ab2c681fb1
This adds restrictions on which domains can register this HwBinder
service with hwservicemanager and which domains can obtain tokens for
this service from hwservicemanager.
Test: Use Google Camera app to take HDR+ photo, conventional photo,
record video with sound, record slow motion video with sound.
Check that the photos display correctly and that videos play
back fine and with sound. Check that there are no SELinux
denials to do with camera.
Bug: 34454312
Change-Id: Icfaeed917423510d9f97d18b013775596883ff64
45 lines
1.8 KiB
Text
45 lines
1.8 KiB
Text
# cameraserver - camera daemon
|
|
type cameraserver, domain;
|
|
type cameraserver_exec, exec_type, file_type;
|
|
|
|
binder_use(cameraserver)
|
|
binder_call(cameraserver, binderservicedomain)
|
|
binder_call(cameraserver, appdomain)
|
|
binder_service(cameraserver)
|
|
|
|
hal_client_domain(cameraserver, hal_camera)
|
|
allow cameraserver hw_camera_provider_ICameraProvider:hwservice_manager find;
|
|
|
|
hal_client_domain(cameraserver, hal_graphics_allocator)
|
|
|
|
allow cameraserver ion_device:chr_file rw_file_perms;
|
|
|
|
add_service(cameraserver, cameraserver_service)
|
|
allow cameraserver appops_service:service_manager find;
|
|
allow cameraserver audioserver_service:service_manager find;
|
|
allow cameraserver batterystats_service:service_manager find;
|
|
allow cameraserver cameraproxy_service:service_manager find;
|
|
allow cameraserver mediaserver_service:service_manager find;
|
|
allow cameraserver processinfo_service:service_manager find;
|
|
allow cameraserver scheduling_policy_service:service_manager find;
|
|
allow cameraserver surfaceflinger_service:service_manager find;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# cameraserver should never execute any executable without a
|
|
# domain transition
|
|
neverallow cameraserver { file_type fs_type }:file execute_no_trans;
|
|
|
|
# The goal of the mediaserver split is to place media processing code into
|
|
# restrictive sandboxes with limited responsibilities and thus limited
|
|
# permissions. Example: Audioserver is only responsible for controlling audio
|
|
# hardware and processing audio content. Cameraserver does the same for camera
|
|
# hardware/content. Etc.
|
|
#
|
|
# Media processing code is inherently risky and thus should have limited
|
|
# permissions and be isolated from the rest of the system and network.
|
|
# Lengthier explanation here:
|
|
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
|
|
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
|