Cleanup unused permissions
Remove all references to mm-qcamera-daemon. It is no longer used.
Clean up some unused system_server permissions.
Bug: 36613917
Test: Launch camera app. Take pictures and videos. Verify no new
denials in the logs.
Change-Id: Iea657bbd10dbccc8b2a59491c404a9c76c040032
diff --git a/marlin/android_filesystem_config.h b/marlin/android_filesystem_config.h
index bc92bd4..00aa6bb 100644
--- a/marlin/android_filesystem_config.h
+++ b/marlin/android_filesystem_config.h
@@ -32,7 +32,6 @@
** and will allow partial matches.
*/
static const struct fs_path_config android_device_files[] = {
- { 00700, AID_CAMERA, AID_SHELL, (1ULL << CAP_SYS_NICE), "vendor/bin/mm-qcamera-daemon" },
{ 00755, AID_SYSTEM, AID_SYSTEM, (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/pm-service" },
{ 00755, AID_SYSTEM, AID_SYSTEM, (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/imsdatadaemon" },
{ 00755, AID_SYSTEM, AID_RADIO, (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/ims_rtp_daemon" },
diff --git a/sailfish/android_filesystem_config.h b/sailfish/android_filesystem_config.h
index bc92bd4..00aa6bb 100644
--- a/sailfish/android_filesystem_config.h
+++ b/sailfish/android_filesystem_config.h
@@ -32,7 +32,6 @@
** and will allow partial matches.
*/
static const struct fs_path_config android_device_files[] = {
- { 00700, AID_CAMERA, AID_SHELL, (1ULL << CAP_SYS_NICE), "vendor/bin/mm-qcamera-daemon" },
{ 00755, AID_SYSTEM, AID_SYSTEM, (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/pm-service" },
{ 00755, AID_SYSTEM, AID_SYSTEM, (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/imsdatadaemon" },
{ 00755, AID_SYSTEM, AID_RADIO, (1ULL << CAP_NET_BIND_SERVICE), "vendor/bin/ims_rtp_daemon" },
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
deleted file mode 100644
index 591d63b..0000000
--- a/sepolicy/camera.te
+++ /dev/null
@@ -1,32 +0,0 @@
-type camera, domain;
-type camera_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(camera)
-
-allow camera self:capability sys_nice;
-
-binder_call(camera, system_server)
-binder_call(camera, cameraserver)
-allow camera system_server:unix_stream_socket { read write };
-
-allow camera ion_device:chr_file rw_file_perms;
-allow camera sysfs_msm_subsys:file r_file_perms;
-allow camera camera_device:chr_file rw_file_perms;
-allow camera gpu_device:chr_file rw_file_perms;
-allow camera graphics_device:chr_file rw_file_perms;
-allow camera video_device:chr_file rw_file_perms;
-allow camera sysfs_camera:dir search;
-allow camera sysfs_camera:file rw_file_perms;
-allow camera sysfs_video:dir search;
-allow camera sysfs_video:file r_file_perms;
-allow camera system_file:dir r_dir_perms;
-
-set_prop(camera, camera_prop)
-
-allow camera surfaceflinger:fd use;
-allow camera hal_graphics_allocator:fd use;
-allow camera cameraserver:fd use;
-
-allow camera input_device:dir r_dir_perms;
-allow camera input_device:chr_file r_file_perms;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 299b8f8..f9650ce 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -81,7 +81,6 @@
/system/bin/preloads_copy\.sh u:object_r:preloads_copy_exec:s0
# files in /vendor
-/vendor/bin/mm-qcamera-daemon u:object_r:camera_exec:s0
/vendor/bin/qsee_logger u:object_r:qsee_logger_exec:s0
/vendor/bin/smlog_dump u:object_r:smlog_dump_exec:s0
/vendor/bin/irsc_util u:object_r:irsc_util_exec:s0
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index ddf847b..82d811e 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -8,11 +8,7 @@
# /dev/uhid
allow system_server uhid_device:chr_file rw_file_perms;
-# TODO(b/36613917): Remove this once system_server no longer communicates with netmgrd over sockets.
-typeattribute netmgrd socket_between_core_and_vendor_violators;
-allow system_server netmgrd_socket:dir search;
-unix_socket_connect(system_server, netmgrd, netmgrd)
-
+# used to access the fwk_sensor_hwservice over hwbinder
binder_call(system_server, hal_camera_default)
binder_call(system_server, location)
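Review bot: The comment added above `binder_call(system_server, hal_camera_default)` does not say which rule it documents or which side is the client. `fwk_sensor_hwservice` reads like a service offered by the framework side, yet the rule lets system_server call into the camera HAL, and the `binder_call(system_server, location)` line directly below it has no visible tie to sensors. I would make direction and scope explicit, for example `# hal_camera_default is a client of fwk_sensor_hwservice over hwbinder; system_server calls back into it` (to be confirmed by the author), and give the location rule its own comment so a later audit of core-to-vendor binder rules can tell why each one exists. Separately, the Test line only exercises the camera app, so it may be worth also checking for system_server denials on `netmgrd_socket` during normal data connectivity, since this hunk drops the `unix_socket_connect(system_server, netmgrd, netmgrd)` rule. The rest of system_server.te is outside this hunk.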