typeattribute cameraserver camera_service_server; typeattribute cameraserver coredomain; init_daemon_domain(cameraserver) tmpfs_domain(cameraserver) allow cameraserver gpu_device:chr_file rw_file_perms; allow cameraserver gpu_device:dir r_dir_perms; allow cameraserver virtual_camera:binder call; binder_use(cameraserver) binder_call(cameraserver, binderservicedomain) binder_call(cameraserver, appdomain) binder_service(cameraserver) hal_client_domain(cameraserver, hal_camera) hal_client_domain(cameraserver, hal_graphics_allocator) allow cameraserver ion_device:chr_file rw_file_perms; allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms; # Talk with graphics composer fences allow cameraserver hal_graphics_composer:fd use; add_service(cameraserver, cameraserver_service) add_service(cameraserver, fwk_camera_service) add_hwservice(cameraserver, fwk_camera_hwservice) allow cameraserver activity_service:service_manager find; allow cameraserver appops_service:service_manager find; allow cameraserver audioserver_service:service_manager find; allow cameraserver batterystats_service:service_manager find; allow cameraserver cameraproxy_service:service_manager find; allow cameraserver mediaserver_service:service_manager find; allow cameraserver package_native_service:service_manager find; allow cameraserver permission_checker_service:service_manager find; allow cameraserver processinfo_service:service_manager find; allow cameraserver scheduling_policy_service:service_manager find; allow cameraserver sensor_privacy_service:service_manager find; allow cameraserver surfaceflinger_service:service_manager find; allow cameraserver hidl_token_hwservice:hwservice_manager find; allow cameraserver hal_camera_service:service_manager find; allow cameraserver virtual_camera_service:service_manager find; # Allow to talk with surfaceflinger through unix stream socket allow cameraserver surfaceflinger:unix_stream_socket { read write }; # Allow shell commands from ADB for CTS testing/dumping allow cameraserver adbd:fd use; allow cameraserver adbd:unix_stream_socket { read write }; allow cameraserver shell:fd use; allow cameraserver shell:unix_stream_socket { read write }; allow cameraserver shell:fifo_file { read write }; # allow self to set SCHED_FIFO allow cameraserver self:global_capability_class_set sys_nice; # Allow to talk with media codec allow cameraserver mediametrics_service:service_manager find; hal_client_domain(cameraserver, hal_codec2) hal_client_domain(cameraserver, hal_omx) hal_client_domain(cameraserver, hal_allocator) # Allow shell commands from ADB for CTS testing/dumping userdebug_or_eng(` allow cameraserver su:fd use; allow cameraserver su:fifo_file { read write }; allow cameraserver su:unix_stream_socket { read write }; ') ### ### neverallow rules ### # cameraserver should never execute any executable without a # domain transition neverallow cameraserver { file_type fs_type }:file execute_no_trans; # The goal of the mediaserver split is to place media processing code into # restrictive sandboxes with limited responsibilities and thus limited # permissions. Example: Audioserver is only responsible for controlling audio # hardware and processing audio content. Cameraserver does the same for camera # hardware/content. Etc. # # Media processing code is inherently risky and thus should have limited # permissions and be isolated from the rest of the system and network. # Lengthier explanation here: # https://android-developers.googleblog.com/2016/05/hardening-media-stack.html neverallow cameraserver domain:{ udp_socket rawip_socket } *; neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;