You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
384 lines
15 KiB
384 lines
15 KiB
# ==============================================================================
|
|
# Policy File of /vendor/bin/camerahalserver Executable File
|
|
|
|
# ==============================================================================
|
|
# Type Declaration
|
|
# ==============================================================================
|
|
|
|
type mtk_hal_camera, domain;
|
|
type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;
|
|
|
|
# ==============================================================================
|
|
# MTK Policy Rule
|
|
# ==============================================================================
|
|
|
|
# -----------------------------------
|
|
# Purpose: Binderized HAL Server
|
|
# -----------------------------------
|
|
|
|
# Set up a transition from init to the camerahalserver upon executing its binary.
|
|
init_daemon_domain(mtk_hal_camera)
|
|
|
|
# Allow a base set of permissions required for a domain to offer a
|
|
# HAL implementation of the specified type over HwBinder.
|
|
hal_server_domain(mtk_hal_camera, hal_camera)
|
|
|
|
hal_server_domain(mtk_hal_camera, mtk_hal_bgs)
|
|
|
|
# Allow camerahalserver to use HwBinder and vendor binder IPC.
|
|
hwbinder_use(mtk_hal_camera)
|
|
vndbinder_use(mtk_hal_camera)
|
|
|
|
get_prop(mtk_hal_camera, hwservicemanager_prop)
|
|
|
|
# -----------------------------------
|
|
# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks.
|
|
# -----------------------------------
|
|
|
|
# callback to cameraserver
|
|
binder_call(mtk_hal_camera, cameraserver)
|
|
|
|
# callback to shell for debugging
|
|
binder_call(mtk_hal_camera, shell)
|
|
|
|
# callback to /vendor/bin/aee_aedv for aee debugging
|
|
binder_call(mtk_hal_camera, aee_aedv)
|
|
|
|
# call the graphics allocator hal
|
|
binder_call(mtk_hal_camera, hal_graphics_allocator)
|
|
|
|
# call PowerHal
|
|
hal_client_domain(mtk_hal_camera, hal_power)
|
|
|
|
# -----------------------------------
|
|
# Purpose: Allow camerahalserver to find a service from hwservice_manager
|
|
# -----------------------------------
|
|
allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
|
|
#allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
|
|
allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
|
|
allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };
|
|
allow mtk_hal_camera nvdata_file:lnk_file { read write getattr setattr read create open };
|
|
hal_client_domain(mtk_hal_camera, hal_graphics_allocator)
|
|
|
|
# -----------------------------------
|
|
# Purpose: Camera-related devices (driver)
|
|
# -----------------------------------
|
|
allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms;
|
|
allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
|
|
JPG_BRIDGE_ENC_IO_INIT
|
|
JPG_BRIDGE_ENC_IO_CONFIG
|
|
JPG_BRIDGE_ENC_IO_WAIT
|
|
JPG_BRIDGE_ENC_IO_DEINIT
|
|
JPG_BRIDGE_ENC_IO_START
|
|
};
|
|
|
|
allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
|
|
allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
|
|
allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera flashlight_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera lens_device:chr_file rw_file_perms;
|
|
|
|
# FDVT Driver
|
|
allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;
|
|
|
|
# DPE Driver
|
|
allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;
|
|
|
|
# MFB Driver
|
|
allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;
|
|
|
|
# WPE Driver
|
|
allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;
|
|
|
|
# mtk_jpeg
|
|
allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;
|
|
|
|
allow mtk_hal_camera ccu_device:chr_file rw_file_perms;
|
|
|
|
# APUSYS
|
|
allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera mdla_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera apusys_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera debugfs_apusys_midware_queue_vpu:file r_file_perms;
|
|
allow mtk_hal_camera debugfs_apusys_midware_queue_mdla:file r_file_perms;
|
|
|
|
# Purpose: RSC driver
|
|
allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;
|
|
|
|
# Purpose: OWE driver
|
|
allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;
|
|
|
|
# Purpose: AF related
|
|
allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera MAIN3AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera MAIN4AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera SUB2AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;
|
|
|
|
# Purpose: Camera EEPROM Calibration
|
|
allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera camera_eeprom_device:chr_file rw_file_perms;
|
|
|
|
# -----------------------------------
|
|
# Purpose: Other device drivers used by camera
|
|
# -----------------------------------
|
|
allow mtk_hal_camera ion_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera sw_sync_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
|
|
|
|
# -----------------------------------
|
|
# Purpose: Filesystem in Userspace (FUSE)
|
|
# - sdcard access (buffer dump for EM mode)
|
|
# -----------------------------------
|
|
allow mtk_hal_camera fuse:dir { search read write };
|
|
allow mtk_hal_camera fuse:file rw_file_perms;
|
|
|
|
# -----------------------------------
|
|
# Purpose: Storage access
|
|
# -----------------------------------
|
|
## Date : WK14.XX-15.XX
|
|
## nvram access
|
|
allow mtk_hal_camera block_device:dir { write search };
|
|
allow mtk_hal_camera nvram_data_file:dir { search add_name write create};
|
|
allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create open };
|
|
## nvram access (dumchar case for nand and legacy chip)
|
|
allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
|
|
allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };
|
|
|
|
## Date : WK14.XX-15.XX
|
|
## sdcard access - dump for debug
|
|
allow mtk_hal_camera sdcard_type:dir { write add_name create };
|
|
allow mtk_hal_camera sdcard_type:file { append create getattr };
|
|
|
|
# -----------------------------------
|
|
# Android O
|
|
# Purpose: Shell Debugging
|
|
# -----------------------------------
|
|
# Purpose: Allow shell to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
|
|
# (used in user build)
|
|
allow mtk_hal_camera shell:unix_stream_socket { read write };
|
|
allow mtk_hal_camera shell:fifo_file write;
|
|
|
|
# -----------------------------------
|
|
# Android O
|
|
# Purpose: AEE Debugging
|
|
# -----------------------------------
|
|
# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
|
|
allow mtk_hal_camera dumpstate:binder { call };
|
|
allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
|
|
allow mtk_hal_camera dumpstate:fd { use };
|
|
allow mtk_hal_camera dumpstate:fifo_file write;
|
|
|
|
# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
|
|
# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
|
|
# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
|
|
# tclass=file permissive=0
|
|
allow mtk_hal_camera aee_exp_vendor_file:dir { w_dir_perms };
|
|
allow mtk_hal_camera aee_exp_vendor_file:file { create_file_perms };
|
|
|
|
# -----------------------------------
|
|
# Android O
|
|
# Purpose: Debugging
|
|
# -----------------------------------
|
|
# Purpose: libmemunreachable.so/GetUnreachableMemory()
|
|
allow mtk_hal_camera self:process { ptrace };
|
|
|
|
################################################################################
|
|
# Date : WK14.XX-15.XX
|
|
# Operation : Copy from Media server
|
|
allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
|
|
allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
|
|
allow mtk_hal_camera nvdata_file:dir { write search add_name };
|
|
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
|
|
allow mtk_hal_camera proc_meminfo:file { read getattr open };
|
|
|
|
## Purpose : for low SD card latency issue
|
|
allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };
|
|
|
|
## Purpose : for change thermal policy when needed
|
|
allow mtk_hal_camera proc_mtkcooler:dir search;
|
|
allow mtk_hal_camera proc_mtktz:dir search;
|
|
allow mtk_hal_camera proc_thermal:dir search;
|
|
allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
|
|
allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };
|
|
|
|
## Purpose : cts search strange app
|
|
allow mtk_hal_camera untrusted_app:dir search;
|
|
|
|
## Purpose : offloadservice
|
|
allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
|
|
|
|
## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
|
|
allow mtk_hal_camera storage_file:lnk_file {read write};
|
|
allow mtk_hal_camera mnt_user_file:dir {write read search};
|
|
allow mtk_hal_camera mnt_user_file:lnk_file {read write};
|
|
|
|
## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
|
|
allow mtk_hal_camera surfaceflinger:fifo_file {read write};
|
|
|
|
## Purpose : camera read/write /nvcfg/camera data
|
|
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
|
|
allow mtk_hal_camera nvcfg_file:file create_file_perms;
|
|
|
|
# Purpose : for camera init
|
|
allow mtk_hal_camera system_server:unix_stream_socket { read write };
|
|
|
|
################################################################################
|
|
# Date : WK16
|
|
# Operation : N Migration
|
|
## Purpose: research root dir "/"
|
|
allow mtk_hal_camera tmpfs:dir search;
|
|
|
|
## Purpose : EGL file access
|
|
allow mtk_hal_camera system_file:dir { read open };
|
|
allow mtk_hal_camera gpu_device:dir search;
|
|
allow mtk_hal_camera gpu_device:chr_file rw_file_perms;
|
|
|
|
## Purpose: Allow to access ged for gralloc_extra functions
|
|
allow mtk_hal_camera proc_ged:file rw_file_perms;
|
|
allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };
|
|
|
|
allow mtk_hal_camera debugfs_tracing:file { write open };
|
|
|
|
## Purpose : camera3 IT/CTS
|
|
allow mtk_hal_camera debugfs_ion:dir search;
|
|
allow mtk_hal_camera hal_graphics_composer_default:fd use;
|
|
|
|
# Date : WK17.30
|
|
# Operation : O Migration
|
|
# Purpose: Allow to access cmdq driver
|
|
allow mtk_hal_camera mtk_cmdq_device:chr_file r_file_perms;
|
|
allow mtk_hal_camera mtk_mdp_device:chr_file r_file_perms;
|
|
allow mtk_hal_camera mtk_mdp_sync:chr_file r_file_perms;
|
|
|
|
# Date : WK17.36
|
|
# Operation : O Migration
|
|
# Purpose: Allow to access battery status
|
|
allow mtk_hal_camera sysfs_batteryinfo:dir search;
|
|
allow mtk_hal_camera sysfs_batteryinfo:file { getattr open read };
|
|
|
|
# Date : WK17.39
|
|
# Operation : O Migration
|
|
# Purpose: Change thermal config
|
|
set_prop(mtk_hal_camera, vendor_mtk_thermal_config_prop)
|
|
|
|
# Date : WK18.31
|
|
# Stage: P Migration
|
|
# Purpose: CCT
|
|
allow mtk_hal_camera graphics_device:chr_file { read write ioctl open };
|
|
allow mtk_hal_camera graphics_device:dir search;
|
|
allow mtk_hal_camera cct_data_file:dir create_dir_perms;
|
|
allow mtk_hal_camera cct_data_file:file create_file_perms;
|
|
allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
|
|
allow mtk_hal_camera sysfs_boot_mode:file { read open };
|
|
allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms;
|
|
allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms;
|
|
|
|
# Date : WK18.01
|
|
# Operation : label aee_aed sockets
|
|
# Purpose : Engineering mode need access for aee commmand
|
|
userdebug_or_eng(`
|
|
allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
|
|
')
|
|
|
|
# Date : WK18.02
|
|
# Stage: O Migration
|
|
# Purpose: ISP tuning remapping
|
|
set_prop(mtk_hal_camera, vendor_mtk_mediatek_prop)
|
|
|
|
# Date : WK18.22
|
|
# Stage: p Migration
|
|
# Purpose: NVRAM
|
|
allow mtk_hal_camera nvram_data_file:dir search;
|
|
allow mtk_hal_camera nvram_data_file:file rw_file_perms;
|
|
allow mtk_hal_camera nvram_data_file:lnk_file read;
|
|
allow mtk_hal_camera nvdata_file:lnk_file read;
|
|
allow mtk_hal_camera nvdata_file:dir create_dir_perms;
|
|
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
|
|
allow mtk_hal_camera nvcfg_file:lnk_file read;
|
|
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
|
|
allow mtk_hal_camera nvcfg_file:file { read write getattr setattr open create };
|
|
allow mtk_hal_camera mnt_vendor_file:dir search;
|
|
allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
|
|
|
|
# AAO
|
|
allow mtk_hal_camera data_vendor_aao_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_aao_file:file create_file_perms;
|
|
allow mtk_hal_camera data_vendor_aaoHwBuf_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_aaoHwBuf_file:file create_file_perms;
|
|
allow mtk_hal_camera data_vendor_AAObitTrue_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_AAObitTrue_file:file create_file_perms;
|
|
|
|
# Flash
|
|
allow mtk_hal_camera data_vendor_flash_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_flash_file:file create_file_perms;
|
|
|
|
# Flicker
|
|
allow mtk_hal_camera data_vendor_flicker_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_flicker_file:file create_file_perms;
|
|
|
|
# AFO
|
|
allow mtk_hal_camera data_vendor_afo_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_afo_file:file create_file_perms;
|
|
|
|
# PDO
|
|
allow mtk_hal_camera data_vendor_pdo_file:dir create_dir_perms;
|
|
allow mtk_hal_camera data_vendor_pdo_file:file create_file_perms;
|
|
|
|
# Date : WK18.35
|
|
# Purpose: allow mtk_hal_camera to access gz_device node
|
|
allow mtk_hal_camera gz_device:chr_file rw_file_perms;
|
|
|
|
#data/dipdebug
|
|
allow mtk_hal_camera aee_dipdebug_vendor_file:dir rw_dir_perms;
|
|
allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms };
|
|
|
|
allow mtk_hal_camera proc_isp_p2:dir search;
|
|
allow mtk_hal_camera proc_isp_p2:file {create_file_perms};
|
|
|
|
# Date: 2019/06/14
|
|
# Operation : Migration
|
|
allow mtk_hal_camera sysfs_dt_firmware_android:dir search;
|
|
|
|
# Date: 2019/07/09
|
|
# Operation : For M4U security
|
|
allow mtk_hal_camera proc_m4u:file r_file_perms;
|
|
allowxperm mtk_hal_camera proc_m4u:file ioctl{
|
|
MTK_M4U_T_ALLOC_MVA
|
|
MTK_M4U_T_DEALLOC_MVA
|
|
MTK_M4U_T_CONFIG_PORT
|
|
MTK_M4U_T_DMA_OP
|
|
MTK_M4U_T_SEC_INIT
|
|
};
|
|
|
|
# Date: 2019/08/27
|
|
# Operation : For android Q allowing ioctl
|
|
allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };
|
|
allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;
|
|
|
|
# TODO(b/152082918): Hacks to get OpenCamera/CameraGo "work"ing.
|
|
allow mtk_hal_camera sysfs:file rw_file_perms;
|
|
allow mtk_hal_camera system_server:binder call;
|
|
allow mtk_hal_camera Vcodec_device:chr_file rw_file_perms;
|
|
|
|
# Allow ReadDefaultFstab().
|
|
read_fstab(mtk_hal_camera)
|