tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/hal_camera.te
Alex Klyubin ab2c681fb1 Policy for Camera HAL HwBinder service 
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.

Test: Use Google Camera app to take HDR+ photo, conventional photo,
      record video with sound, record slow motion video with sound.
      Check that the photos display correctly and that videos play
      back fine and with sound. Check that there are no SELinux
      denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
2017-04-13 10:31:04 -07:00

36 lines
1.4 KiB
Text
Raw Blame History

# HwBinder IPC from clients to server and callbacks
binder_call(hal_camera_client, hal_camera_server)
binder_call(hal_camera_server, hal_camera_client)
add_hwservice(hal_camera_server, hw_camera_provider_ICameraProvider)
# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
allow hal_camera camera_data_file:file create_file_perms;
allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
# Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
# Allow hal_camera to use fd from app,gralloc,and ashmem HAL
allow hal_camera { appdomain -isolated_app }:fd use;
allow hal_camera surfaceflinger:fd use;
allow hal_camera hal_allocator_server:fd use;
###
### neverallow rules
###
# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera { file_type fs_type }:file execute_no_trans;
# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;
# Only camera HAL may directly access the camera and video hardware
neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *;
neverallow { halserverdomain -hal_camera_server } video_device:chr_file *;
Reference in a new issue View git blame Copy permalink