platform_system_sepolicy/public/hal_camera.te

hwbinder_use(hal_camera)
binder_call(hal_camera, cameraserver)

# access /data/misc/camera
allow hal_camera camera_data_file:dir create_dir_perms;
allow hal_camera camera_data_file:file create_file_perms;

allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms;
allow hal_camera hal_graphics_allocator:fd use;


###
### neverallow rules
###

# hal_camera should never execute any executable without a
# domain transition
neverallow hal_camera { file_type fs_type }:file execute_no_trans;

# hal_camera should never need network access. Disallow network sockets.
neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *;