Merge "brillo: Rely on static SELinux policy for camera"
diff --git a/services/camera/libcameraservice/CameraService.cpp b/services/camera/libcameraservice/CameraService.cpp
index 41d812b..1cf1512 100644
--- a/services/camera/libcameraservice/CameraService.cpp
+++ b/services/camera/libcameraservice/CameraService.cpp
@@ -864,17 +864,6 @@
 
     int callingPid = getCallingPid();
 
-    if (clientUid == USE_CALLING_UID) {
-        clientUid = getCallingUid();
-    } else {
-        // We only trust our own process to forward client UIDs
-        if (callingPid != getpid()) {
-            ALOGE("CameraService::connect X (PID %d) rejected (don't trust clientUid %d)",
-                    callingPid, clientUid);
-            return PERMISSION_DENIED;
-        }
-    }
-
     if (!mModule) {
         ALOGE("CameraService::connect X (PID %d) rejected (camera HAL module not loaded)",
                 callingPid);
@@ -887,6 +876,31 @@
         return -ENODEV;
     }
 
+#if !defined(__BRILLO__)
+    status_t allowed = validateClientPermissionsLocked(cameraId, clientUid);
+    if (allowed != OK) {
+        return allowed;
+    }
+#endif  // defined(__BRILLO__)
+
+    return checkIfDeviceIsUsable(cameraId);
+}
+
+status_t CameraService::validateClientPermissionsLocked(const String8& cameraId, int& clientUid)
+        const {
+    int callingPid = getCallingPid();
+
+    if (clientUid == USE_CALLING_UID) {
+        clientUid = getCallingUid();
+    } else {
+        // We only trust our own process to forward client UIDs
+        if (callingPid != getpid()) {
+            ALOGE("CameraService::connect X (PID %d) rejected (don't trust clientUid %d)",
+                    callingPid, clientUid);
+            return PERMISSION_DENIED;
+        }
+    }
+
     // Check device policy for this camera
     char value[PROPERTY_VALUE_MAX];
     char key[PROPERTY_KEY_MAX];
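Review bot: With `__BRILLO__` defined, the `#if !defined(__BRILLO__)` block compiles out more than the permission and device-policy checks, because the `clientUid` handling now lives inside `validateClientPermissionsLocked`. `USE_CALLING_UID` is never replaced by `getCallingUid()`, and a `clientUid` forwarded by another process is no longer rejected by the `callingPid != getpid()` test. If code after `validateConnectLocked` uses `clientUid` for attribution or client eviction (not visible in this hunk), it would act on a sentinel or a caller-chosen UID. Consider keeping the UID resolution and trust check in `validateConnectLocked` ahead of the `#if` and gating only the policy checks. The trailing comment should also match the condition, `#endif  // !defined(__BRILLO__)`; both functions extend beyond this hunk.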
@@ -909,7 +923,7 @@
         return PERMISSION_DENIED;
     }
 
-    return checkIfDeviceIsUsable(cameraId);
+    return OK;
 }
 
 status_t CameraService::checkIfDeviceIsUsable(const String8& cameraId) const {
diff --git a/services/camera/libcameraservice/CameraService.h b/services/camera/libcameraservice/CameraService.h
index 4b0eeb7..13f6f82 100644
--- a/services/camera/libcameraservice/CameraService.h
+++ b/services/camera/libcameraservice/CameraService.h
@@ -482,6 +482,7 @@
 
     // Check if we can connect, before we acquire the service lock.
     status_t validateConnectLocked(const String8& cameraId, /*inout*/int& clientUid) const;
+    status_t validateClientPermissionsLocked(const String8& cameraId, /*inout*/int& clientUid) const;
 
     // Handle active client evictions, and update service state.
     // Only call with with mServiceLock held.
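Review bot: The added declaration `validateClientPermissionsLocked` has no comment of its own and sits under "Check if we can connect, before we acquire the service lock.", which was written for `validateConnectLocked`. A line above it such as `// Resolve clientUid and check caller trust and device policy; not called when __BRILLO__ is defined.` would tell readers that the in/out `clientUid` is only normalised on non-Brillo builds. It would also help to state what the `Locked` suffix promises here, since the neighbouring comment says this path runs before the service lock is taken.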