Merge "brillo: Rely on static SELinux policy for camera"
diff --git a/services/camera/libcameraservice/CameraService.cpp b/services/camera/libcameraservice/CameraService.cpp
index 41d812b..1cf1512 100644
--- a/services/camera/libcameraservice/CameraService.cpp
+++ b/services/camera/libcameraservice/CameraService.cpp
@@ -864,17 +864,6 @@
int callingPid = getCallingPid();
- if (clientUid == USE_CALLING_UID) {
- clientUid = getCallingUid();
- } else {
- // We only trust our own process to forward client UIDs
- if (callingPid != getpid()) {
- ALOGE("CameraService::connect X (PID %d) rejected (don't trust clientUid %d)",
- callingPid, clientUid);
- return PERMISSION_DENIED;
- }
- }
-
if (!mModule) {
ALOGE("CameraService::connect X (PID %d) rejected (camera HAL module not loaded)",
callingPid);
@@ -887,6 +876,31 @@
return -ENODEV;
}
+#if !defined(__BRILLO__)
+ status_t allowed = validateClientPermissionsLocked(cameraId, clientUid);
+ if (allowed != OK) {
+ return allowed;
+ }
+#endif // defined(__BRILLO__)
+
+ return checkIfDeviceIsUsable(cameraId);
+}
+
+status_t CameraService::validateClientPermissionsLocked(const String8& cameraId, int& clientUid)
+ const {
+ int callingPid = getCallingPid();
+
+ if (clientUid == USE_CALLING_UID) {
+ clientUid = getCallingUid();
+ } else {
+ // We only trust our own process to forward client UIDs
+ if (callingPid != getpid()) {
+ ALOGE("CameraService::connect X (PID %d) rejected (don't trust clientUid %d)",
+ callingPid, clientUid);
+ return PERMISSION_DENIED;
+ }
+ }
+
// Check device policy for this camera
char value[PROPERTY_VALUE_MAX];
char key[PROPERTY_KEY_MAX];
@@ -909,7 +923,7 @@
return PERMISSION_DENIED;
}
- return checkIfDeviceIsUsable(cameraId);
+ return OK;
}
status_t CameraService::checkIfDeviceIsUsable(const String8& cameraId) const {
diff --git a/services/camera/libcameraservice/CameraService.h b/services/camera/libcameraservice/CameraService.h
index 4b0eeb7..13f6f82 100644
--- a/services/camera/libcameraservice/CameraService.h
+++ b/services/camera/libcameraservice/CameraService.h
@@ -482,6 +482,7 @@
// Check if we can connect, before we acquire the service lock.
status_t validateConnectLocked(const String8& cameraId, /*inout*/int& clientUid) const;
+ status_t validateClientPermissionsLocked(const String8& cameraId, /*inout*/int& clientUid) const;
// Handle active client evictions, and update service state.
// Only call with with mServiceLock held.