From dc624c53116dadad108f4e420ca4ec6d3d7c6d01 Mon Sep 17 00:00:00 2001 
From: Inseob Kim Date: Tue, 5 Sep 2023 13:13:01 +0900 Subject: [PATCH] Move camera's coredomain sepolicy to product Because they are installed to product partition and it's Treble violation to assign them with vendor sepolicy Bug: 296512192 Test: lunch panther and build (cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f9b1e5bc9320a4ab8dc3f6d26027dba76882c6) Merged-In: I2d2c2a8027eed2b3e2ee1a78d629d44b99867128 Change-Id: I2d2c2a8027eed2b3e2ee1a78d629d44b99867128 --- camera/dump.mk | 4 +++- .../{ => product/private}/seapp_contexts | 0 .../product/private/vendor_pbcs_app.te | 9 +++++++++ .../product/private/vendor_pcs_app.te | 12 +++++++++++ .../product/public/vendor_pbcs_app.te | 1 + .../sepolicy/product/public/vendor_pcs_app.te | 1 + camera/sepolicy/{ => vendor}/dump_camera.te | 0 camera/sepolicy/{ => vendor}/file.te | 0 camera/sepolicy/{ => vendor}/file_contexts | 0 .../{ => vendor}/hal_camera_default.te | 0 .../init.camera.set-interrupts-ownership.te | 0 camera/sepolicy/{ => vendor}/property.te | 0 .../sepolicy/{ => vendor}/property_contexts | 0 camera/sepolicy/{ => vendor}/service.te | 0 camera/sepolicy/{ => vendor}/service_contexts | 0 .../sepolicy/{ => vendor}/vendor_pbcs_app.te | 17 ++-------------- .../sepolicy/{ => vendor}/vendor_pcs_app.te | 20 ++----------------- 17 files changed, 30 insertions(+), 34 deletions(-) rename camera/sepolicy/{ => product/private}/seapp_contexts (100%) create mode 100644 camera/sepolicy/product/private/vendor_pbcs_app.te create mode 100644 camera/sepolicy/product/private/vendor_pcs_app.te create mode 100644 camera/sepolicy/product/public/vendor_pbcs_app.te create mode 100644 camera/sepolicy/product/public/vendor_pcs_app.te rename camera/sepolicy/{ => vendor}/dump_camera.te (100%) rename camera/sepolicy/{ => vendor}/file.te (100%) rename camera/sepolicy/{ => vendor}/file_contexts (100%) rename camera/sepolicy/{ => vendor}/hal_camera_default.te (100%) rename camera/sepolicy/{ => 
vendor}/init.camera.set-interrupts-ownership.te (100%) rename camera/sepolicy/{ => vendor}/property.te (100%) rename camera/sepolicy/{ => vendor}/property_contexts (100%) rename camera/sepolicy/{ => vendor}/service.te (100%) rename camera/sepolicy/{ => vendor}/service_contexts (100%) rename camera/sepolicy/{ => vendor}/vendor_pbcs_app.te (59%) rename camera/sepolicy/{ => vendor}/vendor_pcs_app.te (56%)
diff --git a/camera/dump.mk b/camera/dump.mk
index a3a5c7a..8569610 100644
--- a/camera/dump.mk
+++ b/camera/dump.mk
@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private
 PRODUCT_PACKAGES_DEBUG += dump_camera
diff --git a/camera/sepolicy/seapp_contexts b/camera/sepolicy/product/private/seapp_contexts
similarity index 100%
rename from camera/sepolicy/seapp_contexts
rename to camera/sepolicy/product/private/seapp_contexts
diff --git a/camera/sepolicy/product/private/vendor_pbcs_app.te b/camera/sepolicy/product/private/vendor_pbcs_app.te
new file mode 100644
index 0000000..d77162e
--- /dev/null
+++ b/camera/sepolicy/product/private/vendor_pbcs_app.te
@@ -0,0 +1,9 @@
+typeattribute vendor_pbcs_app coredomain;
+
+app_domain(vendor_pbcs_app);
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+# Allow PBCS to find Camera Service.
+allow vendor_pbcs_app cameraserver_service:service_manager find;
diff --git a/camera/sepolicy/product/private/vendor_pcs_app.te b/camera/sepolicy/product/private/vendor_pcs_app.te
new file mode 100644
index 0000000..6bf0451
--- /dev/null
+++ b/camera/sepolicy/product/private/vendor_pcs_app.te
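Review bot: The three sepolicy directory assignments carry no comment explaining why the camera policy is now split between vendor and product, and a reader of dump.mk alone cannot tell that the product public directory exists so that vendor/vendor_pbcs_app.te and vendor/vendor_pcs_app.te can still name those two types. Suggest a comment above the block: `# vendor_pbcs_app and vendor_pcs_app are installed on the product partition (coredomain), so their type declarations and app rules live under sepolicy/product; sepolicy/vendor keeps only the HAL, service and property rules that need vendor types.` Presumably the public product directory is what exports the two types to vendor policy on this build; that is worth confirming in the build rather than relying on the commit message alone.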
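Review bot: `dontaudit vendor_pbcs_app system_app_data_file:dir *;` silences every directory permission on system_app_data_file, so a write or create attempt by PBCS would vanish from the audit log together with whatever harmless lookups the rule was presumably added for. It is carried over verbatim from the old vendor file, but since this file is new here it is the natural moment to narrow the permission set to the denials actually observed, or at least to add a comment recording which denials the rule is meant to hide and why they are expected. The remaining lines (coredomain, app_domain, the two service_manager finds) match the removed vendor rules one for one.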
@@ -0,0 +1,12 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app);
+
+allow vendor_pcs_app {
+ app_api_service
+ audioserver_service
+ cameraserver_service
+ mediametrics_service
+ mediaserver_service
+ radio_service
+}:service_manager find;
diff --git a/camera/sepolicy/product/public/vendor_pbcs_app.te b/camera/sepolicy/product/public/vendor_pbcs_app.te
new file mode 100644
index 0000000..7180719
--- /dev/null
+++ b/camera/sepolicy/product/public/vendor_pbcs_app.te
@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;
diff --git a/camera/sepolicy/product/public/vendor_pcs_app.te b/camera/sepolicy/product/public/vendor_pcs_app.te
new file mode 100644
index 0000000..fb8b0a1
--- /dev/null
+++ b/camera/sepolicy/product/public/vendor_pcs_app.te
@@ -0,0 +1 @@
+type vendor_pcs_app, domain;
diff --git a/camera/sepolicy/dump_camera.te b/camera/sepolicy/vendor/dump_camera.te
similarity index 100%
rename from camera/sepolicy/dump_camera.te
rename to camera/sepolicy/vendor/dump_camera.te
diff --git a/camera/sepolicy/file.te b/camera/sepolicy/vendor/file.te
similarity index 100%
rename from camera/sepolicy/file.te
rename to camera/sepolicy/vendor/file.te
diff --git a/camera/sepolicy/file_contexts b/camera/sepolicy/vendor/file_contexts
similarity index 100%
rename from camera/sepolicy/file_contexts
rename to camera/sepolicy/vendor/file_contexts
diff --git a/camera/sepolicy/hal_camera_default.te b/camera/sepolicy/vendor/hal_camera_default.te
similarity index 100%
rename from camera/sepolicy/hal_camera_default.te
rename to camera/sepolicy/vendor/hal_camera_default.te
diff --git a/camera/sepolicy/init.camera.set-interrupts-ownership.te b/camera/sepolicy/vendor/init.camera.set-interrupts-ownership.te
similarity index 100%
rename from camera/sepolicy/init.camera.set-interrupts-ownership.te
rename to camera/sepolicy/vendor/init.camera.set-interrupts-ownership.te
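Review bot: The six-entry `service_manager find` block has no comment saying which PCS feature needs each service, whereas the sibling vendor_pbcs_app.te annotates its cameraserver_service find; audioserver_service, mediaserver_service and radio_service in particular are not self-evidently camera lookups. Suggest a comment above the block along the lines of `# Services PCS resolves through ServiceManager: <feature> needs audio/media, <feature> needs radio.` with the placeholders filled in by the owners, and dropping any entry that no longer has a user. The set is carried over unchanged from the old vendor file, so this is a documentation point rather than a behavioural one.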
diff --git a/camera/sepolicy/property.te b/camera/sepolicy/vendor/property.te
similarity index 100%
rename from camera/sepolicy/property.te
rename to camera/sepolicy/vendor/property.te
diff --git a/camera/sepolicy/property_contexts b/camera/sepolicy/vendor/property_contexts
similarity index 100%
rename from camera/sepolicy/property_contexts
rename to camera/sepolicy/vendor/property_contexts
diff --git a/camera/sepolicy/service.te b/camera/sepolicy/vendor/service.te
similarity index 100%
rename from camera/sepolicy/service.te
rename to camera/sepolicy/vendor/service.te
diff --git a/camera/sepolicy/service_contexts b/camera/sepolicy/vendor/service_contexts
similarity index 100%
rename from camera/sepolicy/service_contexts
rename to camera/sepolicy/vendor/service_contexts
diff --git a/camera/sepolicy/vendor_pbcs_app.te b/camera/sepolicy/vendor/vendor_pbcs_app.te
similarity index 59%
rename from camera/sepolicy/vendor_pbcs_app.te
rename to camera/sepolicy/vendor/vendor_pbcs_app.te
index 880ff5d..7b9c5e2 100644
--- a/camera/sepolicy/vendor_pbcs_app.te
+++ b/camera/sepolicy/vendor/vendor_pbcs_app.te
@@ -1,16 +1,3 @@
-type vendor_pbcs_app, domain, coredomain;
-
-# TODO(b/296512192): move vendor_pbcs_app out of vendor sepolicy
-typeattribute vendor_pbcs_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(vendor_pbcs_app);
-
-dontaudit vendor_pbcs_app system_app_data_file:dir *;
-
-allow vendor_pbcs_app app_api_service:service_manager find;
-# Allow PBCS to find Camera Service.
-allow vendor_pbcs_app cameraserver_service:service_manager find;
-
 # Allow PBCS to add the ServiceBinder service to ServiceManager.
 add_service(vendor_pbcs_app, vendor_camera_binder_service);
 # Allow PBCS to add the LyricConfigProvider service to ServiceManager.
@@ -18,8 +5,8 @@ add_service(vendor_pbcs_app, vendor_camera_lyricconfigprovider_service);
 # Allow PBCS to add the CameraIdRemapper service to ServiceManager.
 add_service(vendor_pbcs_app, vendor_camera_cameraidremapper_service);
-binder_call(vendor_pbcs_app, hal_camera_default);
-
 # Allow PBCS to read debug system properties of the form vendor.camera.pbcs.debug.*
 # and persist.vendor.camera.pbcs.debug.*
 get_prop(vendor_pbcs_app, vendor_camera_pbcs_debug_prop);
+
+binder_call(vendor_pbcs_app, hal_camera_default);
diff --git a/camera/sepolicy/vendor_pcs_app.te b/camera/sepolicy/vendor/vendor_pcs_app.te
similarity index 56%
rename from camera/sepolicy/vendor_pcs_app.te
rename to camera/sepolicy/vendor/vendor_pcs_app.te
index a736be5..99a9bea 100644
--- a/camera/sepolicy/vendor_pcs_app.te
+++ b/camera/sepolicy/vendor/vendor_pcs_app.te
@@ -1,19 +1,3 @@
-type vendor_pcs_app, domain, coredomain;
-
-# TODO(b/296512192): move vendor_pcs_app out of vendor sepolicy
-typeattribute vendor_pcs_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(vendor_pcs_app);
-
-allow vendor_pcs_app {
- app_api_service
- audioserver_service
- cameraserver_service
- mediametrics_service
- mediaserver_service
- radio_service
-}:service_manager find;
-
 # Allow PCS to find the LyricConfigProvider service through ServiceManager.
 allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
 # Allow PCS to find the CameraIdRemapper service through ServiceManager.
@@ -21,6 +5,6 @@ allow vendor_pcs_app vendor_camera_cameraidremapper_service:service_manager find
 allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
-binder_call(vendor_pcs_app, hal_camera_default);
-
 binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);
+
+binder_call(vendor_pcs_app, hal_camera_default);
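Review bot: The relocated `binder_call(vendor_pbcs_app, hal_camera_default);` is now the only rule in this file without a `# Allow PBCS to ...` comment, and the parallel move in vendor/vendor_pcs_app.te leaves `binder_call(vendor_pcs_app, hal_camera_default);` in the same state. Since the commit already rewrites both lines, adding `# Allow PBCS to call the camera HAL over binder.` and `# Allow PCS to call the camera HAL over binder.` above them would keep each file consistent with its other rules. The move itself should be order-independent for policy compilation, so nothing functional changes in either hunk.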