Merge "Add selinux permissions for DeviceAsWebcam Service"
diff --git a/private/app.te b/private/app.te
index 90ea7cd..db32be0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -503,4 +503,20 @@
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
-}:file no_x_file_perms;
\ No newline at end of file
+}:file no_x_file_perms;
+
+# Don't allow apps access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+}:chr_file { read write };
+
+# Block video device access for all apps except the DeviceAsWebcam Service which
+# needs access to /dev/video* for interfacing with the host
+neverallow {
+ appdomain
+ -device_as_webcam
+} video_device:chr_file { read write };
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index d531647..55d3840 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -11,6 +11,7 @@
bt_device
build_attestation_prop
credential_service
+ device_as_webcam
device_config_camera_native_prop
device_config_memory_safety_native_boot_prop
device_config_memory_safety_native_prop
diff --git a/private/device_as_webcam.te b/private/device_as_webcam.te
new file mode 100644
index 0000000..98c91c2
--- /dev/null
+++ b/private/device_as_webcam.te
@@ -0,0 +1,21 @@
+# Domain for DeviceAsWebcam Service
+type device_as_webcam, domain, coredomain, mlstrustedsubject;
+
+app_domain(device_as_webcam)
+
+allow device_as_webcam system_app_data_file:dir create_dir_perms;
+allow device_as_webcam system_app_data_file:file create_file_perms;
+
+allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
+
+# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
+# enale/disable itself
+get_prop(device_as_webcam, usb_uvc_enabled_prop)
+
+# need to access /dev to list all devices
+allow device_as_webcam device:dir r_dir_perms;
+
+# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
+# be accessed by the DeviceAsWebcam Service.
+allow device_as_webcam video_device:dir r_dir_perms;
+allow device_as_webcam video_device:chr_file rw_file_perms;
diff --git a/private/seapp_contexts b/private/seapp_contexts
index edfa198..878d50e 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -154,6 +154,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
+user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
@@ -190,4 +191,3 @@
user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
user=_app fromRunAs=true domain=runas_app levelFrom=user
-
diff --git a/public/app.te b/public/app.te
index 9ce0255..da59f32 100644
--- a/public/app.te
+++ b/public/app.te
@@ -21,16 +21,6 @@
# Block device access.
neverallow appdomain dev_type:blk_file { read write };
-# Access to any of the following character devices.
-neverallow appdomain {
- audio_device
- camera_device
- dm_device
- radio_device
- rpmsg_device
- video_device
-}:chr_file { read write };
-
# Note: Try expanding list of app domains in the future.
neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };
