# IPC for the camera HAL domain. Both lines are policy macros whose
# expansion lives outside this file.
# NOTE(review): confirm the exact permissions each macro grants in this
# tree before treating the summaries below as complete.

# Let hal_camera make binder calls to cameraserver.
binder_call(hal_camera, cameraserver)
# Let hal_camera use hwbinder.
hwbinder_use(hal_camera)

# Camera data under /data/misc/camera (camera_data_file in the rules below).
# These are the create_* permission sets, so hal_camera can create and
# modify entries there as well as read them. That makes this directory
# writable state owned by the HAL; anything else that reads it should
# treat its contents as HAL-controlled.
allow hal_camera camera_data_file:file create_file_perms;
allow hal_camera camera_data_file:dir create_dir_perms;

# Device nodes the camera HAL opens directly.

# Read-only directory access on video_device (needed to look up nodes).
allow hal_camera video_device:dir r_dir_perms;

# The video, camera and ion character devices all get the same read/write
# permission set, so they are granted with one type set instead of three
# separate rules. The resulting policy is the same.
allow hal_camera { video_device camera_device ion_device }:chr_file rw_file_perms;

# Use (not open) file descriptors that belong to the graphics allocator HAL,
# e.g. descriptors handed over through IPC.
allow hal_camera hal_graphics_allocator:fd use;

#
# neverallow rules
#
# These are assertions checked when the policy is built: they grant nothing
# at runtime, but any allow rule that contradicts one fails the build.

# hal_camera must not run an executable in its own domain. execute_no_trans
# is denied for every file and filesystem type, so anything it executes has
# to go through a domain transition.
neverallow hal_camera { file_type fs_type }:file execute_no_trans;

# hal_camera has no reason to use the network: assert that it is never
# granted any permission on TCP, UDP or raw IP sockets.
# NOTE(review): only the three classes listed here are covered; other
# socket classes are outside this assertion and would need their own rule
# if they should be ruled out too.
neverallow hal_camera domain:{
    tcp_socket
    udp_socket
    rawip_socket
} *;