Merge "Move camera's coredomain sepolicy to product" into main

camera/dump.mk

@@ -1,4 +1,6 @@
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/vendor
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private
 
 PRODUCT_PACKAGES_DEBUG += dump_camera
 

camera/sepolicy/product/private/vendor_pbcs_app.te

@@ -0,0 +1,9 @@
+typeattribute vendor_pbcs_app coredomain;
+
+app_domain(vendor_pbcs_app);
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+# Allow PBCS to find Camera Service.
+allow vendor_pbcs_app cameraserver_service:service_manager find;

camera/sepolicy/product/private/vendor_pcs_app.te

@@ -0,0 +1,12 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app);
+
+allow vendor_pcs_app {
+    app_api_service
+    audioserver_service
+    cameraserver_service
+    mediametrics_service
+    mediaserver_service
+    radio_service
+}:service_manager find;

camera/sepolicy/product/public/vendor_pbcs_app.te

@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;

camera/sepolicy/product/public/vendor_pcs_app.te

@@ -0,0 +1 @@
+type vendor_pcs_app, domain;

camera/sepolicy/vendor/vendor_pbcs_app.te

@@ -1,16 +1,3 @@
-type vendor_pbcs_app, domain, coredomain;
-
-# TODO(b/296512192): move vendor_pbcs_app out of vendor sepolicy
-typeattribute vendor_pbcs_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(vendor_pbcs_app);
-
-dontaudit vendor_pbcs_app system_app_data_file:dir *;
-
-allow vendor_pbcs_app app_api_service:service_manager find;
-# Allow PBCS to find Camera Service.
-allow vendor_pbcs_app cameraserver_service:service_manager find;
-
 # Allow PBCS to add the ServiceBinder service to ServiceManager.
 add_service(vendor_pbcs_app, vendor_camera_binder_service);
 # Allow PBCS to add the LyricConfigProvider service to ServiceManager.
@@ -18,8 +5,8 @@ add_service(vendor_pbcs_app, vendor_camera_lyricconfigprovider_service);
 # Allow PBCS to add the CameraIdRemapper service to ServiceManager.
 add_service(vendor_pbcs_app, vendor_camera_cameraidremapper_service);
 
-binder_call(vendor_pbcs_app, hal_camera_default);
-
 # Allow PBCS to read debug system properties of the form vendor.camera.pbcs.debug.*
 # and persist.vendor.camera.pbcs.debug.*
 get_prop(vendor_pbcs_app, vendor_camera_pbcs_debug_prop);
+
+binder_call(vendor_pbcs_app, hal_camera_default);

camera/sepolicy/vendor/vendor_pcs_app.te

@@ -1,19 +1,3 @@
-type vendor_pcs_app, domain, coredomain;
-
-# TODO(b/296512192): move vendor_pcs_app out of vendor sepolicy
-typeattribute vendor_pcs_app vendor_seapp_assigns_coredomain_violators;
-
-app_domain(vendor_pcs_app);
-
-allow vendor_pcs_app {
-    app_api_service
-    audioserver_service
-    cameraserver_service
-    mediametrics_service
-    mediaserver_service
-    radio_service
-}:service_manager find;
-
 # Allow PCS to find the LyricConfigProvider service through ServiceManager.
 allow vendor_pcs_app vendor_camera_lyricconfigprovider_service:service_manager find;
 # Allow PCS to find the CameraIdRemapper service through ServiceManager.
@@ -21,6 +5,6 @@ allow vendor_pcs_app vendor_camera_cameraidremapper_service:service_manager find
 
 allow vendor_pcs_app hal_pixel_remote_camera_service:service_manager add;
 
-binder_call(vendor_pcs_app, hal_camera_default);
-
 binder_call(vendor_pcs_app, hal_pixel_remote_camera_service);
+
+binder_call(vendor_pcs_app, hal_camera_default);