From 7a0a7ea6a501c2862e0ca9b9a6eaba6fa411f010 Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Mon, 28 Dec 2020 13:04:46 +0530
Subject: [PATCH] non_plat: Label /data/vendor/camera/ and allow mtk_hal_camera create perms

Camera data files are store in /data/vendor/camera/ by camera hal on treble devices. Label and allow mtk_hal_camera to manage it.

Denial observed without this change:
[ 17.686535] .(4)[399:logd.auditd]type=1400 audit(1609114842.280:303): avc: denied { getattr } for comm="camerahalserver" path="/data/vendor/camera/back_dual_camera_caldata_wt.bin" dev="sdc46" ino=2490446 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:vendor_data_file:s0 tclass=file permissive=1

Test: Boot and notice denial has disappeared

Signed-off-by: Aayush Gupta
Change-Id: I98d0ddcce95cccdb9e86c4d36cb692e1f1ff41cb
---
 non_plat/file.te | 3 +++
 non_plat/file_contexts | 2 ++
 non_plat/mtk_hal_camera.te | 4 ++++
 3 files changed, 9 insertions(+)

diff --git a/non_plat/file.te b/non_plat/file.te
index 6e82e16..5cd6420 100644
--- a/non_plat/file.te
+++ b/non_plat/file.te
@@ -440,3 +440,6 @@ type sysfs_chipid, fs_type, sysfs_type;
 # Date : 2019/12/12
 # Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
 type sysfs_concurrency_scenario, fs_type, sysfs_type;
+
+# Camera file types
+type camera_vendor_data_file, file_type, data_file_type;
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index c17da3a..6f77b25 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -686,3 +686,5 @@
 /(system\/vendor|vendor)/bin/aee_aedv64 u:object_r:aee_aedv_exec:s0
 /vendor/bin/aeev u:object_r:aee_aedv_exec:s0
+# Camera data files
+/data/vendor/camera(/.*)? u:object_r:camera_vendor_data_file:s0
diff --git a/non_plat/mtk_hal_camera.te b/non_plat/mtk_hal_camera.te
index 4c7e68d..a06a7d0 100644
--- a/non_plat/mtk_hal_camera.te
+++ b/non_plat/mtk_hal_camera.te
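Review bot: The new type in file.te is introduced with only `# Camera file types`, while the neighbouring entries shown in the hunk's context document each type with a `# Date :` / `# Purpose :` header that names the path the type labels. Following that convention makes the type's intent discoverable from file.te alone, without going back to file_contexts. I would replace the comment with `# Date : 2020/12/28` and `# Purpose : label camera HAL data under /data/vendor/camera/ (written by mtk_hal_camera)`.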
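Review bot: The `/data/vendor/camera(/.*)?` entry only labels objects created after the policy change or paths that are relabeled; the denial quoted in the description is for a file that already exists and carries `u:object_r:vendor_data_file:s0`, and a tree labeled that way keeps its label across a policy update unless something runs a restorecon over it. It is worth confirming that the directory is created by an init `.rc` entry (so it gets its context from file_contexts at creation) or that `/data/vendor` is relabeled recursively at boot on this device, and that "Test: Boot and notice denial has disappeared" was run on a unit that already had files in that directory rather than a wiped one; otherwise upgraded devices will still see the getattr denial. A one-line comment pointing at the owner helps the next reader, e.g. `# Camera data files (owned and written by mtk_hal_camera, see mtk_hal_camera.te)`.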
@@ -359,3 +359,7 @@ allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
 # MTK camera property
 set_prop(mtk_hal_camera, mtk_camera_prop)
+
+# Camera data files
+allow mtk_hal_camera camera_vendor_data_file:dir create_dir_perms;
+allow mtk_hal_camera camera_vendor_data_file:file create_file_perms;
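Review bot: `create_dir_perms` and `create_file_perms` give the HAL the full create/write/rename/unlink set on `camera_vendor_data_file`, while the only evidence on the page is a `getattr` denial on a calibration `.bin` file, so the grant is wider than what is demonstrated. If the HAL only reads calibration data that another component writes, `r_dir_perms` / `r_file_perms` would keep the domain closer to least privilege; if it does create and rewrite files there (the description says it stores them), the current macros are reasonable but the write case should be stated next to the rule so the breadth is justified, e.g. `# Camera data files: HAL creates and rewrites calibration data under /data/vendor/camera`. Since this change grants access to the new type to `mtk_hal_camera` only, it is also worth checking whether any other domain on the device (a calibration or factory tool, for instance) touches that directory and would now be denied under the new label. The rule block for mtk_hal_camera continues outside the hunk.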