1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
|
# ==============================================================================
# Policy File of /vendor/bin/camerahalserver Executable File
# ==============================================================================
# Type Declaration
# ==============================================================================
type mtk_hal_camera, domain;
type mtk_hal_camera_exec, exec_type, file_type, vendor_file_type;
# ==============================================================================
# MTK Policy Rule
# ==============================================================================
# -----------------------------------
# Purpose: Binderized HAL Server
# -----------------------------------
# Set up a transition from init to the camerahalserver upon executing its binary.
init_daemon_domain(mtk_hal_camera)
# Allow a base set of permissions required for a domain to offer a
# HAL implementation of the specified type over HwBinder.
hal_server_domain(mtk_hal_camera, hal_camera)
# Allow camerahalserver to use HwBinder and vendor binder IPC.
hwbinder_use(mtk_hal_camera)
vndbinder_use(mtk_hal_camera)
allow mtk_hal_camera hwservicemanager_prop:file { open read getattr };
# -----------------------------------
# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks.
# -----------------------------------
# callback to cameraserver
binder_call(mtk_hal_camera, cameraserver)
# callback to shell for debugging
binder_call(mtk_hal_camera, shell)
# callback to /vendor/bin/aee_aedv for aee debugging
binder_call(mtk_hal_camera, aee_aedv)
# call the graphics allocator hal
binder_call(mtk_hal_camera, hal_graphics_allocator)
# call PowerHal
binder_call(mtk_hal_camera, mtk_hal_power)
# -----------------------------------
# Purpose: Allow camerahalserver to find a service from hwservice_manager
# -----------------------------------
allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
allow mtk_hal_camera mtk_hal_power_hwservice:hwservice_manager find;
allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };
allow mtk_hal_camera nvdata_file:lnk_file { read write getattr setattr read create open };
# -----------------------------------
# Purpose: Camera-related devices (driver)
# -----------------------------------
allow mtk_hal_camera proc:file { read ioctl open };
allow mtk_hal_camera sysfs:file { read write open getattr };
allow mtk_hal_camera camera_sysram_device:chr_file r_file_perms;
allow mtk_hal_camera camera_pipemgr_device:chr_file r_file_perms;
allow mtk_hal_camera camera_isp_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_dip_device:chr_file rw_file_perms;
allow mtk_hal_camera camera_tsf_device:chr_file rw_file_perms;
allow mtk_hal_camera kd_camera_hw_device:chr_file rw_file_perms;
allow mtk_hal_camera kd_camera_flashlight_device:chr_file rw_file_perms;
allow mtk_hal_camera lens_device:chr_file rw_file_perms;
# FDVT Driver
allow mtk_hal_camera camera_fdvt_device:chr_file rw_file_perms;
# DPE Driver
allow mtk_hal_camera camera_dpe_device:chr_file rw_file_perms;
# MFB Driver
allow mtk_hal_camera camera_mfb_device:chr_file rw_file_perms;
# WPE Driver
allow mtk_hal_camera camera_wpe_device:chr_file rw_file_perms;
# mtk_jpeg
allow mtk_hal_camera mtk_jpeg_device:chr_file r_file_perms;
allow mtk_hal_camera ccu_device:chr_file rw_file_perms;
allow mtk_hal_camera vpu_device:chr_file rw_file_perms;
# Purpose: RSC driver
allow mtk_hal_camera camera_rsc_device:chr_file rw_file_perms;
# Purpose: OWE driver
allow mtk_hal_camera camera_owe_device:chr_file rw_file_perms;
# Purpose: AF related
allow mtk_hal_camera MAINAF_device:chr_file rw_file_perms;
allow mtk_hal_camera MAIN2AF_device:chr_file rw_file_perms;
allow mtk_hal_camera SUBAF_device:chr_file rw_file_perms;
allow mtk_hal_camera FM50AF_device:chr_file rw_file_perms;
allow mtk_hal_camera AD5820AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9714AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9814AF_device:chr_file rw_file_perms;
allow mtk_hal_camera AK7345AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9714A_device:chr_file rw_file_perms;
allow mtk_hal_camera LC898122AF_device:chr_file rw_file_perms;
allow mtk_hal_camera LC898212AF_device:chr_file rw_file_perms;
allow mtk_hal_camera BU6429AF_device:chr_file rw_file_perms;
allow mtk_hal_camera DW9718AF_device:chr_file rw_file_perms;
allow mtk_hal_camera BU64745GWZAF_device:chr_file rw_file_perms;
# Purpose: Camera EEPROM Calibration
allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
# -----------------------------------
# Purpose: Other device drivers used by camera
# -----------------------------------
allow mtk_hal_camera ion_device:chr_file rw_file_perms;
allow mtk_hal_camera sw_sync_device:chr_file getattr;
allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
# -----------------------------------
# Purpose: Filesystem in Userspace (FUSE)
# - sdcard access (buffer dump for EM mode)
# -----------------------------------
allow mtk_hal_camera fuse:dir { search read write };
allow mtk_hal_camera fuse:file rw_file_perms;
# -----------------------------------
# Purpose: Storage access
# -----------------------------------
## Date : WK14.XX-15.XX
## nvram access
allow mtk_hal_camera block_device:dir { write search };
allow mtk_hal_camera nvram_data_file:dir { search add_name write create};
allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create open };
## nvram access (dumchar case for nand and legacy chip)
allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };
## Date : WK14.XX-15.XX
## sdcard access - dump for debug
allow mtk_hal_camera sdcard_type:dir { write add_name create };
allow mtk_hal_camera sdcard_type:file { append create getattr };
# -----------------------------------
# Purpose: property access
# -----------------------------------
allow mtk_hal_camera mtkcam_prop:file { open read getattr };
# -----------------------------------
# Android O
# Purpose: Shell Debugging
# -----------------------------------
# Purpose: Allow shell to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
# (used in user build)
allow mtk_hal_camera shell:unix_stream_socket { read write };
allow mtk_hal_camera shell:fifo_file write;
# -----------------------------------
# Android O
# Purpose: AEE Debugging
# -----------------------------------
# Purpose: Allow aee_dumpstate to invoke "lshal debug <interface>", where <interface> is "ICameraProvider".
allow mtk_hal_camera dumpstate:binder { call };
allow mtk_hal_camera dumpstate:unix_stream_socket { read write };
allow mtk_hal_camera dumpstate:fd { use };
allow mtk_hal_camera dumpstate:fifo_file write;
# -----------------------------------
# Android O
# Purpose: Debugging
# -----------------------------------
# Purpose: libmemunreachable.so/GetUnreachableMemory()
allow mtk_hal_camera self:process { ptrace };
################################################################################
# Date : WK14.XX-15.XX
# Operation : Copy from Media server
allow mtk_hal_camera self:capability { setuid ipc_lock sys_nice };
allow mtk_hal_camera sysfs_wake_lock:file rw_file_perms;
allow mtk_hal_camera nvdata_file:dir { write search add_name };
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
allow mtk_hal_camera proc_meminfo:file { read getattr open };
## Purpose : for low SD card latency issue
allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };
## Purpose : for change thermal policy when needed
allow mtk_hal_camera proc_mtkcooler:dir search;
allow mtk_hal_camera proc_mtktz:dir search;
allow mtk_hal_camera proc_thermal:dir search;
allow mtk_hal_camera thermal_manager_data_file:file create_file_perms;
allow mtk_hal_camera thermal_manager_data_file:dir { rw_dir_perms setattr };
## Purpose : cts search strange app
allow mtk_hal_camera untrusted_app:dir search;
## Purpose : offloadservice
allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
allow mtk_hal_camera storage_file:lnk_file {read write};
allow mtk_hal_camera mnt_user_file:dir {write read search};
allow mtk_hal_camera mnt_user_file:lnk_file {read write};
## Purpose: Allow mtk_hal_camera to read binder from surfaceflinger
allow mtk_hal_camera surfaceflinger:fifo_file {read write};
## Purpose : camera read/write /nvcfg/camera data
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
allow mtk_hal_camera nvcfg_file:file create_file_perms;
# Purpose : for camera init
allow mtk_hal_camera system_server:unix_stream_socket { read write };
################################################################################
# Date : WK16
# Operation : N Migration
## Purpose: research root dir "/"
allow mtk_hal_camera tmpfs:dir search;
## Purpose : EGL file access
allow mtk_hal_camera system_file:dir { read open };
allow mtk_hal_camera gpu_device:dir search;
allow mtk_hal_camera gpu_device:chr_file { read open write getattr ioctl };
## Purpose: Allow to access ged for gralloc_extra functions
allow mtk_hal_camera proc_ged:file {open read write ioctl getattr};
################################################################################
# Date : WK17
# Operation : O Migration
## Purpose: Allow to call hal_graphics_allocator binder.
allow mtk_hal_camera system_data_file:lnk_file read;
allow mtk_hal_camera debugfs_tracing:file { write open };
## Purpose : camera3 IT/CTS
allow mtk_hal_camera debugfs_ion:dir search;
allow mtk_hal_camera hal_graphics_composer_default:fd use;
allow mtk_hal_camera property_socket:sock_file write;
# Date : WK17.30
# Operation : O Migration
# Purpose: Allow to access cmdq driver
allow mtk_hal_camera mtk_cmdq_device:chr_file { read ioctl open };
# Date : WK17.36
# Operation : O Migration
# Purpose: Allow to access battery status
allow mtk_hal_camera sysfs_batteryinfo:dir search;
allow mtk_hal_camera sysfs_batteryinfo:file { getattr open read };
# Date : WK17.39
# Operation : O Migration
# Purpose: Change thermal config
allow mtk_hal_camera mtk_thermal_config_prop:property_service set;
# Date : WK18.31
# Stage: P Migration
# Purpose: CCT
allow mtk_hal_camera graphics_device:chr_file { read write ioctl open };
allow mtk_hal_camera graphics_device:dir search;
allow mtk_hal_camera cct_data_file:dir create_dir_perms;
allow mtk_hal_camera cct_data_file:file create_file_perms;
allow mtk_hal_camera cct_data_file:fifo_file create_file_perms;
allow mtk_hal_camera sysfs_boot_mode:file { read open };
allow mtk_hal_camera mnt_vendor_file:dir create_dir_perms;
allow mtk_hal_camera mnt_vendor_file:fifo_file create_file_perms;
# Date : WK18.01
# Operation : label aee_aed sockets
# Purpose : Engineering mode need access for aee commmand
userdebug_or_eng(`
allow mtk_hal_camera aee_aedv:unix_stream_socket connectto;
')
# Date : WK18.02
# Stage: O Migration
# Purpose: ISP tuning remapping
allow mtk_hal_camera mediatek_prop:property_service set;
# Date : WK18.22
# Stage: p Migration
# Purpose: NVRAM
allow mtk_hal_camera nvram_data_file:dir search;
allow mtk_hal_camera nvram_data_file:file rw_file_perms;
allow mtk_hal_camera nvram_data_file:lnk_file read;
allow mtk_hal_camera nvdata_file:lnk_file read;
allow mtk_hal_camera nvdata_file:dir create_dir_perms;
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
allow mtk_hal_camera nvcfg_file:lnk_file read;
allow mtk_hal_camera nvcfg_file:dir create_dir_perms;
allow mtk_hal_camera nvcfg_file:file { read write getattr setattr open create };
allow mtk_hal_camera mnt_vendor_file:dir search;
allow mtk_hal_camera mnt_vendor_file:file create_file_perms;
|
