Merge "Allow BPF programs from vendor."
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 34f6ff8..f1307ad 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@@ -24,6 +24,7 @@
fs_bpf_vendor
gesture_prop
hal_contexthub_service
+ hal_camera_service
hal_dice_service
hal_drm_service
hal_dumpstate_service
diff --git a/private/service_contexts b/private/service_contexts
index 1ada543..7075f4d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -4,6 +4,9 @@
android.hardware.biometrics.face.IFace/default u:object_r:hal_face_service:s0
android.hardware.biometrics.fingerprint.IFingerprint/default u:object_r:hal_fingerprint_service:s0
android.hardware.bluetooth.audio.IBluetoothAudioProviderFactory/default u:object_r:hal_audio_service:s0
+# The instance here is internal/0 following naming convention for ICameraProvider.
+# It advertises internal camera devices.
+android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
android.hardware.drm.IDrmFactory/clearkey u:object_r:hal_drm_service:s0
android.hardware.drm.ICryptoFactory/clearkey u:object_r:hal_drm_service:s0
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 577a465..d41339a 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -35,6 +35,7 @@
allow cameraserver surfaceflinger_service:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;
+allow cameraserver hal_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 45fad56..df70ab6 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -2,7 +2,11 @@
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
+#binder IPC from client to service manager and callbacks
+binder_use(hal_camera_server)
+
hal_attribute_hwservice(hal_camera, hal_camera_hwservice)
+hal_attribute_service(hal_camera, hal_camera_service)
allow hal_camera device:dir r_dir_perms;
allow hal_camera video_device:dir r_dir_perms;
@@ -32,7 +36,7 @@
neverallow hal_camera_server { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
-neverallow hal_camera_server domain:{ tcp_socket udp_socket rawip_socket } *;
+neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
diff --git a/public/service.te b/public/service.te
index 012a781..46eaff1 100644
--- a/public/service.te
+++ b/public/service.te
@@ -268,6 +268,7 @@
type hal_audio_service, vendor_service, protected_service, service_manager_type;
type hal_audiocontrol_service, vendor_service, service_manager_type;
type hal_authsecret_service, vendor_service, protected_service, service_manager_type;
+type hal_camera_service, vendor_service, protected_service, service_manager_type;
type hal_contexthub_service, vendor_service, protected_service, service_manager_type;
type hal_dice_service, vendor_service, protected_service, service_manager_type;
type hal_drm_service, vendor_service, service_manager_type;
