I'm proposing two items:

1. Adding a neverallow on appdomain to video_device
2. Killing camera_device

Where item 2 is a dependency of item 1, but item 1 can stand alone.

Camera device:

Looking at this, it appears that it would open up a device off limits to surfaceflinger in the base policy currently.

external/sepolicy$ grep -rn camera_device *
app.te:243: camera_device
device.te:9:type camera_device, dev_type;
file_contexts:63:/dev/cam u:object_r:camera_device:s0
mediaserver.te:51:allow mediaserver camera_device:chr_file rw_file_perms;

external/sepolicy$ grep -rn video_device *
device.te:41:type video_device, dev_type;
file_contexts:92:/dev/nvhdcp1 u:object_r:video_device:s0
file_contexts:125:/dev/tegra.* u:object_r:video_device:s0
file_contexts:137:/dev/video[0-9]* u:object_r:video_device:s0
mediaserver.te:27:allow mediaserver video_device:dir r_dir_perms;
mediaserver.te:28:allow mediaserver video_device:chr_file rw_file_perms;
surfaceflinger.te:30:allow surfaceflinger video_device:dir r_dir_perms;
surfaceflinger.te:31:allow surfaceflinger video_device:chr_file rw_file_perms;
system_server.te:172:allow system_server video_device:dir r_dir_perms;
system_server.te:173:allow system_server video_device:chr_file rw_file_perms;

This could also simplify policy for:

./lge/hammerhead/sepolicy/file_contexts:76:/dev/video([0-9])+ u:object_r:camera_device:s0
./asus/flo/sepolicy/file_contexts:78:/dev/video([0-9])+ u:object_r:camera_device:s0

Also, I noticed that Angler is doing some weird override:

./huawei/angler/sepolicy/file_contexts:32:/dev/video([0-9])+ u:object_r:video_device:s0

I don't know what they intended, since file_contexts in base policy covers that.

Appdomain neverallow on video_device:

Additionally, there is a neverallow in app.te restricting application access to the camera_device; this could be changed to video_device. I am not super familiar with how video devices should be brought up for image processing, etc. within the Android system, but it appears that mediaserver would be the right spot: https://source.android.com/devices.
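As an added example (not from the original post, and not the checkpolicy implementation that actually enforces this at build time), here is a small Python checker that shows what the proposed "neverallow appdomain video_device" buys: attributes are expanded to their member types, and every allow rule whose source, target, class and permissions overlap a neverallow is reported. The policy fragment, the type names untrusted_app and system_app, and the rw_file_perms expansion are all constructed for the example and are not the real AOSP policy text.

```python
"""Toy neverallow checker over a constructed SEAndroid policy fragment.

Added example, not the AOSP checkpolicy code: it expands attributes to their
member types, then reports every allow rule that overlaps a neverallow rule.
This is the check that makes a neverallow on appdomain -> video_device fail
the policy build if any app domain is ever granted that access.
"""
import re

# Constructed approximation of the rw_file_perms macro, not the real
# global_macros definition.
MACROS = {
    "rw_file_perms": {"open", "read", "write", "getattr", "lock", "ioctl", "append"},
}

# Constructed policy fragment for illustration only; not actual AOSP policy.
POLICY_WITH_VIOLATION = """
attribute domain;
attribute appdomain;
attribute dev_type;
type video_device, dev_type;
type mediaserver, domain;
type untrusted_app, domain, appdomain;
type system_app, domain, appdomain;
allow mediaserver video_device:chr_file rw_file_perms;
allow untrusted_app video_device:chr_file { read write };
neverallow appdomain video_device:chr_file { read write };
"""

# Same fragment with the offending allow removed; this one should build clean.
POLICY_CLEAN = POLICY_WITH_VIOLATION.replace(
    "allow untrusted_app video_device:chr_file { read write };\n", "")

RULE_RE = re.compile(r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+);$")
TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([^;]+))?;$")


def expand_perms(perms):
    """'{ read write }' -> {'read', 'write'}; a bare name may be a macro."""
    if perms.startswith("{"):
        return set(perms.strip("{} ").split())
    return set(MACROS.get(perms, {perms}))


def parse_policy(text):
    """Return (attribute -> set of member types, list of parsed rules)."""
    members = {}
    rules = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line.startswith("attribute "):
            members.setdefault(line[len("attribute "):].rstrip(";").strip(), set())
            continue
        m = TYPE_RE.match(line)
        if m:
            name, attrs = m.group(1), m.group(2) or ""
            for attr in (a.strip() for a in attrs.split(",") if a.strip()):
                members.setdefault(attr, set()).add(name)
            continue
        m = RULE_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, src, tgt, cls, expand_perms(perms)))
    return members, rules


def expand_types(name, members):
    """An attribute stands for all its member types; a plain type is itself."""
    return set(members[name]) if name in members else {name}


def check_neverallows(text):
    """Return one description per allow rule that overlaps a neverallow."""
    members, rules = parse_policy(text)
    allows = [r for r in rules if r[0] == "allow"]
    violations = []
    for _, nsrc, ntgt, ncls, nperms in (r for r in rules if r[0] == "neverallow"):
        nsrcs, ntgts = expand_types(nsrc, members), expand_types(ntgt, members)
        for _, asrc, atgt, acls, aperms in allows:
            if acls != ncls:
                continue
            src_hit = expand_types(asrc, members) & nsrcs
            tgt_hit = expand_types(atgt, members) & ntgts
            perm_hit = aperms & nperms
            if src_hit and tgt_hit and perm_hit:
                violations.append(
                    f"allow {asrc} {atgt}:{acls} {{ {' '.join(sorted(perm_hit))} }} "
                    f"violates neverallow {nsrc} {ntgt}:{ncls}")
    return violations


if __name__ == "__main__":
    for name, policy in (("with violation", POLICY_WITH_VIOLATION), ("clean", POLICY_CLEAN)):
        print(name, "->", check_neverallows(policy) or "no neverallow violations")
```

The mediaserver rule passes because mediaserver is not a member of appdomain, which is exactly the split the proposal relies on: the media stack keeps its video_device access while no app domain can ever be granted it, regardless of what a device-specific overlay adds.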
_______________________________________________ Seandroid-list mailing list [email protected] To unsubscribe, send email to [email protected]. To get help, send an email containing "help" to [email protected].
