 neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/service.te b/public/service.te
index 012a781e1..46eaff17a 100644
--- a/public/service.te
+++ b/public/service.te
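Review bot: The added `allow cameraserver hal_camera_service:service_manager find;` may duplicate the `find` permission that `hal_attribute_service(hal_camera, hal_camera_service)` in `public/hal_camera.te` gives to `hal_camera_client`. That holds only if cameraserver is declared a client of the camera HAL elsewhere in the policy, and that declaration is not visible in this patch. If so, the explicit rule can be dropped so the grant lives in one place. If it is needed, a short comment such as `# AIDL camera provider lookup through servicemanager` would set it apart from the `hwservice_manager` rule it now sits directly beneath.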
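Review bot: The comment added above `binder_use(hal_camera_server)` in the first `hal_camera.te` hunk says `#binder IPC from client to service manager and callbacks`, but the macro is applied to the server domain, so it names the wrong party for the rule it documents. I would reword it to `# Binder IPC from the camera HAL server to servicemanager (AIDL service registration).`, with a space after `#`, so a later audit of which domain may talk to servicemanager is not misled. The link to service registration is inferred from the `hal_attribute_service` line added in the same hunk and should be confirmed by the author.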
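Review bot: The rewritten network `neverallow` in the second `hal_camera.te` hunk now exempts `su` on userdebug/eng builds, yet the comment above it still says hal_camera should never need network access and gives no reason for the exception. The rule is a build-time assertion and grants nothing by itself, and as written the exclusion removes only `su` from the target set, so user builds stay fully covered. A reader still cannot tell from the hunk which allow rule would otherwise trip the assertion. Please record that next to the rule, for example `# su is excluded on userdebug/eng only: <reason / rule that would otherwise violate this neverallow>`, and confirm that no matching allow rule reaches user builds.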
@@ -268,6 +268,7 @@ type hal_wifi_supplicant_service, vendor_service, protected_service, service_man
 type hal_audio_service, vendor_service, protected_service, service_manager_type;
 type hal_audiocontrol_service, vendor_service, service_manager_type;
 type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, service_manager_type;
 type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
 type hal_dice_service, vendor_service, protected_service, service_manager_type;
 type hal_drm_service, vendor_service, service_manager_type;