1 /******************************************************************************
2 *
3 * Copyright (C) 2021 The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at:
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 *****************************************************************************
18 * Originally developed and contributed by Ittiam Systems Pvt. Ltd, Bangalore
19 */
20
21 #define LOG_TAG "CameraServiceFuzzer"
22 //#define LOG_NDEBUG 0
23
24 #include <AudioFlinger.h>
25 #include <CameraService.h>
26 #include <ISchedulingPolicyService.h>
27 #include <MediaPlayerService.h>
28 #include <android-base/logging.h>
29 #include <android/binder_manager.h>
30 #include <android/content/AttributionSourceState.h>
31 #include <android/hardware/BnCameraServiceListener.h>
32 #include <android/hardware/ICameraServiceListener.h>
33 #include <android/hardware/camera2/BnCameraDeviceCallbacks.h>
34 #include <android/hardware/camera2/ICameraDeviceUser.h>
35 #include <binder/IActivityManager.h>
36 #include <binder/IAppOpsService.h>
37 #include <camera/CameraUtils.h>
38 #include <camera/camera2/OutputConfiguration.h>
39 #include <com_android_graphics_libgui_flags.h>
40 #include <core-mock/ConfigMock.h>
41 #include <core-mock/ModuleMock.h>
42 #include <device3/Camera3StreamInterface.h>
43 #include <effect-mock/FactoryMock.h>
44 #include <fakeservicemanager/FakeServiceManager.h>
45 #include <fuzzbinder/random_binder.h>
46 #include <gui/BufferItemConsumer.h>
47 #include <gui/IGraphicBufferProducer.h>
48 #include <gui/Surface.h>
49 #include <gui/SurfaceComposerClient.h>
50 #include <media/IAudioFlinger.h>
51 #include <private/android_filesystem_config.h>
52 #include "fuzzer/FuzzedDataProvider.h"
53
54 using namespace android;
55 using namespace hardware;
56 using namespace std;
57
58 using ICameraService::ROTATION_OVERRIDE_NONE;
59 using ICameraService::ROTATION_OVERRIDE_OVERRIDE_TO_PORTRAIT;
60 using android::hardware::camera2::CameraMetadataInfo;
61
62 const int32_t kPreviewThreshold = 8;
63 const int32_t kNumRequestsTested = 8;
64 const nsecs_t kPreviewTimeout = 5000000000; // .5 [s.]
65 const nsecs_t kEventTimeout = 10000000000; // 1 [s.]
66 const size_t kMaxNumLines = USHRT_MAX;
67 const size_t kMinArgs = 1;
68 const size_t kMaxArgs = 5;
69 const int32_t kCamType[] = {hardware::ICameraService::CAMERA_TYPE_BACKWARD_COMPATIBLE,
70 hardware::ICameraService::CAMERA_TYPE_ALL};
71 const uint8_t kSensorPixelModes[] = {ANDROID_SENSOR_PIXEL_MODE_DEFAULT,
72 ANDROID_SENSOR_PIXEL_MODE_MAXIMUM_RESOLUTION};
73 const int32_t kRequestTemplates[] = {
74 hardware::camera2::ICameraDeviceUser::TEMPLATE_PREVIEW,
75 hardware::camera2::ICameraDeviceUser::TEMPLATE_STILL_CAPTURE,
76 hardware::camera2::ICameraDeviceUser::TEMPLATE_RECORD,
77 hardware::camera2::ICameraDeviceUser::TEMPLATE_VIDEO_SNAPSHOT,
78 hardware::camera2::ICameraDeviceUser::TEMPLATE_MANUAL,
79 hardware::camera2::ICameraDeviceUser::TEMPLATE_ZERO_SHUTTER_LAG
80 };
81
82 const int32_t kRotations[] = {
83 camera3::CAMERA_STREAM_ROTATION_0,
84 camera3::CAMERA_STREAM_ROTATION_90,
85 camera3::CAMERA_STREAM_ROTATION_270
86 };
87
88 const int kLayerMetadata[] = {
89 0x00100000 /*GRALLOC_USAGE_RENDERSCRIPT*/, 0x00000003 /*GRALLOC_USAGE_SW_READ_OFTEN*/,
90 0x00000100 /*GRALLOC_USAGE_HW_TEXTURE*/, 0x00000800 /*GRALLOC_USAGE_HW_COMPOSER*/,
91 0x00000200 /*GRALLOC_USAGE_HW_RENDER*/, 0x00010000 /*GRALLOC_USAGE_HW_VIDEO_ENCODER*/};
92 const int kCameraMsg[] = {0x001 /*CAMERA_MSG_ERROR*/,
93 0x002 /*CAMERA_MSG_SHUTTER*/,
94 0x004 /*CAMERA_MSG_FOCUS*/,
95 0x008 /*CAMERA_MSG_ZOOM*/,
96 0x010 /*CAMERA_MSG_PREVIEW_FRAME*/,
97 0x020 /*CAMERA_MSG_VIDEO_FRAME */,
98 0x040 /*CAMERA_MSG_POSTVIEW_FRAME*/,
99 0x080 /*CAMERA_MSG_RAW_IMAGE */,
100 0x100 /*CAMERA_MSG_COMPRESSED_IMAGE*/,
101 0x200 /*CAMERA_MSG_RAW_IMAGE_NOTIFY*/,
102 0x400 /*CAMERA_MSG_PREVIEW_METADATA*/,
103 0x800 /*CAMERA_MSG_FOCUS_MOVE*/};
104 const int32_t kEventId[] = {ICameraService::EVENT_USER_SWITCHED, ICameraService::EVENT_NONE};
105 const android::CameraService::sound_kind kSoundKind[] = {
106 android::CameraService::SOUND_SHUTTER, android::CameraService::SOUND_RECORDING_START,
107 android::CameraService::SOUND_RECORDING_STOP};
108 const String16 kShellCmd[] = {String16("set-uid-state"), String16("reset-uid-state"),
109 String16("get-uid-state"), String16("set-rotate-and-crop"),
110 String16("get-rotate-and-crop"), String16("help")};
111 const size_t kNumLayerMetaData = size(kLayerMetadata);
112 const size_t kNumCameraMsg = size(kCameraMsg);
113 const size_t kNumSoundKind = size(kSoundKind);
114 const size_t kNumShellCmd = size(kShellCmd);
115 static std::once_flag gSmOnce;
116 sp<CameraService> gCameraService;
117 sp<FakeServiceManager> gFsm;
118
addService(const String16 & serviceName,const sp<FakeServiceManager> & fakeServiceManager,FuzzedDataProvider * fdp)119 void addService(const String16& serviceName, const sp<FakeServiceManager>& fakeServiceManager,
120 FuzzedDataProvider* fdp) {
121 sp<IBinder> binder = getRandomBinder(fdp);
122 if (!binder) {
123 return;
124 }
125
126 CHECK_EQ(NO_ERROR, fakeServiceManager->addService(serviceName, binder));
127 return;
128 }
129
130 class FuzzerActivityManager : public BnInterface<IActivityManager> {
131 public:
openContentUri(const String16 &)132 int32_t openContentUri(const String16& /*stringUri*/) override { return 0; }
133
registerUidObserver(const sp<IUidObserver> &,const int32_t,const int32_t,const String16 &)134 status_t registerUidObserver(const sp<IUidObserver>& /*observer*/, const int32_t /*event*/,
135 const int32_t /*cutpoint*/,
136 const String16& /*callingPackage*/) override {
137 return OK;
138 }
139
unregisterUidObserver(const sp<IUidObserver> &)140 status_t unregisterUidObserver(const sp<IUidObserver>& /*observer*/) override { return OK; }
141
registerUidObserverForUids(const sp<IUidObserver> &,const int32_t,const int32_t,const String16 &,const int32_t *,size_t,sp<IBinder> &)142 status_t registerUidObserverForUids(const sp<IUidObserver>& /*observer*/,
143 const int32_t /*event*/, const int32_t /*cutpoint*/,
144 const String16& /*callingPackage*/,
145 const int32_t* /*uids[]*/, size_t /*nUids*/,
146 /*out*/ sp<IBinder>& /*observerToken*/) override {
147 return OK;
148 }
149
addUidToObserver(const sp<IBinder> &,const String16 &,int32_t)150 status_t addUidToObserver(const sp<IBinder>& /*observerToken*/,
151 const String16& /*callingPackage*/, int32_t /*uid*/) override {
152 return OK;
153 }
154
removeUidFromObserver(const sp<IBinder> &,const String16 &,int32_t)155 status_t removeUidFromObserver(const sp<IBinder>& /*observerToken*/,
156 const String16& /*callingPackage*/, int32_t /*uid*/) override {
157 return OK;
158 }
159
isUidActive(const uid_t,const String16 &)160 bool isUidActive(const uid_t /*uid*/, const String16& /*callingPackage*/) override {
161 return true;
162 }
163
getUidProcessState(const uid_t,const String16 &)164 int32_t getUidProcessState(const uid_t /*uid*/, const String16& /*callingPackage*/) override {
165 return ActivityManager::PROCESS_STATE_UNKNOWN;
166 }
167
checkPermission(const String16 &,const pid_t,const uid_t,int32_t *)168 status_t checkPermission(const String16& /*permission*/, const pid_t /*pid*/,
169 const uid_t /*uid*/, int32_t* /*outResult*/) override {
170 return NO_ERROR;
171 }
172
logFgsApiBegin(int32_t,int32_t,int32_t)173 status_t logFgsApiBegin(int32_t /*apiType*/, int32_t /*appUid*/, int32_t /*appPid*/) override {
174 return OK;
175 }
logFgsApiEnd(int32_t,int32_t,int32_t)176 status_t logFgsApiEnd(int32_t /*apiType*/, int32_t /*appUid*/, int32_t /*appPid*/) override {
177 return OK;
178 }
logFgsApiStateChanged(int32_t,int32_t,int32_t,int32_t)179 status_t logFgsApiStateChanged(int32_t /*apiType*/, int32_t /*state*/, int32_t /*appUid*/,
180 int32_t /*appPid*/) override {
181 return OK;
182 }
183 };
184
185 class FuzzerSensorPrivacyManager : public BnInterface<hardware::ISensorPrivacyManager> {
186 public:
supportsSensorToggle(int32_t,int32_t,bool *)187 binder::Status supportsSensorToggle(int32_t /*toggleType*/, int32_t /*sensor*/,
188 bool* /*_aidl_return*/) override {
189 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
190 }
addSensorPrivacyListener(const sp<hardware::ISensorPrivacyListener> &)191 binder::Status addSensorPrivacyListener(
192 const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
193 return binder::Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
194 }
addToggleSensorPrivacyListener(const sp<hardware::ISensorPrivacyListener> &)195 binder::Status addToggleSensorPrivacyListener(
196 const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
197 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
198 }
removeSensorPrivacyListener(const sp<hardware::ISensorPrivacyListener> &)199 binder::Status removeSensorPrivacyListener(
200 const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
201 return binder::Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
202 }
removeToggleSensorPrivacyListener(const sp<hardware::ISensorPrivacyListener> &)203 binder::Status removeToggleSensorPrivacyListener(
204 const sp<hardware::ISensorPrivacyListener>& /*listener*/) override {
205 return binder::Status::fromStatusT(::android::UNKNOWN_TRANSACTION);
206 }
isSensorPrivacyEnabled(bool *)207 binder::Status isSensorPrivacyEnabled(bool* /*_aidl_return*/) override {
208 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
209 }
isCombinedToggleSensorPrivacyEnabled(int32_t,bool *)210 binder::Status isCombinedToggleSensorPrivacyEnabled(int32_t /*sensor*/,
211 bool* /*_aidl_return*/) override {
212 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
213 }
isToggleSensorPrivacyEnabled(int32_t,int32_t,bool *)214 binder::Status isToggleSensorPrivacyEnabled(int32_t /*toggleType*/, int32_t /*sensor*/,
215 bool* /*_aidl_return*/) override {
216 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
217 }
setSensorPrivacy(bool)218 binder::Status setSensorPrivacy(bool /*enable*/) override {
219 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
220 }
setToggleSensorPrivacy(int32_t,int32_t,int32_t,bool)221 binder::Status setToggleSensorPrivacy(int32_t /*userId*/, int32_t /*source*/,
222 int32_t /*sensor*/, bool /*enable*/) override {
223 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
224 }
setToggleSensorPrivacyForProfileGroup(int32_t,int32_t,int32_t,bool)225 binder::Status setToggleSensorPrivacyForProfileGroup(int32_t /*userId*/, int32_t /*source*/,
226 int32_t /*sensor*/,
227 bool /*enable*/) override {
228 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
229 }
getCameraPrivacyAllowlist(::std::vector<::android::String16> *)230 binder::Status getCameraPrivacyAllowlist(
231 ::std::vector<::android::String16>* /*_aidl_return*/) override {
232 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
233 }
getToggleSensorPrivacyState(int32_t,int32_t,int32_t *)234 binder::Status getToggleSensorPrivacyState(int32_t /*toggleType*/, int32_t /*sensor*/,
235 int32_t* /* _aidl_return*/) override {
236 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
237 }
setToggleSensorPrivacyState(int32_t,int32_t,int32_t,int32_t)238 binder::Status setToggleSensorPrivacyState(int32_t /*userId*/, int32_t /*source*/,
239 int32_t /*sensor*/, int32_t /*state*/) override {
240 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
241 }
setToggleSensorPrivacyStateForProfileGroup(int32_t,int32_t,int32_t,int32_t)242 binder::Status setToggleSensorPrivacyStateForProfileGroup(int32_t /*userId*/,
243 int32_t /*source*/,
244 int32_t /*sensor*/,
245 int32_t /*state*/) override {
246 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
247 }
isCameraPrivacyEnabled(const::android::String16 &,bool *)248 binder::Status isCameraPrivacyEnabled(const ::android::String16& /*packageName*/,
249 bool* /*_aidl_return*/) override {
250 return binder::Status::fromStatusT(UNKNOWN_TRANSACTION);
251 }
252 };
253
254 class FuzzAppOpsService : public BnAppOpsService {
255 public:
checkOperation(int32_t,int32_t,const String16 &)256 int32_t checkOperation(int32_t /*code*/, int32_t /*uid*/,
257 const String16& /*packageName*/) override {
258 return 0;
259 }
260
noteOperation(int32_t,int32_t,const String16 &,const std::optional<String16> &,bool,const String16 &,bool)261 int32_t noteOperation(int32_t /*code*/, int32_t /*uid*/, const String16& /*packageName*/,
262 const std::optional<String16>& /*attributionTag*/,
263 bool /*shouldCollectAsyncNotedOp*/, const String16& /*message*/,
264 bool /*shouldCollectMessage*/) override {
265 return 0;
266 }
267
startWatchingModeWithFlags(int32_t,const String16 &,int32_t,const sp<IAppOpsCallback> &)268 void startWatchingModeWithFlags(int32_t /*op*/, const String16& /*packageName*/,
269 int32_t /*flags*/,
270 const sp<IAppOpsCallback>& /*callback*/) override {
271 return;
272 }
273
startOperation(const sp<IBinder> &,int32_t,int32_t,const String16 &,const std::optional<String16> &,bool,bool,const String16 &,bool)274 int32_t startOperation(const sp<IBinder>& /*token*/, int32_t /*code*/, int32_t /*uid*/,
275 const String16& /*packageName*/,
276 const std::optional<String16>& /*attributionTag*/,
277 bool /*startIfModeDefault*/, bool /*shouldCollectAsyncNotedOp*/,
278 const String16& /*message*/, bool /*shouldCollectMessage*/) override {
279 return 0;
280 }
281
finishOperation(const sp<IBinder> &,int32_t,int32_t,const String16 &,const std::optional<String16> &)282 void finishOperation(const sp<IBinder>& /*token*/, int32_t /*code*/, int32_t /*uid*/,
283 const String16& /*packageName*/,
284 const std::optional<String16>& /*attributionTag*/) override {
285 return;
286 }
287
startWatchingMode(int32_t,const String16 &,const sp<IAppOpsCallback> &)288 void startWatchingMode(int32_t /*op*/, const String16& /*packageName*/,
289 const sp<IAppOpsCallback>& /*callback*/) override {
290 return;
291 }
292
stopWatchingMode(const sp<IAppOpsCallback> &)293 void stopWatchingMode(const sp<IAppOpsCallback>& /*callback*/) override { return; }
294
permissionToOpCode(const String16 &)295 int32_t permissionToOpCode(const String16& /*permission*/) override { return 0; }
296
checkAudioOperation(int32_t,int32_t,int32_t,const String16 &)297 int32_t checkAudioOperation(int32_t /*code*/, int32_t /*usage*/, int32_t /*uid*/,
298 const String16& /*packageName*/) override {
299 return 0;
300 }
301
setCameraAudioRestriction(int32_t)302 void setCameraAudioRestriction(int32_t /*mode*/) override { return; }
303
shouldCollectNotes(int32_t)304 bool shouldCollectNotes(int32_t /*opCode*/) override { return true; }
305 };
306
307 class CameraFuzzer : public ::android::hardware::BnCameraClient {
308 public:
CameraFuzzer(sp<CameraService> cs,std::shared_ptr<FuzzedDataProvider> fp)309 CameraFuzzer(sp<CameraService> cs, std::shared_ptr<FuzzedDataProvider> fp) :
310 mCameraService(cs), mFuzzedDataProvider(fp) {};
~CameraFuzzer()311 ~CameraFuzzer() { deInit(); }
312 void process();
313 void deInit();
314
315 private:
316 sp<CameraService> mCameraService = nullptr;
317 std::shared_ptr<FuzzedDataProvider> mFuzzedDataProvider = nullptr;
318 sp<SurfaceComposerClient> mComposerClient = nullptr;
319 int32_t mNumCameras = 0;
320 size_t mPreviewBufferCount = 0;
321 bool mAutoFocusMessage = false;
322 bool mSnapshotNotification = false;
323 bool mRecordingNotification = false;
324 mutable Mutex mPreviewLock;
325 mutable Condition mPreviewCondition;
326 mutable Mutex mAutoFocusLock;
327 mutable Condition mAutoFocusCondition;
328 mutable Mutex mSnapshotLock;
329 mutable Condition mSnapshotCondition;
330 mutable Mutex mRecordingLock;
331 mutable Condition mRecordingCondition;
332
333 void getNumCameras();
334 void getCameraInformation(int32_t cameraId);
335 void invokeCameraAPIs();
336 void invokeCameraSound();
337 void invokeDump();
338 void invokeShellCommand();
339 void invokeNotifyCalls();
340 void invokeTorchAPIs(int32_t cameraId);
341
342 // CameraClient interface
343 void notifyCallback(int32_t msgType, int32_t, int32_t) override;
344 void dataCallback(int32_t msgType, const sp<IMemory> &, camera_frame_metadata_t *) override;
dataCallbackTimestamp(nsecs_t,int32_t,const sp<IMemory> &)345 void dataCallbackTimestamp(nsecs_t, int32_t, const sp<IMemory> &) override{};
recordingFrameHandleCallbackTimestamp(nsecs_t,native_handle_t *)346 void recordingFrameHandleCallbackTimestamp(nsecs_t, native_handle_t *) override{};
recordingFrameHandleCallbackTimestampBatch(const std::vector<nsecs_t> &,const std::vector<native_handle_t * > &)347 void recordingFrameHandleCallbackTimestampBatch(
348 const std::vector<nsecs_t> &, const std::vector<native_handle_t *> &) override{};
349 status_t waitForPreviewStart();
350 status_t waitForEvent(Mutex &mutex, Condition &condition, bool &flag);
351 };
352
notifyCallback(int32_t msgType,int32_t,int32_t)353 void CameraFuzzer::notifyCallback(int32_t msgType, int32_t, int32_t) {
354 if (CAMERA_MSG_FOCUS == msgType) {
355 Mutex::Autolock l(mAutoFocusLock);
356 mAutoFocusMessage = true;
357 mAutoFocusCondition.broadcast();
358 }
359 }
360
dataCallback(int32_t msgType,const sp<IMemory> &,camera_frame_metadata_t *)361 void CameraFuzzer::dataCallback(int32_t msgType, const sp<IMemory> & /*data*/,
362 camera_frame_metadata_t *) {
363 switch (msgType) {
364 case CAMERA_MSG_PREVIEW_FRAME: {
365 Mutex::Autolock l(mPreviewLock);
366 ++mPreviewBufferCount;
367 mPreviewCondition.broadcast();
368 mRecordingNotification = true;
369 mRecordingCondition.broadcast();
370 break;
371 }
372 case CAMERA_MSG_COMPRESSED_IMAGE: {
373 Mutex::Autolock l(mSnapshotLock);
374 mSnapshotNotification = true;
375 mSnapshotCondition.broadcast();
376 break;
377 }
378 default:
379 break;
380 }
381 }
382
waitForPreviewStart()383 status_t CameraFuzzer::waitForPreviewStart() {
384 status_t rc = NO_ERROR;
385 Mutex::Autolock l(mPreviewLock);
386 mPreviewBufferCount = 0;
387
388 while (mPreviewBufferCount < kPreviewThreshold) {
389 rc = mPreviewCondition.waitRelative(mPreviewLock, kPreviewTimeout);
390 if (NO_ERROR != rc) {
391 break;
392 }
393 }
394
395 return rc;
396 }
397
waitForEvent(Mutex & mutex,Condition & condition,bool & flag)398 status_t CameraFuzzer::waitForEvent(Mutex &mutex, Condition &condition, bool &flag) {
399 status_t rc = NO_ERROR;
400 Mutex::Autolock l(mutex);
401 flag = false;
402
403 while (!flag) {
404 rc = condition.waitRelative(mutex, kEventTimeout);
405 if (NO_ERROR != rc) {
406 break;
407 }
408 }
409
410 return rc;
411 }
412
deInit()413 void CameraFuzzer::deInit() {
414 if (mComposerClient) {
415 mComposerClient->dispose();
416 }
417 }
418
getNumCameras()419 void CameraFuzzer::getNumCameras() {
420 bool shouldPassInvalidCamType = mFuzzedDataProvider->ConsumeBool();
421 int32_t camType;
422 if (shouldPassInvalidCamType) {
423 camType = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
424 } else {
425 camType = kCamType[mFuzzedDataProvider->ConsumeBool()];
426 }
427 AttributionSourceState clientAttribution;
428 clientAttribution.deviceId = kDefaultDeviceId;
429 mCameraService->getNumberOfCameras(camType, clientAttribution, /*devicePolicy*/0, &mNumCameras);
430 }
431
getCameraInformation(int32_t cameraId)432 void CameraFuzzer::getCameraInformation(int32_t cameraId) {
433 std::string cameraIdStr = std::to_string(cameraId);
434 bool isSupported = false;
435 mCameraService->isHiddenPhysicalCamera(cameraIdStr, &isSupported);
436
437 std::string parameters;
438 mCameraService->getLegacyParameters(cameraId, ¶meters);
439
440 std::vector<hardware::camera2::utils::ConcurrentCameraIdCombination> concurrentCameraIds;
441 mCameraService->getConcurrentCameraIds(&concurrentCameraIds);
442
443 hardware::camera2::params::VendorTagDescriptorCache cache;
444 mCameraService->getCameraVendorTagCache(&cache);
445
446 AttributionSourceState clientAttribution;
447 clientAttribution.deviceId = kDefaultDeviceId;
448
449 CameraInfo cameraInfo;
450 mCameraService->getCameraInfo(cameraId, ROTATION_OVERRIDE_NONE, clientAttribution,
451 /*devicePolicy*/0, &cameraInfo);
452
453 CameraMetadata metadata;
454 mCameraService->getCameraCharacteristics(cameraIdStr,
455 /*targetSdkVersion*/__ANDROID_API_FUTURE__, ROTATION_OVERRIDE_NONE,
456 clientAttribution, /*devicePolicy*/0, &metadata);
457 }
458
invokeCameraSound()459 void CameraFuzzer::invokeCameraSound() {
460 mCameraService->increaseSoundRef();
461 mCameraService->decreaseSoundRef();
462 bool shouldPassInvalidPlaySound = mFuzzedDataProvider->ConsumeBool();
463 bool shouldPassInvalidLockSound = mFuzzedDataProvider->ConsumeBool();
464 android::CameraService::sound_kind playSound, lockSound;
465 if (shouldPassInvalidPlaySound) {
466 playSound = static_cast<android::CameraService::sound_kind>(
467 mFuzzedDataProvider->ConsumeIntegral<size_t>());
468 } else {
469 playSound =
470 kSoundKind[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumSoundKind - 1)];
471 }
472
473 if (shouldPassInvalidLockSound) {
474 lockSound = static_cast<android::CameraService::sound_kind>(
475 mFuzzedDataProvider->ConsumeIntegral<size_t>());
476 } else {
477 lockSound =
478 kSoundKind[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kNumSoundKind - 1)];
479 }
480 mCameraService->playSound(playSound);
481 mCameraService->loadSoundLocked(lockSound);
482 }
483
invokeDump()484 void CameraFuzzer::invokeDump() {
485 Vector<String16> args;
486 size_t numberOfLines = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, kMaxNumLines);
487 for (size_t lineIdx = 0; lineIdx < numberOfLines; ++lineIdx) {
488 args.add(static_cast<String16>(mFuzzedDataProvider->ConsumeRandomLengthString().c_str()));
489 }
490 const char *fileName = "logDumpFile";
491 int fd = memfd_create(fileName, MFD_ALLOW_SEALING);
492 mCameraService->dump(fd, args);
493 close(fd);
494 }
495
invokeShellCommand()496 void CameraFuzzer::invokeShellCommand() {
497 int in = mFuzzedDataProvider->ConsumeIntegral<int>();
498 int out = mFuzzedDataProvider->ConsumeIntegral<int>();
499 int err = mFuzzedDataProvider->ConsumeIntegral<int>();
500 Vector<String16> args;
501 size_t numArgs = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinArgs, kMaxArgs);
502 for (size_t argsIdx = 0; argsIdx < numArgs; ++argsIdx) {
503 bool shouldPassInvalidCommand = mFuzzedDataProvider->ConsumeBool();
504 if (shouldPassInvalidCommand) {
505 args.add(
506 static_cast<String16>(mFuzzedDataProvider->ConsumeRandomLengthString().c_str()));
507 } else {
508 args.add(kShellCmd[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
509 0, kNumShellCmd - 1)]);
510 }
511 }
512 mCameraService->shellCommand(in, out, err, args);
513 }
514
invokeNotifyCalls()515 void CameraFuzzer::invokeNotifyCalls() {
516 mCameraService->notifyMonitoredUids();
517 int64_t newState = mFuzzedDataProvider->ConsumeIntegral<int64_t>();
518 mCameraService->notifyDeviceStateChange(newState);
519 std::vector<int32_t> args;
520 size_t numArgs = mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(kMinArgs, kMaxArgs);
521 for (size_t argsIdx = 0; argsIdx < numArgs; ++argsIdx) {
522 args.push_back(mFuzzedDataProvider->ConsumeIntegral<int32_t>());
523 }
524 bool shouldPassInvalidEvent = mFuzzedDataProvider->ConsumeBool();
525 int32_t eventId;
526 if (shouldPassInvalidEvent) {
527 eventId = mFuzzedDataProvider->ConsumeIntegral<int32_t>();
528 } else {
529 eventId = kEventId[mFuzzedDataProvider->ConsumeBool()];
530 }
531 mCameraService->notifySystemEvent(eventId, args);
532 }
533
invokeTorchAPIs(int32_t cameraId)534 void CameraFuzzer::invokeTorchAPIs(int32_t cameraId) {
535 std::string cameraIdStr = std::to_string(cameraId);
536 sp<IBinder> binder = new BBinder;
537
538 AttributionSourceState clientAttribution;
539 clientAttribution.deviceId = kDefaultDeviceId;
540 mCameraService->setTorchMode(cameraIdStr, true, binder, clientAttribution, /*devicePolicy*/0);
541 ALOGV("Turned torch on.");
542 int32_t torchStrength = rand() % 5 + 1;
543 ALOGV("Changing torch strength level to %d", torchStrength);
544 mCameraService->turnOnTorchWithStrengthLevel(cameraIdStr, torchStrength, binder,
545 clientAttribution, /*devicePolicy*/0);
546 mCameraService->setTorchMode(cameraIdStr, false, binder, clientAttribution, /*devicePolicy*/0);
547 ALOGV("Turned torch off.");
548 }
549
invokeCameraAPIs()550 void CameraFuzzer::invokeCameraAPIs() {
551 /** In order to avoid the timeout issue caused due to multiple iteration of loops, the 'for'
552 * loops are removed and the 'cameraId', 'pictureSize' and 'videoSize' are derived using the
553 * FuzzedDataProvider from the available cameras and vectors of 'pictureSizes' and 'videoSizes'
554 */
555 int32_t cameraId = mFuzzedDataProvider->ConsumeIntegralInRange<int32_t>(0, mNumCameras - 1);
556 getCameraInformation(cameraId);
557 invokeTorchAPIs(cameraId);
558
559 ::android::binder::Status rc;
560 sp<ICamera> cameraDevice;
561
562 AttributionSourceState clientAttribution;
563 clientAttribution.deviceId = kDefaultDeviceId;
564 clientAttribution.uid = android::CameraService::USE_CALLING_UID;
565 clientAttribution.pid = android::CameraService::USE_CALLING_PID;
566 rc = mCameraService->connect(this, cameraId,
567 /*targetSdkVersion*/ __ANDROID_API_FUTURE__,
568 ROTATION_OVERRIDE_OVERRIDE_TO_PORTRAIT,
569 /*forceSlowJpegMode*/false,
570 clientAttribution, /*devicePolicy*/0, &cameraDevice);
571 if (!rc.isOk()) {
572 // camera not connected
573 return;
574 }
575 if (cameraDevice) {
576 sp<Surface> previewSurface;
577 sp<SurfaceControl> surfaceControl;
578 CameraParameters params(cameraDevice->getParameters());
579 String8 focusModes(params.get(CameraParameters::KEY_SUPPORTED_FOCUS_MODES));
580 bool isAFSupported = false;
581 const char* focusMode = nullptr;
582
583 if (focusModes.contains(CameraParameters::FOCUS_MODE_AUTO)) {
584 isAFSupported = true;
585 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_CONTINUOUS_PICTURE)) {
586 isAFSupported = true;
587 focusMode = CameraParameters::FOCUS_MODE_CONTINUOUS_PICTURE;
588 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_CONTINUOUS_VIDEO)) {
589 isAFSupported = true;
590 focusMode = CameraParameters::FOCUS_MODE_CONTINUOUS_VIDEO;
591 } else if (focusModes.contains(CameraParameters::FOCUS_MODE_MACRO)) {
592 isAFSupported = true;
593 focusMode = CameraParameters::FOCUS_MODE_MACRO;
594 }
595 if (nullptr != focusMode) {
596 params.set(CameraParameters::KEY_FOCUS_MODE, focusMode);
597 cameraDevice->setParameters(params.flatten());
598 }
599 int previewWidth, previewHeight;
600 params.getPreviewSize(&previewWidth, &previewHeight);
601
602 mComposerClient = new SurfaceComposerClient;
603 mComposerClient->initCheck();
604
605 bool shouldPassInvalidLayerMetaData = mFuzzedDataProvider->ConsumeBool();
606 int layerMetaData;
607 if (shouldPassInvalidLayerMetaData) {
608 layerMetaData = mFuzzedDataProvider->ConsumeIntegral<int>();
609 } else {
610 layerMetaData = kLayerMetadata[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
611 0, kNumLayerMetaData - 1)];
612 }
613 surfaceControl = mComposerClient->createSurface(
614 String8("Test Surface"), previewWidth, previewHeight,
615 CameraParameters::previewFormatToEnum(params.getPreviewFormat()), layerMetaData);
616
617 if (surfaceControl.get()) {
618 SurfaceComposerClient::Transaction{}
619 .setLayer(surfaceControl, 0x7fffffff)
620 .show(surfaceControl)
621 .apply();
622
623 previewSurface = surfaceControl->getSurface();
624 if (previewSurface.get()) {
625 cameraDevice->setPreviewTarget(previewSurface
626 #if !WB_LIBCAMERASERVICE_WITH_DEPENDENCIES
627 ->getIGraphicBufferProducer()
628 #endif
629 );
630 }
631 }
632 cameraDevice->setPreviewCallbackFlag(CAMERA_FRAME_CALLBACK_FLAG_CAMCORDER);
633
634 Vector<Size> pictureSizes;
635 params.getSupportedPictureSizes(pictureSizes);
636
637 if (pictureSizes.size()) {
638 Size pictureSize = pictureSizes[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
639 0, pictureSizes.size() - 1)];
640 params.setPictureSize(pictureSize.width, pictureSize.height);
641 cameraDevice->setParameters(params.flatten());
642 cameraDevice->startPreview();
643 waitForPreviewStart();
644 cameraDevice->autoFocus();
645 waitForEvent(mAutoFocusLock, mAutoFocusCondition, mAutoFocusMessage);
646 bool shouldPassInvalidCameraMsg = mFuzzedDataProvider->ConsumeBool();
647 int msgType;
648 if (shouldPassInvalidCameraMsg) {
649 msgType = mFuzzedDataProvider->ConsumeIntegral<int>();
650 } else {
651 msgType = kCameraMsg[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
652 0, kNumCameraMsg - 1)];
653 }
654 cameraDevice->takePicture(msgType);
655
656 waitForEvent(mSnapshotLock, mSnapshotCondition, mSnapshotNotification);
657 cameraDevice->stopPreview();
658 }
659
660 Vector<Size> videoSizes;
661 params.getSupportedVideoSizes(videoSizes);
662
663 if (videoSizes.size()) {
664 Size videoSize = videoSizes[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(
665 0, videoSizes.size() - 1)];
666 params.setVideoSize(videoSize.width, videoSize.height);
667
668 cameraDevice->setParameters(params.flatten());
669 cameraDevice->startPreview();
670 waitForPreviewStart();
671 cameraDevice->setVideoBufferMode(
672 android::hardware::BnCamera::VIDEO_BUFFER_MODE_BUFFER_QUEUE);
673 sp<SurfaceControl> surfaceControlVideo = mComposerClient->createSurface(
674 String8("Test Surface Video"), previewWidth, previewHeight,
675 CameraParameters::previewFormatToEnum(params.getPreviewFormat()),
676 layerMetaData);
677 if (surfaceControlVideo.get()) {
678 SurfaceComposerClient::Transaction{}
679 .setLayer(surfaceControlVideo, 0x7fffffff)
680 .show(surfaceControlVideo)
681 .apply();
682 sp<Surface> previewSurfaceVideo = surfaceControlVideo->getSurface();
683 if (previewSurfaceVideo.get()) {
684 cameraDevice->setVideoTarget(previewSurfaceVideo
685 #if !WB_LIBCAMERASERVICE_WITH_DEPENDENCIES
686 ->getIGraphicBufferProducer()
687 #endif
688 );
689 }
690 }
691 cameraDevice->stopPreview();
692 cameraDevice->startRecording();
693 waitForEvent(mRecordingLock, mRecordingCondition, mRecordingNotification);
694 cameraDevice->stopRecording();
695 }
696 cameraDevice->disconnect();
697 }
698 }
699
process()700 void CameraFuzzer::process() {
701 getNumCameras();
702 invokeCameraSound();
703 if (mNumCameras > 0) {
704 invokeCameraAPIs();
705 }
706 invokeDump();
707 invokeShellCommand();
708 invokeNotifyCalls();
709 }
710
711 class TestCameraServiceListener : public hardware::BnCameraServiceListener {
712 public:
~TestCameraServiceListener()713 virtual ~TestCameraServiceListener() {};
714
onStatusChanged(int32_t,const std::string &,int32_t)715 virtual binder::Status onStatusChanged(int32_t /*status*/, const std::string& /*cameraId*/,
716 int32_t /*deviceId*/) {
717 return binder::Status::ok();
718 }
719
onPhysicalCameraStatusChanged(int32_t,const std::string &,const std::string &,int32_t)720 virtual binder::Status onPhysicalCameraStatusChanged(int32_t /*status*/,
721 const std::string& /*cameraId*/, const std::string& /*physicalCameraId*/,
722 int32_t /*deviceId*/) {
723 // No op
724 return binder::Status::ok();
725 }
726
onTorchStatusChanged(int32_t,const std::string &,int32_t)727 virtual binder::Status onTorchStatusChanged(int32_t /*status*/,
728 const std::string& /*cameraId*/, int32_t /*deviceId*/) {
729 return binder::Status::ok();
730 }
731
onCameraAccessPrioritiesChanged()732 virtual binder::Status onCameraAccessPrioritiesChanged() {
733 // No op
734 return binder::Status::ok();
735 }
736
onCameraOpened(const std::string &,const std::string &,int32_t)737 virtual binder::Status onCameraOpened(const std::string& /*cameraId*/,
738 const std::string& /*clientPackageName*/, int32_t /*deviceId*/) {
739 // No op
740 return binder::Status::ok();
741 }
742
onCameraClosed(const std::string &,int32_t)743 virtual binder::Status onCameraClosed(const std::string& /*cameraId*/, int32_t /*deviceId*/) {
744 // No op
745 return binder::Status::ok();
746 }
747
onTorchStrengthLevelChanged(const std::string &,int32_t,int32_t)748 virtual binder::Status onTorchStrengthLevelChanged(const std::string& /*cameraId*/,
749 int32_t /*torchStrength*/, int32_t /*deviceId*/) {
750 // No op
751 return binder::Status::ok();
752 }
753
onCameraOpenedInSharedMode(const std::string &,const std::string &,int32_t,bool)754 virtual binder::Status onCameraOpenedInSharedMode(const std::string& /*cameraId*/,
755 const std::string& /*clientPackageName*/, int32_t /*deviceId*/,
756 bool /*isPrimaryClient*/) {
757 // No op
758 return binder::Status::ok();
759 }
760 };
761
762 class TestCameraDeviceCallbacks : public hardware::camera2::BnCameraDeviceCallbacks {
763 public:
TestCameraDeviceCallbacks()764 TestCameraDeviceCallbacks() {}
765
~TestCameraDeviceCallbacks()766 virtual ~TestCameraDeviceCallbacks() {}
767
onDeviceError(int,const CaptureResultExtras &)768 virtual binder::Status onDeviceError(int /*errorCode*/,
769 const CaptureResultExtras& /*resultExtras*/) {
770 return binder::Status::ok();
771 }
772
onDeviceIdle()773 virtual binder::Status onDeviceIdle() {
774 return binder::Status::ok();
775 }
776
onCaptureStarted(const CaptureResultExtras &,int64_t)777 virtual binder::Status onCaptureStarted(const CaptureResultExtras& /*resultExtras*/,
778 int64_t /*timestamp*/) {
779 return binder::Status::ok();
780 }
781
onResultReceived(const CameraMetadataInfo &,const CaptureResultExtras &,const std::vector<PhysicalCaptureResultInfo> &)782 virtual binder::Status onResultReceived(const CameraMetadataInfo& /*metadata*/,
783 const CaptureResultExtras& /*resultExtras*/,
784 const std::vector<PhysicalCaptureResultInfo>& /*physicalResultInfos*/) {
785 return binder::Status::ok();
786 }
787
onPrepared(int)788 virtual binder::Status onPrepared(int /*streamId*/) {
789 return binder::Status::ok();
790 }
791
onRepeatingRequestError(int64_t,int32_t)792 virtual binder::Status onRepeatingRequestError(
793 int64_t /*lastFrameNumber*/, int32_t /*stoppedSequenceId*/) {
794 return binder::Status::ok();
795 }
796
onRequestQueueEmpty()797 virtual binder::Status onRequestQueueEmpty() {
798 return binder::Status::ok();
799 }
800
onClientSharedAccessPriorityChanged(bool)801 virtual binder::Status onClientSharedAccessPriorityChanged(bool /*isPrimaryClient*/) {
802 return binder::Status::ok();
803 }
804
805 };
806
807 class Camera2Fuzzer {
808 public:
Camera2Fuzzer(sp<CameraService> cs,std::shared_ptr<FuzzedDataProvider> fp)809 Camera2Fuzzer(sp<CameraService> cs, std::shared_ptr<FuzzedDataProvider> fp) :
810 mCameraService(cs), mFuzzedDataProvider(fp) { };
~Camera2Fuzzer()811 ~Camera2Fuzzer() {}
812 void process();
813 private:
814 sp<CameraService> mCameraService = nullptr;
815 std::shared_ptr<FuzzedDataProvider> mFuzzedDataProvider = nullptr;
816 };
817
process()818 void Camera2Fuzzer::process() {
819 sp<TestCameraServiceListener> listener = new TestCameraServiceListener();
820 std::vector<hardware::CameraStatus> statuses;
821 mCameraService->addListenerTest(listener, &statuses);
822 for (auto s : statuses) {
823 sp<TestCameraDeviceCallbacks> callbacks(new TestCameraDeviceCallbacks());
824 sp<hardware::camera2::ICameraDeviceUser> device;
825
826 AttributionSourceState clientAttribution;
827 clientAttribution.deviceId = kDefaultDeviceId;
828 clientAttribution.uid = android::CameraService::USE_CALLING_UID;
829 clientAttribution.pid = android::CameraService::USE_CALLING_PID;
830 mCameraService->connectDevice(callbacks, s.cameraId,
831 0/*oomScoreDiff*/, /*targetSdkVersion*/__ANDROID_API_FUTURE__,
832 ROTATION_OVERRIDE_OVERRIDE_TO_PORTRAIT,
833 clientAttribution, /*devicePolicy*/0, /*sharedMode*/false, &device);
834 if (device == nullptr) {
835 continue;
836 }
837 device->beginConfigure();
838 auto [opaqueConsumer, surface] = BufferItemConsumer::create(
839 GRALLOC_USAGE_SW_READ_NEVER, /*maxImages*/ 8, /*controlledByApp*/ true);
840 opaqueConsumer->setName(String8("Roger"));
841
842 // Set to VGA dimension for default, as that is guaranteed to be present
843 opaqueConsumer->setDefaultBufferSize(640, 480);
844 opaqueConsumer->setDefaultBufferFormat(HAL_PIXEL_FORMAT_IMPLEMENTATION_DEFINED);
845
846 std::string noPhysicalId;
847 size_t rotations = sizeof(kRotations) / sizeof(int32_t) - 1;
848 ParcelableSurfaceType pSurface = flagtools::surfaceToParcelableSurfaceType(surface);
849 OutputConfiguration output(
850 pSurface,
851 kRotations[mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, rotations)],
852 noPhysicalId);
853
854 int streamId;
855 device->createStream(output, &streamId);
856 CameraMetadata sessionParams;
857 std::vector<int> offlineStreamIds;
858 device->endConfigure(/*isConstrainedHighSpeed*/ mFuzzedDataProvider->ConsumeBool(),
859 sessionParams, ns2ms(systemTime()), &offlineStreamIds);
860
861 CameraMetadata requestTemplate;
862 size_t requestTemplatesSize = sizeof(kRequestTemplates) /sizeof(int32_t) - 1;
863 device->createDefaultRequest(kRequestTemplates[
864 mFuzzedDataProvider->ConsumeIntegralInRange<size_t>(0, requestTemplatesSize)],
865 /*out*/&requestTemplate);
866 hardware::camera2::CaptureRequest request;
867 request.mSurfaceList.add(surface);
868 request.mIsReprocess = false;
869 hardware::camera2::utils::SubmitInfo info;
870 for (int i = 0; i < kNumRequestsTested; i++) {
871 uint8_t sensorPixelMode =
872 kSensorPixelModes[mFuzzedDataProvider->ConsumeBool() ? 1 : 0];
873 requestTemplate.update(ANDROID_SENSOR_PIXEL_MODE, &sensorPixelMode, 1);
874 request.mPhysicalCameraSettings.clear();
875 request.mPhysicalCameraSettings.push_back({s.cameraId, requestTemplate});
876 device->submitRequest(request, /*streaming*/false, /*out*/&info);
877 ALOGV("%s : camera id %s submit request id %d",__FUNCTION__, s.cameraId.c_str(),
878 info.mRequestId);
879 }
880 device->disconnect();
881 }
882 }
883
LLVMFuzzerInitialize(int *,char ***)884 extern "C" int LLVMFuzzerInitialize(int* /*argc*/, char*** /*argv*/) {
885 /* Create a FakeServiceManager instance and add required services */
886 gFsm = sp<FakeServiceManager>::make();
887 setDefaultServiceManager(gFsm);
888
889 auto configService = ndk::SharedRefBase::make<ConfigMock>();
890 CHECK_EQ(NO_ERROR, AServiceManager_addService(configService.get()->asBinder().get(),
891 "android.hardware.audio.core.IConfig/default"));
892
893 auto factoryService = ndk::SharedRefBase::make<FactoryMock>();
894 CHECK_EQ(NO_ERROR,
895 AServiceManager_addService(factoryService.get()->asBinder().get(),
896 "android.hardware.audio.effect.IFactory/default"));
897
898 auto moduleService = ndk::SharedRefBase::make<ModuleMock>();
899 CHECK_EQ(NO_ERROR, AServiceManager_addService(moduleService.get()->asBinder().get(),
900 "android.hardware.audio.core.IModule/default"));
901
902 // Disable creating thread pool for fuzzer instance of audio flinger
903 AudioSystem::disableThreadPool();
904
905 return 0;
906 }
907
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)908 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
909 if (size < 1) {
910 return 0;
911 }
912 setuid(AID_CAMERASERVER);
913 std::shared_ptr<FuzzedDataProvider> fp = std::make_shared<FuzzedDataProvider>(data, size);
914
915 for (const char* service :
916 {"sensor_privacy", "permission", "media.camera.proxy", "batterystats", "media.metrics",
917 "media.extractor", "drm.drmManager", "permission_checker"}) {
918 addService(String16(service), gFsm, fp.get());
919 }
920
921 std::call_once(gSmOnce, [&] {
922 const auto audioFlinger = sp<AudioFlinger>::make();
923 const auto afAdapter = sp<AudioFlingerServerAdapter>::make(audioFlinger);
924 CHECK_EQ(NO_ERROR,
925 gFsm->addService(String16(IAudioFlinger::DEFAULT_SERVICE_NAME),
926 IInterface::asBinder(afAdapter), false /* allowIsolated */,
927 IServiceManager::DUMP_FLAG_PRIORITY_DEFAULT));
928 sp<FuzzerActivityManager> am = new FuzzerActivityManager();
929 CHECK_EQ(NO_ERROR, gFsm->addService(String16("activity"), IInterface::asBinder(am)));
930 sp<FuzzerSensorPrivacyManager> sensorPrivacyManager = new FuzzerSensorPrivacyManager();
931 CHECK_EQ(NO_ERROR, gFsm->addService(String16("sensor_privacy"),
932 IInterface::asBinder(sensorPrivacyManager)));
933 sp<FuzzAppOpsService> appops = new FuzzAppOpsService();
934 CHECK_EQ(NO_ERROR, gFsm->addService(String16("appops"), IInterface::asBinder(appops)));
935 MediaPlayerService::instantiate();
936 gCameraService = new CameraService();
937 });
938 sp<CameraFuzzer> camerafuzzer = new CameraFuzzer(gCameraService, fp);
939 if (!camerafuzzer) {
940 return 0;
941 }
942 camerafuzzer->process();
943 Camera2Fuzzer camera2fuzzer(gCameraService, fp);
944 camera2fuzzer.process();
945 return 0;
946 }
947