Merge "Policy for virtual_camera" into main am: bb59231998 am: 2199233cfd am: 3674481782

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/2655420

Change-Id: I50e5361dbd21b189292b771c38764ab082aa9b05
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

build/soong/service_fuzzer_bindings.go

@@ -51,6 +51,7 @@ var (
 		"android.hardware.broadcastradio.IBroadcastRadio/dab":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.bluetooth.IBluetoothHci/default":                        EXCEPTION_NO_FUZZER,
 		"android.hardware.camera.provider.ICameraProvider/internal/0":             EXCEPTION_NO_FUZZER,
+		"android.hardware.camera.provider.ICameraProvider/virtual/0":              EXCEPTION_NO_FUZZER,
 		"android.hardware.cas.IMediaCasService/default":                           EXCEPTION_NO_FUZZER,
 		"android.hardware.confirmationui.IConfirmationUI/default":                 []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
 		"android.hardware.contexthub.IContextHub/default":                         EXCEPTION_NO_FUZZER,
@@ -449,6 +450,7 @@ var (
 		"vibrator":                     EXCEPTION_NO_FUZZER,
 		"vibrator_manager":             EXCEPTION_NO_FUZZER,
 		"virtualdevice":                EXCEPTION_NO_FUZZER,
+		"virtual_camera_service":       EXCEPTION_NO_FUZZER,
 		"virtual_touchpad":             EXCEPTION_NO_FUZZER,
 		"voiceinteraction":             EXCEPTION_NO_FUZZER,
 		"vold":                         []string{"vold_native_service_fuzzer"},

private/compat/34.0/34.0.ignore.cil

@@ -8,4 +8,5 @@
     ota_build_prop
     snapuserd_log_data_file
     hal_threadnetwork_service
+    virtual_camera_service
   ))

private/seapp_contexts

@@ -161,6 +161,7 @@ neverallow user=_sdksandbox domain=((?!sdk_sandbox).)*
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
+user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file

private/service_contexts

@@ -33,6 +33,7 @@ android.hardware.broadcastradio.IBroadcastRadio/dab                  u:object_r:
 # The instance here is internal/0 following naming convention for ICameraProvider.
 # It advertises internal camera devices.
 android.hardware.camera.provider.ICameraProvider/internal/0          u:object_r:hal_camera_service:s0
+android.hardware.camera.provider.ICameraProvider/virtual/0           u:object_r:virtual_camera_service:s0
 android.hardware.cas.IMediaCasService/default                        u:object_r:hal_cas_service:s0
 android.hardware.confirmationui.IConfirmationUI/default              u:object_r:hal_confirmationui_service:s0
 android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0

private/system_server.te

@@ -960,6 +960,7 @@ allow system_server stats_service:service_manager find;
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
+allow system_server virtual_camera_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 allow system_server logd_service:service_manager find;

private/virtual_camera.te

@@ -0,0 +1,16 @@
+# virtual_camera - virtual camera daemon
+
+type virtual_camera, domain, coredomain;
+
+app_domain(virtual_camera)
+
+allow virtual_camera system_app_data_file:dir create_dir_perms;
+allow virtual_camera system_app_data_file:file create_file_perms;
+
+allow virtual_camera activity_service:service_manager find;
+
+# hal_server_domain adds this rule to prevent any other domain from adding
+# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
+# so we use app_domain and manully add the neverallow
+allow virtual_camera virtual_camera_service:service_manager add;
+neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;

public/cameraserver.te

@@ -37,6 +37,7 @@ allow cameraserver surfaceflinger_service:service_manager find;
 
 allow cameraserver hidl_token_hwservice:hwservice_manager find;
 allow cameraserver hal_camera_service:service_manager find;
+allow cameraserver virtual_camera_service:service_manager find;
 
 # Allow to talk with surfaceflinger through unix stream socket
 allow cameraserver surfaceflinger:unix_stream_socket { read write };

public/service.te

@@ -49,6 +49,7 @@ type system_suspend_control_service, service_manager_type;
 type update_engine_service,     service_manager_type;
 type update_engine_stable_service, service_manager_type;
 type virtualization_service,    service_manager_type;
+type virtual_camera_service,    service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;