Add selinux permissions for DeviceAsWebcam Service

DeviceAsWebcam is a new service that turns an android device into a
webcam. It requires access to all services that a
regular app needs access to, and it requires read/write permission to
/dev/video* nodes which is how the linux kernel mounts the UVC gadget.

Bug: 242344221
Bug: 242344229
Test: Manually tested that the service can access all the nodes it
      needs, and no selinux exceptions are reported for the service
      when running.
Change-Id: I45c5df105f5b0c31dd6a733f50eb764479d18e9f

private/app.te

@@ -503,4 +503,20 @@ neverallow {
   -dalvikcache_data_file
   -system_data_file # shared libs in apks
   -apk_data_file
-}:file no_x_file_perms;
+}:file no_x_file_perms;
+
+# Don't allow apps access to any of the following character devices.
+neverallow appdomain {
+    audio_device
+    camera_device
+    dm_device
+    radio_device
+    rpmsg_device
+}:chr_file { read write };
+
+# Block video device access for all apps except the DeviceAsWebcam Service which
+# needs access to /dev/video* for interfacing with the host
+neverallow {
+    appdomain
+    -device_as_webcam
+} video_device:chr_file { read write };

private/compat/33.0/33.0.ignore.cil

@@ -11,6 +11,7 @@
     bt_device
     build_attestation_prop
     credential_service
+    device_as_webcam
     device_config_camera_native_prop
     device_config_memory_safety_native_boot_prop
     device_config_memory_safety_native_prop

private/device_as_webcam.te

@@ -0,0 +1,21 @@
+# Domain for DeviceAsWebcam Service
+type device_as_webcam, domain, coredomain, mlstrustedsubject;
+
+app_domain(device_as_webcam)
+
+allow device_as_webcam system_app_data_file:dir create_dir_perms;
+allow device_as_webcam system_app_data_file:file create_file_perms;
+
+allow device_as_webcam { app_api_service cameraserver_service }:service_manager find;
+
+# Allow DeviceAsWebcam Service needs to access ro.usb.uvc.enabled property to
+# enale/disable itself
+get_prop(device_as_webcam, usb_uvc_enabled_prop)
+
+# need to access /dev to list all devices
+allow device_as_webcam device:dir r_dir_perms;
+
+# UVC nodes are mounted as V4L2 nodes (/dev/video*) on the device. These need to
+# be accessed by the DeviceAsWebcam Service.
+allow device_as_webcam video_device:dir r_dir_perms;
+allow device_as_webcam video_device:chr_file rw_file_perms;

private/seapp_contexts

@@ -154,6 +154,7 @@ neverallow name=com.android.sdksandbox domain=((?!sdk_sandbox).)*
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=_app isPrivApp=true name=com.android.remoteprovisioner domain=remote_prov_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
+user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
@@ -190,4 +191,3 @@ user=_app minTargetSdkVersion=26 domain=untrusted_app_27 type=app_data_file leve
 user=_app domain=untrusted_app_25 type=app_data_file levelFrom=user
 user=_app minTargetSdkVersion=28 fromRunAs=true domain=runas_app levelFrom=all
 user=_app fromRunAs=true domain=runas_app levelFrom=user
-

public/app.te

@@ -21,16 +21,6 @@ neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
 
-# Access to any of the following character devices.
-neverallow appdomain {
-    audio_device
-    camera_device
-    dm_device
-    radio_device
-    rpmsg_device
-    video_device
-}:chr_file { read write };
-
 # Note: Try expanding list of app domains in the future.
 neverallow { untrusted_app isolated_app shell } graphics_device:chr_file { read write };