author | Ryan Savitski <rsavitski@google.com> | 2019-05-20 11:48:18 +0100 |
---|---|---|
committer | Ryan Savitski <rsavitski@google.com> | 2019-05-20 20:25:01 +0100 |
commit | c980fb1369687d665ae9b9d9dea5a2c338706df6 (patch) | |
tree | 39006299bc93dc9b472c65eb44d1fd5cdbdef600 | |
parent | 956eefd7af0660450351266c41ec60d7fddadf49 (diff) | |
download | marlin-c980fb1369687d665ae9b9d9dea5a2c338706df6.tar.gz |
Allow camera to notify traced of a notable event (marlin/sailfish)

Most apps already have the permission to act as full producers
(isolated_app, ephemeral_app, priv_app, untrusted_app_all), but
the camera doesn't inherit that as it runs in its own domain.

Granting only the socket (i.e. ipc) permission, as:
* only that is needed at the moment.
* granting the shmem/fd permissions would require a broader change, as traced_tmpfs is declared in private/.

Specific denial:
05-20 13:56:20.303 7751 7751 W trigger_perfett: type=1400 audit(0.0:19): avc: denied { write } for name="traced_producer" dev="tmpfs" ino=7061 scontext=u:r:google_camera_app:s0:c181,c256,c512,c768 tcontext=u:object_r:traced_producer_socket:s0 tclass=sock_file permissive=0 app=com.google.android.GoogleCamera

Bug: 130543265
Tested: extrapolating from the same fix on crosshatch, tested manually on blueline-userdebug.
Merged-In: Ie34f60051b33eb6e4d4e95d96988e4223e7dc0d4
Change-Id: Ie34f60051b33eb6e4d4e95d96988e4223e7dc0d4
(cherry picked from commit ef1060c885767ccd2b71e17eaf7c32f907537d15)
-rw-r--r-- | sepolicy/google_camera_app.te | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sepolicy/google_camera_app.te b/sepolicy/google_camera_app.te index c5c417ac..3689ce8c 100644 --- a/sepolicy/google_camera_app.te +++ b/sepolicy/google_camera_app.te @@ -46,3 +46,6 @@ allow google_camera_app system_app_data_file:file { read write getattr }; # /vendor for the application. The policy build MUST also catch the violations typeattribute google_camera_app system_executes_vendor_violators; r_dir_file(google_camera_app, vendor_file) + +# Allow notifying Perfetto traced daemon that a notable event has occurred. +unix_socket_connect(google_camera_app, traced_producer, traced) |
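Review bot: the comment above the added `unix_socket_connect(google_camera_app, traced_producer, traced)` line states the intent but not the scope of the grant, and the scope is the security-relevant part. The commit message says the shmem/fd permissions are left out on purpose because traced_tmpfs is declared in private/, so the camera domain is not a full producer the way isolated_app, ephemeral_app, priv_app and untrusted_app_all are. Please put that in the policy comment itself, for example "socket (IPC) access only; shmem/fd access to traced_tmpfs intentionally not granted, see b/130543265", so a later reader does not assume full producer access or widen it piecemeal. Note also that the macro covers both the `write` on the traced_producer_socket sock_file seen in the quoted denial and `connectto` on traced's unix_stream_socket, which is the minimum needed to connect. Since the Tested: line reports testing on blueline-userdebug and extrapolation from crosshatch rather than a run on marlin/sailfish, it would be worth confirming on one of these devices that triggering the event leaves no remaining avc denials for google_camera_app.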