9139ea1b2a
If a UID is idle (i.e. it has been in the background for more than a certain amount of time) it should not be able to use the camera. If a UID becomes idle we generate an error and close the cameras held by that UID. If an app in an idle UID tries to open the camera we immediately generate an error. Since apps are already expected to handle these errors, it is safe to apply this policy to all apps to protect user privacy. Test: Pass - cts-tradefed run cts -m CtsCameraTestCases Added - CameraTest#testCameraAccessForIdleUid Change-Id: I9ab3d6ec99764a93638746f18912ed60d299015f
# cameraserver - camera daemon
#
# cameraserver is one of the daemons carved out of the old monolithic
# mediaserver. It is meant to run in a tight sandbox: it talks to the camera
# HAL and to its binder clients, and nothing else. Keep every new rule here
# narrow, and keep the neverallow block at the bottom intact.
type cameraserver, domain;
type cameraserver_exec, exec_type, file_type;

# --- Binder ---------------------------------------------------------------
# cameraserver publishes its own binder service and makes binder calls into
# the system binder services and into app domains (presumably for client
# callbacks into the app-side camera API; confirm against the framework).
binder_use(cameraserver)
binder_service(cameraserver)
binder_call(cameraserver, binderservicedomain)
binder_call(cameraserver, appdomain)

# --- HALs and buffers -----------------------------------------------------
# Client of the camera HAL and of the graphics allocator HAL.
hal_client_domain(cameraserver, hal_camera)
hal_client_domain(cameraserver, hal_graphics_allocator)

# Read/write access to the ION device node.
allow cameraserver ion_device:chr_file rw_file_perms;

# Use fds handed over by the graphics composer HAL (composer fences).
allow cameraserver hal_graphics_composer:fd use;

# --- Service manager ------------------------------------------------------
# Register cameraserver_service with servicemanager.
add_service(cameraserver, cameraserver_service)

# System services cameraserver is allowed to look up. Note that "find" only
# grants the lookup; the call itself is covered by binder_call above.
# NOTE(review): the idle-UID camera policy described in the commit message is
# enforced in cameraserver/framework code, not by this sepolicy; the
# activity_service / appops_service / processinfo_service lookups below are
# presumably what that enforcement relies on -- confirm before trimming them.
allow cameraserver {
    activity_service
    appops_service
    audioserver_service
    batterystats_service
    cameraproxy_service
    mediaserver_service
    processinfo_service
    scheduling_policy_service
    surfaceflinger_service
}:service_manager find;

# HIDL token hwservice lookup (hwservicemanager).
allow cameraserver hidl_token_hwservice:hwservice_manager find;

# --- Debug / test hooks ---------------------------------------------------
# Let the adb shell drive dumpsys-style commands into cameraserver. These two
# rules are NOT gated by userdebug_or_eng, so they apply to user builds as
# well; the su rules below are limited to userdebug/eng builds.
allow cameraserver adbd:unix_stream_socket { read write };
allow cameraserver adbd:fd use;

# Same for su on userdebug/eng builds (CTS testing / dumping).
userdebug_or_eng(`
  allow cameraserver su:fd use;
  allow cameraserver su:{ fifo_file unix_stream_socket } { read write };
')

###
### neverallow rules
###

# cameraserver must never execute anything without a domain transition:
# no execute_no_trans on any file_type or fs_type.
neverallow cameraserver { file_type fs_type }:file execute_no_trans;

# Media processing code handles attacker-controlled content and is therefore
# kept off the network. The mediaserver split exists precisely so that each
# daemon (audioserver for audio, cameraserver for camera, ...) carries only
# the permissions its own job needs; see
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
#
# This rule covers the tcp/udp/rawip socket classes listed here, against every
# domain, for every permission.
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;