Seandroid: Add policy for camera domain
Adding policy for mm-qcamerad
Change-Id: I57efce6ec83d188f2a56f22ef3dd076b1fa09e09
diff --git a/Android.mk b/Android.mk
index 6bb46bc..df85656 100644
--- a/Android.mk
+++ b/Android.mk
@@ -41,4 +41,5 @@
system_app.te \
bluetooth.te \
init_shell.te \
- mpdecision.te
+ mpdecision.te \
+ mm-qcamerad.te
diff --git a/common/file.te b/common/file.te
index 8676045..bed528b 100755
--- a/common/file.te
+++ b/common/file.te
@@ -59,3 +59,6 @@
type sysfs_mpdecision, fs_type, sysfs_type;
type sysfs_rqstats, fs_type, sysfs_type;
type sysfs_cpu_online, fs_type, sysfs_type;
+
+#mm-qcamera-daemon socket
+type camera_socket, file_type;
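Review bot: `camera_socket` is declared with only `file_type`, yet the file_contexts hunk in this same change labels the entire `/data/camera(/.*)?` tree with it, so the directory and any ordinary files created under it would carry a type that lacks the `data_file_type` attribute and would sit outside any rules or neverallow checks keyed on that attribute. If this tree follows the AOSP convention for types under /data, the declaration should read `type camera_socket, file_type, data_file_type;`. The comment above it also reads as if only a socket node is labelled; `# mm-qcamera-daemon socket directory (/data/camera) and its contents` would say what the label actually covers.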
diff --git a/common/file_contexts b/common/file_contexts
index e91b7ed..991cb08 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -22,6 +22,9 @@
/dev/ttyHSL0 u:object_r:console_device:s0
/dev/ttyHS[0-9]* u:object_r:serial_device:s0
/dev/usb_ext_chg u:object_r:hvdcp_device:s0
+/dev/media([0-9])+ u:object_r:camera_device:s0
+/dev/jpeg[0-9]* u:object_r:camera_device:s0
+/dev/v4l-subdev.* u:object_r:camera_device:s0
###################################
# Dev socket nodes
#
@@ -59,6 +62,7 @@
/system/bin/sns.* u:object_r:sensors_test_exec:s0
/system/bin/test_diag u:object_r:diag_exec:s0
/system/bin/thermal-engine u:object_r:thermal-engine_exec:s0
+/system/bin/mm-qcamera-daemon u:object_r:mm-qcamerad_exec:s0
/system/etc/sensor_def_qcomdev.conf u:object_r:sensors_system_file:s0
/system/etc/sensors(/.*)? u:object_r:sensors_system_file:s0
/system/rfs.* u:object_r:rfs_system_file:s0
@@ -95,6 +99,7 @@
/data/diag_log(/.*)? u:object_r:diag_data_file:s0
/data/misc/sensors(/.*)? u:object_r:sensors_data_file:s0
/data/rfs.* u:object_r:rfs_data_file:s0
+/data/camera(/.*)? u:object_r:camera_socket:s0
###################################
# persist files
diff --git a/common/mediaserver.te b/common/mediaserver.te
index b67ad17..7d0699b 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -1,2 +1,5 @@
# allow mediaserver to communicate with cnd
unix_socket_connect(mediaserver, cnd, cnd)
+
+allow mediaserver camera_device:chr_file rw_file_perms;
+unix_socket_send(mediaserver, camera, mm-qcamerad)
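Review bot: `unix_socket_send(mediaserver, camera, mm-qcamerad)` expands to write on `camera_socket:sock_file` plus sendto on the daemon's unix_dgram_socket, but nothing in this change lets mediaserver search the `/data/camera` directory, which the file_contexts hunk labels `camera_socket` as well; unless that permission already exists elsewhere, path lookup of the socket will be denied before the write is attempted. Adding `allow mediaserver camera_socket:dir search;` next to the macro closes that gap. If the daemon actually binds a stream socket rather than a datagram one, the macro should be `unix_socket_connect` instead — the diff does not show which socket type the daemon uses, so this is worth confirming against it.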
diff --git a/common/mm-qcamerad.te b/common/mm-qcamerad.te
new file mode 100644
index 0000000..fd4371d
--- /dev/null
+++ b/common/mm-qcamerad.te
@@ -0,0 +1,21 @@
+type mm-qcamerad, domain;
+type mm-qcamerad_exec, exec_type, file_type;
+init_daemon_domain(mm-qcamerad)
+
+userdebug_or_eng(`
+ allow mm-qcamerad debugfs:dir search;
+')
+
+#Communicate with user land process through domain socket
+allow mm-qcamerad camera_socket:sock_file { create unlink write };
+allow mm-qcamerad camera_socket:dir w_dir_perms;
+unix_socket_connect(mm-qcamerad, sensors, sensors)
+
+allow mm-qcamerad self:process execmem;
+# Interact with other media devices
+allow mm-qcamerad camera_device:dir search;
+allow mm-qcamerad { gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms;
+
+allow mm-qcamerad { surfaceflinger mediaserver }:fd use;
+# Need to investigate this
+allow mm-qcamerad self:tcp_socket create_socket_perms;
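Review bot: The final rule grants `self:tcp_socket create_socket_perms` under a `# Need to investigate this` comment, which lands network socket creation in the camera daemon's domain without an established reason; either drop the rule until the need is confirmed, or replace the comment with the concrete purpose so the grant can be audited later. The `self:process execmem` rule above has the same gap — it is a security-relevant permission (writable-and-executable memory) with no comment on why the daemon needs it, and a line such as `# execmem: required by <library or component — TO BE FILLED IN>` would let a reviewer judge whether it is still necessary. The `{ gpu_device video_device camera_device sensors_device }:chr_file rw_file_perms` line would likewise benefit from a one-line note on which daemon function touches each device, since gpu_device and sensors_device are not obviously camera-related from the policy alone.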