# ==============================================================================
# Policy File of /vendor/bin/camerahalserver Executable File
#
# SELinux type-enforcement (.te) policy for the MediaTek camera HAL server
# domain `mtk_hal_camera`. The file only declares the domain/exec types and
# grants access (allow / allowxperm / m4 helper macros); nothing here restricts
# other domains. Debug-only rules that the original author wanted limited to
# engineering builds are wrapped in userdebug_or_eng(` ... ') below.

# ==============================================================================
# Type Declaration
# ==============================================================================

# Process domain for the HAL server and the type of its executable.
type mtk_hal_camera, domain;
type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;

# ==============================================================================
# MTK Policy Rule
# ==============================================================================

# -----------------------------------
# Purpose: Binderized HAL Server
# -----------------------------------

# Set up a transition from init to the camerahalserver upon executing its binary.
init_daemon_domain(mtk_hal_camera)

# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
hal_server_domain(mtk_hal_camera, hal_camera)

# Second HAL type served by the same process (MTK-specific).
hal_server_domain(mtk_hal_camera, mtk_hal_bgs)

# Allow camerahalserver to use HwBinder and vendor binder IPC.
hwbinder_use(mtk_hal_camera)
vndbinder_use(mtk_hal_camera)

get_prop(mtk_hal_camera, hwservicemanager_prop)

# -----------------------------------
# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks.
# -----------------------------------

# callback to cameraserver
binder_call(mtk_hal_camera, cameraserver)

# callback to shell for debugging
# NOTE(review): this is granted unconditionally, i.e. also in user builds; the
# "Shell Debugging" section below says that is intentional (lshal debug).
binder_call(mtk_hal_camera, shell)

# callback to /vendor/bin/aee_aedv for aee debugging
binder_call(mtk_hal_camera, aee_aedv)

# call the graphics allocator hal
binder_call(mtk_hal_camera, hal_graphics_allocator)

# call PowerHal
hal_client_domain(mtk_hal_camera, hal_power)

# -----------------------------------
# Purpose: Allow camerahalserver to find a service from hwservice_manager
# -----------------------------------
allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
# NOTE(review): the commented-out rule below is presumably covered by the
# hal_client_domain(mtk_hal_camera, hal_graphics_allocator) line further down
# (the hal_client_domain macros normally include the hwservice find) -- verify
# against the macro definition and drop the dead line if so.
#allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
# NOTE(review): the two lnk_file rules below are not hwservice lookups and
# belong with the NVRAM/storage rules further down. `read` is listed twice in
# each permission set (harmless, but sloppy). They also grant write/setattr/
# create on symlinks under nvram/nvdata; if the HAL only needs to follow
# existing links, `read` alone (as granted in the "WK18.22 NVRAM" section)
# would be the narrower rule -- confirm with the NVRAM owner.
allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };
allow mtk_hal_camera nvdata_file:lnk_file { read write getattr setattr read create open };
hal_client_domain(mtk_hal_camera, hal_graphics_allocator)

# -----------------------------------
# Purpose: Camera-related devices (driver)
# -----------------------------------
# JPEG encoder bridge: read access plus an explicit ioctl whitelist
# (allowxperm restricts the ioctl command numbers this domain may issue).
allow mtk_hal_camera proc_mtk_jpeg:file r_file_perms;
allowxperm mtk_hal_camera proc_mtk_jpeg:file ioctl {
    JPG_BRIDGE_ENC_IO_INIT
    JPG_BRIDGE_ENC_IO_CONFIG
    JPG_BRIDGE_ENC_IO_WAIT
    JPG_BRIDGE_ENC_IO_DEINIT
    JPG_BRIDGE_ENC_IO_START
};

allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms;
allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
allow mtk_hal_camera flashlight_device:chr_file rw_file_perms;
allow mtk_hal_camera lens_device:chr_file rw_file_perms;

# FDVT Driver
allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;

# DPE Driver
allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;

# MFB Driver
allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;

# WPE Driver
allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;

# mtk_jpeg
allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;

allow mtk_hal_camera ccu_device:chr_file rw_file_perms;

# APUSYS
# NOTE(review): rw_file_perms on these character devices includes ioctl with
# no allowxperm filter, unlike the jpeg/m4u/ged nodes in this file; confirm
# whether an ioctl whitelist is available for them.
allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
allow mtk_hal_camera mdla_device:chr_file rw_file_perms;
allow mtk_hal_camera apusys_device:chr_file rw_file_perms;
allow mtk_hal_camera debugfs_apusys_midware_queue_vpu:file r_file_perms;
allow mtk_hal_camera debugfs_apusys_midware_queue_mdla:file r_file_perms;

# Purpose: RSC driver
allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;

# Purpose: OWE driver
allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;

# Purpose: AF related
# One chr_file rule per supported auto-focus actuator driver node.
allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
allow mtk_hal_camera MAIN3AF_device:chr_file rw_file_perms;
allow mtk_hal_camera MAIN4AF_device:chr_file rw_file_perms;
allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
allow mtk_hal_camera SUB2AF_device:chr_file rw_file_perms;
allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;

# Purpose: Camera EEPROM Calibration
allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_eeprom_device:chr_file rw_file_perms;

# -----------------------------------
# Purpose: Other device drivers used by camera
# -----------------------------------
allow mtk_hal_camera ion_device:chr_file rw_file_perms;
allow mtk_hal_camera sw_sync_device:chr_file rw_file_perms;
allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;

# -----------------------------------
# Purpose: Filesystem in Userspace (FUSE)
# - sdcard access (buffer dump for EM mode)
# -----------------------------------
# NOTE(review): the stated purpose is an engineering-mode buffer dump, but the
# rules are unconditional. If the dump is not needed on user builds, wrapping
# these two lines in userdebug_or_eng(` ... ') as done for aee_aedv below would
# keep user-build camera HAL off the shared sdcard entirely -- confirm.
allow mtk_hal_camera fuse:dir { search read write };
allow mtk_hal_camera fuse:file rw_file_perms;

# -----------------------------------
# Purpose: Storage access
# -----------------------------------
## Date : WK14.XX-15.XX
## nvram access
# NOTE(review): `write` on block_device:dir is unusual for a HAL; it looks
# like a leftover from the mediaserver copy noted below. Verify it is still
# exercised (audit2allow/denial logs) before keeping it.
allow mtk_hal_camera block_device:dir { write search };
allow mtk_hal_camera nvram_data_file:dir { search add_name write create};
allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create open };
## nvram access (dumchar case for nand and legacy chip)
allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
# NOTE(review): the uevent socket rule below is unrelated to nvram access and
# is filed under the wrong heading; its purpose is not recorded anywhere.
allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };

## Date : WK14.XX-15.XX
## sdcard access - dump for debug
# NOTE(review): debug-only per the comment, yet unconditional -- see the FUSE
# note above; the same userdebug_or_eng gating question applies here.
allow mtk_hal_camera sdcard_type:dir { write add_name create };
allow mtk_hal_camera sdcard_type:file { append create getattr };

# -----------------------------------
# Android O
# Purpose: Shell Debugging
# -----------------------------------
# Purpose: Allow shell to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
# (used in user build)
allow mtk_hal_camera shell:unix_stream_socket { read write };
allow mtk_hal_camera shell:fifo_file write;

# -----------------------------------
# Android O
# Purpose: AEE Debugging
# -----------------------------------
# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow mtk_hal_camera dumpstate:binder { call };
allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
allow mtk_hal_camera dumpstate:fd { use };
allow mtk_hal_camera dumpstate:fifo_file write;

# Purpose: Allow camerahalserver to dump debug info to SYS_DEBUG_MTKCAM via aee_aedv.
# avc: denied { write } for path="/data/vendor/mtklog/aee_exp/temp/db.9oRG8O/SYS_DEBUG_MTKCAM"
# dev="dm-2" ino=1458278 scontext=u:r:mtk_hal_camera:s0 tcontext=u:object_r:aee_exp_vendor_file:s0
# tclass=file permissive=0
allow mtk_hal_camera aee_exp_vendor_file:dir { w_dir_perms };
allow mtk_hal_camera aee_exp_vendor_file:file { create_file_perms };

# -----------------------------------
# Android O
# Purpose: Debugging
# -----------------------------------
# Purpose: libmemunreachable.so/GetUnreachableMemory()
# NOTE(review): self:process ptrace is only needed for the leak-detection
# debug path named above. The file already gates an aee debugging rule with
# userdebug_or_eng(` ... '); if GetUnreachableMemory() is not used on user
# builds, this rule is a candidate for the same gating -- confirm with the
# HAL owners before changing it.
allow mtk_hal_camera self:process { ptrace };

################################################################################
# Date : WK14.XX-15.XX
# Operation : Copy from Media server
# NOTE(review): these capabilities were copied from mediaserver rather than
# derived from this HAL's needs. `setuid` in particular is broad for a vendor
# HAL process; each of the three should be re-justified (or removed) against
# what camerahalserver actually does today.
allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
allow mtk_hal_camera nvdata_file:dir { write search add_name };
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
allow mtk_hal_camera proc_meminfo:file { read getattr open };

## Purpose : for low SD card latency issue
allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };

## Purpose : for change thermal policy when needed
allow mtk_hal_camera proc_mtkcooler:dir search;
allow mtk_hal_camera proc_mtktz:dir search;
allow mtk_hal_camera proc_thermal:dir search;
allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };

## Purpose : cts search strange app
# NOTE(review): `search` on untrusted_app:dir lets the HAL traverse the
# /proc/<pid> directories of third-party apps. The stated reason (a CTS case)
# is vague; record which test needs it, or drop it if the test now passes
# without it.
allow mtk_hal_camera untrusted_app:dir search;

## Purpose : offloadservice
allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;

## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mtk_hal_camera storage_file:lnk_file {read write};
allow mtk_hal_camera mnt_user_file:dir {write read search};
allow mtk_hal_camera mnt_user_file:lnk_file {read write};

## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
allow mtk_hal_camera surfaceflinger:fifo_file {read write};

## Purpose : camera read/write /nvcfg/camera data
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
allow mtk_hal_camera nvcfg_file:file create_file_perms;

# Purpose : for camera init
allow mtk_hal_camera system_server:unix_stream_socket { read write };

################################################################################
# Date : WK16
# Operation : N Migration
## Purpose: research root dir "/"
allow mtk_hal_camera tmpfs:dir search;

## Purpose : EGL file access
allow mtk_hal_camera system_file:dir { read open };
allow mtk_hal_camera gpu_device:dir search;
allow mtk_hal_camera gpu_device:chr_file rw_file_perms;

## Purpose: Allow to access ged for gralloc_extra functions
allow mtk_hal_camera proc_ged:file rw_file_perms;
allowxperm mtk_hal_camera proc_ged:file ioctl { proc_ged_ioctls };

# NOTE(review): write access to debugfs_tracing has no recorded purpose;
# presumably trace markers for profiling -- document it, and consider
# userdebug_or_eng gating if it is not needed on user builds.
allow mtk_hal_camera debugfs_tracing:file { write open };

## Purpose : camera3 IT/CTS
allow mtk_hal_camera debugfs_ion:dir search;
allow mtk_hal_camera hal_graphics_composer_default:fd use;

# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow mtk_hal_camera mtk_cmdq_device:chr_file r_file_perms;
allow mtk_hal_camera mtk_mdp_device:chr_file r_file_perms;
allow mtk_hal_camera mtk_mdp_sync:chr_file r_file_perms;

# Date : WK17.36
# Operation : O Migration
# Purpose: Allow to access battery status
allow mtk_hal_camera sysfs_batteryinfo:dir search;
allow mtk_hal_camera sysfs_batteryinfo:file { getattr open read };

# Date : WK17.39
# Operation : O Migration
# Purpose: Change thermal config
set_prop(mtk_hal_camera, vendor_mtk_thermal_config_prop)

# Date : WK18.31
# Stage: P Migration
# Purpose: CCT
allow mtk_hal_camera graphics_device:chr_file { read write ioctl open };
allow mtk_hal_camera graphics_device:dir search;
allow mtk_hal_camera cct_data_file:dir create_dir_perms;
allow mtk_hal_camera cct_data_file:file create_file_perms;
allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
allow mtk_hal_camera sysfs_boot_mode:file { read open };
allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms;
allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms;

# Date : WK18.01
# Operation : label aee_aed sockets
# Purpose : Engineering mode need access for aee command
# Only compiled into userdebug/eng builds; user builds get no connectto.
userdebug_or_eng(`
allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
')

# Date : WK18.02
# Stage: O Migration
# Purpose: ISP tuning remapping
set_prop(mtk_hal_camera, vendor_mtk_mediatek_prop)

# Date : WK18.22
# Stage: p Migration
# Purpose: NVRAM
# NOTE(review): most of this section appears to duplicate or be subsumed by
# rules already granted above (nvram_data_file dir/file/lnk_file, nvdata_file
# dir/file/lnk_file, nvcfg_file dir/file); e.g. the nvdata_file:file line is
# identical to the one in the "Copy from Media server" section. Consolidating
# them in one place would make the effective permission set easier to audit.
allow mtk_hal_camera nvram_data_file:dir search;
allow mtk_hal_camera nvram_data_file:file rw_file_perms;
allow mtk_hal_camera nvram_data_file:lnk_file read;
allow mtk_hal_camera nvdata_file:lnk_file read;
allow mtk_hal_camera nvdata_file:dir create_dir_perms;
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
allow mtk_hal_camera nvcfg_file:lnk_file read;
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
allow mtk_hal_camera nvcfg_file:file { read write getattr setattr open create };
allow mtk_hal_camera mnt_vendor_file:dir search;
allow mtk_hal_camera mnt_vendor_file:file create_file_perms;

# AAO
allow mtk_hal_camera data_vendor_aao_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_aao_file:file create_file_perms;
allow mtk_hal_camera data_vendor_aaoHwBuf_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_aaoHwBuf_file:file create_file_perms;
allow mtk_hal_camera data_vendor_AAObitTrue_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_AAObitTrue_file:file create_file_perms;

# Flash
allow mtk_hal_camera data_vendor_flash_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_flash_file:file create_file_perms;

# Flicker
allow mtk_hal_camera data_vendor_flicker_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_flicker_file:file create_file_perms;

# AFO
allow mtk_hal_camera data_vendor_afo_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_afo_file:file create_file_perms;

# PDO
allow mtk_hal_camera data_vendor_pdo_file:dir create_dir_perms;
allow mtk_hal_camera data_vendor_pdo_file:file create_file_perms;

# Date : WK18.35
# Purpose: allow mtk_hal_camera to access gz_device node
allow mtk_hal_camera gz_device:chr_file rw_file_perms;

#data/dipdebug
allow mtk_hal_camera aee_dipdebug_vendor_file:dir rw_dir_perms;
allow mtk_hal_camera aee_dipdebug_vendor_file:file { create_file_perms };

allow mtk_hal_camera proc_isp_p2:dir search;
allow mtk_hal_camera proc_isp_p2:file {create_file_perms};

# Date: 2019/06/14
# Operation : Migration
allow mtk_hal_camera sysfs_dt_firmware_android:dir search;

# Date: 2019/07/09
# Operation : For M4U security
# M4U (IOMMU) control node: read access with an explicit ioctl whitelist.
allow mtk_hal_camera proc_m4u:file r_file_perms;
allowxperm mtk_hal_camera proc_m4u:file ioctl{
MTK_M4U_T_ALLOC_MVA
MTK_M4U_T_DEALLOC_MVA
MTK_M4U_T_CONFIG_PORT
MTK_M4U_T_DMA_OP
MTK_M4U_T_SEC_INIT
};

# Date: 2019/08/27
# Operation : For android Q allowing ioctl
# NOTE(review): the target here is the domain's own type, so `self` is the
# conventional spelling (`allow mtk_hal_camera self:unix_stream_socket ...`);
# behaviour is the same either way.
allow mtk_hal_camera mtk_hal_camera:unix_stream_socket { ioctl };
allowxperm mtk_hal_camera mtk_hal_camera:unix_stream_socket ioctl IIOCNETAIF;

# TODO(b/152082918): Hacks to get OpenCamera/CameraGo "work"ing.
# NOTE(review): `sysfs` is the generic label for every sysfs node that has no
# more specific type, so rw_file_perms here is far broader than the labelled
# sysfs_* rules elsewhere in this file (and conflicts with the intent of the
# sysfs labelling effort). The TODO already marks this as temporary; the fix is
# to label the specific nodes the apps need and grant those instead.
allow mtk_hal_camera sysfs:file rw_file_perms;
allow mtk_hal_camera system_server:binder call;
allow mtk_hal_camera Vcodec_device:chr_file rw_file_perms;

# Allow ReadDefaultFstab().
read_fstab(mtk_hal_camera)