From 8a5b714f8d63dfd187f1516838c9554eceff032c Mon Sep 17 00:00:00 2001 From: malikakash Date: Tue, 18 Jul 2023 05:37:00 +0000 Subject: [PATCH] Add sepolicy configs for LyricConfigProvider Service - Introduce service_context for ILyricConfigProvider service - Allow adding the ILyricConfigProvider to the service manager. - Allow HAL to find ILyricConfigProvider from servicemanager - Allow all proceses in com.google.pixel.services:* to have the same domain as the app (vendor_pbcs_app) -- We'll be running services in their own processes so this is needed. - TODO: binder_call(vendor_pbcs_app, vendor_pcs_app); Allow PBCS appdomain to make binder calls into PCS appdomain after ag/24030784 lands. Bug: 280340307 Test: We can successfully start and register the LyricConfigProvider service with the servicemanager. Change-Id: Ia0a74065e98761e48aa041bf7f2f34188017cee4 --- camera/sepolicy/hal_camera_default.te | 2 ++ camera/sepolicy/seapp_contexts | 2 ++ camera/sepolicy/service.te | 2 ++ camera/sepolicy/service_contexts | 2 ++ camera/sepolicy/vendor_pbcs_app.te | 5 ++++- 5 files changed, 12 insertions(+), 1 deletion(-) diff --git a/camera/sepolicy/hal_camera_default.te b/camera/sepolicy/hal_camera_default.te index 35eea3c..62eef4a 100644 --- a/camera/sepolicy/hal_camera_default.te +++ b/camera/sepolicy/hal_camera_default.te @@ -1,4 +1,6 @@ allow hal_camera_default vendor_camera_binder_service:service_manager find; +# Allow Lyric Hal to find the LyricConfigProvider service through ServiceManager. +allow hal_camera_default vendor_camera_lyricconfigprovider_service:service_manager find; allow hal_camera_default hal_pixel_remote_camera_service:service_manager find; diff --git a/camera/sepolicy/seapp_contexts b/camera/sepolicy/seapp_contexts index 9059600..f956929 100644 --- a/camera/sepolicy/seapp_contexts +++ b/camera/sepolicy/seapp_contexts 
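Review bot: The new `find` rule in hal_camera_default.te only lets the HAL look up the LyricConfigProvider handle; calling into the service hosted by vendor_pbcs_app also needs a binder rule in the HAL-to-app direction. The only binder rule visible in this patch is `binder_call(vendor_pbcs_app, hal_camera_default);`, which as far as I can tell covers calls from the app into the HAL, and the Test line only covers starting and registering the service. Please confirm that `binder_call(hal_camera_default, vendor_pbcs_app)` or an equivalent already exists outside this hunk, and check for avc denials on a real HAL-to-service call. The comment says "Lyric Hal" but the grant applies to the whole hal_camera_default domain, so it could read `# Allow the camera HAL (Lyric) to find the LyricConfigProvider service through ServiceManager.`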
@@ -1,5 +1,7 @@ # Pixel PeristentBackgroundCameraServices user=system seinfo=platform name=com.google.pixel.camera.services domain=vendor_pbcs_app type=system_app_data_file levelFrom=all +# The :* will allow all services, which run in their own processes, to use the same vendor_pbcs_app domain. +user=system seinfo=platform name=com.google.pixel.camera.services:* domain=vendor_pbcs_app type=system_app_data_file levelFrom=all # Pixel Camera Services user=_app seinfo=CameraServices name=com.google.android.apps.camera.services domain=vendor_pcs_app type=app_data_file levelFrom=all diff --git a/camera/sepolicy/service.te b/camera/sepolicy/service.te index 4a2dcbb..330c7ff 100644 --- a/camera/sepolicy/service.te +++ b/camera/sepolicy/service.te @@ -1,3 +1,5 @@ type vendor_camera_binder_service, hal_service_type, protected_service, service_manager_type; type hal_pixel_remote_camera_service, hal_service_type, protected_service, service_manager_type; + +type vendor_camera_lyricconfigprovider_service, hal_service_type, protected_service, service_manager_type; diff --git a/camera/sepolicy/service_contexts b/camera/sepolicy/service_contexts index 5ea067f..bec3402 100644 --- a/camera/sepolicy/service_contexts +++ b/camera/sepolicy/service_contexts @@ -1,3 +1,5 @@ com.google.pixel.camera.services.binder.IServiceBinder/default u:object_r:vendor_camera_binder_service:s0 com.google.pixel.camera.connectivity.hal.provider.ICameraProvider/default u:object_r:hal_pixel_remote_camera_service:s0 + +com.google.pixel.camera.services.lyricconfigprovider.ILyricConfigProvider/default u:object_r:vendor_camera_lyricconfigprovider_service:s0 diff --git a/camera/sepolicy/vendor_pbcs_app.te b/camera/sepolicy/vendor_pbcs_app.te index 1ee663f..1a3a0ef 100644 --- a/camera/sepolicy/vendor_pbcs_app.te +++ b/camera/sepolicy/vendor_pbcs_app.te 
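Review bot: The added `name=com.google.pixel.camera.services:*` entry in seapp_contexts is a prefix match, so every present and future `:suffix` process of the package is labelled vendor_pbcs_app, not only the LyricConfigProvider one. Each of those processes inherits everything the domain is allowed, which in this patch includes `add_service` on two camera services and `binder_call` into hal_camera_default. The `user=system seinfo=platform` selectors do restrict matches to platform-signed system-UID processes, but if the process names are known it would be tighter to list them, e.g. `user=system seinfo=platform name=com.google.pixel.camera.services:<process_name> domain=vendor_pbcs_app type=system_app_data_file levelFrom=all` (placeholder name). If the wildcard stays, the comment should state the consequence: `# Prefix match: every :<suffix> process of this package runs as vendor_pbcs_app, so new components here inherit its camera privileges.`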
@@ -6,6 +6,9 @@ dontaudit vendor_pbcs_app system_app_data_file:dir *; allow vendor_pbcs_app app_api_service:service_manager find; -allow vendor_pbcs_app vendor_camera_binder_service:service_manager add; +# Allow PBCS to add the ServiceBinder service to ServiceManager. +add_service(vendor_pbcs_app, vendor_camera_binder_service); +# Allow PBCS to add the LyricConfigProvider service to ServiceManager. +add_service(vendor_pbcs_app, vendor_camera_lyricconfigprovider_service); binder_call(vendor_pbcs_app, hal_camera_default);
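Review bot: The deferred `binder_call(vendor_pbcs_app, vendor_pcs_app)` rule is recorded only in the commit message, so nothing in vendor_pbcs_app.te tells the next editor that the policy is knowingly incomplete. I would add next to the existing binder_call line: `# TODO(b/280340307): add binder_call(vendor_pbcs_app, vendor_pcs_app) once ag/24030784 lands.` Separately, assuming the standard AOSP definition of `add_service()`, the macro grants `find` as well as `add` and emits a neverallow that stops any other domain registering the type. The replaced `allow ... add;` line is therefore both slightly widened and hardened, which the comment could mention: `# add_service() also grants find and forbids other domains from adding this service.` The file continues outside the hunk.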