tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/virtual_camera.te
Jan Sebechlebsky 9999b0a332 Add missing SELinux rule for accessing GPU 
Bug: 301023410
Test: atest virtual_camera_tests CtsVirtualDevicesCameraTestCases CtsVirtualDevicesCameraCtsTestCases
Merged-In: Iaaab570fc2cb3b2bfe17f964a52b09a0549e0a8b
Change-Id: Iaaab570fc2cb3b2bfe17f964a52b09a0549e0a8b
2024-06-13 14:23:22 +00:00

58 lines
2.1 KiB
Text
Raw Blame History

# virtual_camera - virtual camera daemon
type virtual_camera, domain, coredomain;
type virtual_camera_exec, system_file_type, exec_type, file_type;
init_daemon_domain(virtual_camera)
# Since virtual_camera is not a real HAL we don't set the
# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
# we actually need from halserverdomain and hal_camera_server:
binder_use(virtual_camera)
binder_call(virtual_camera, cameraserver)
binder_call(virtual_camera, system_server)
# Allow virtual_camera to communicate with
# mediaserver (required for using Surface originating
# from virtual camera in mediaserver).
binder_call(virtual_camera, mediaserver)
# Required for the codecs to be able to decode
# video into surface provided by virtual camera.
hal_client_domain(virtual_camera, hal_codec2)
hal_client_domain(virtual_camera, hal_omx)
# Allow virtualCamera to call apps via binder.
binder_call(virtual_camera, appdomain)
# Allow virtual_camera to use fd from apps
allow virtual_camera { appdomain -isolated_app }:fd use;
# Allow virtual_camera to use fd from surface flinger
allow virtual_camera surfaceflinger:fd use;
# Only allow virtual_camera to add a virtual_camera_service and no one else.
add_service(virtual_camera, virtual_camera_service);
# Allow virtual_camera to map graphic buffers
hal_client_domain(virtual_camera, hal_graphics_allocator)
# Allow virtual_camera to use GPU
allow virtual_camera gpu_device:chr_file rw_file_perms;
allow virtual_camera gpu_device:dir r_dir_perms;
allow virtual_camera sysfs_gpu:file r_file_perms;
# Allow virtual camera to use graphics composer fd-s (fences).
allow virtual_camera hal_graphics_composer:fd use;
# For collecting bugreports.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;
# Needed for permission checks.
allow virtual_camera permission_service:service_manager find;
# Allow 'adb shell cmd' to configure test instances of camera.
allow virtual_camera adbd:fd use;
allow virtual_camera adbd:unix_stream_socket { getattr read write };
allow virtual_camera shell:fifo_file { getattr read write };
Reference in a new issue View git blame Copy permalink