1# cameraserver - camera daemon 2type cameraserver, domain; 3type cameraserver_exec, system_file_type, exec_type, file_type; 4type cameraserver_tmpfs, file_type; 5 6binder_use(cameraserver) 7binder_call(cameraserver, binderservicedomain) 8binder_call(cameraserver, appdomain) 9binder_service(cameraserver) 10 11hal_client_domain(cameraserver, hal_camera) 12 13hal_client_domain(cameraserver, hal_graphics_allocator) 14 15allow cameraserver ion_device:chr_file rw_file_perms; 16allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms; 17 18# Talk with graphics composer fences 19allow cameraserver hal_graphics_composer:fd use; 20 21add_service(cameraserver, cameraserver_service) 22add_service(cameraserver, fwk_camera_service) 23add_hwservice(cameraserver, fwk_camera_hwservice) 24 25allow cameraserver activity_service:service_manager find; 26allow cameraserver appops_service:service_manager find; 27allow cameraserver audioserver_service:service_manager find; 28allow cameraserver batterystats_service:service_manager find; 29allow cameraserver cameraproxy_service:service_manager find; 30allow cameraserver mediaserver_service:service_manager find; 31allow cameraserver package_native_service:service_manager find; 32allow cameraserver permission_checker_service:service_manager find; 33allow cameraserver processinfo_service:service_manager find; 34allow cameraserver scheduling_policy_service:service_manager find; 35allow cameraserver sensor_privacy_service:service_manager find; 36allow cameraserver surfaceflinger_service:service_manager find; 37 38allow cameraserver hidl_token_hwservice:hwservice_manager find; 39allow cameraserver hal_camera_service:service_manager find; 40allow cameraserver virtual_camera_service:service_manager find; 41 42# Allow to talk with surfaceflinger through unix stream socket 43allow cameraserver surfaceflinger:unix_stream_socket { read write }; 44 45### 46### neverallow rules 47### 48 49# cameraserver should never execute any executable without a 50# domain transition 51neverallow cameraserver { file_type fs_type }:file execute_no_trans; 52 53# The goal of the mediaserver split is to place media processing code into 54# restrictive sandboxes with limited responsibilities and thus limited 55# permissions. Example: Audioserver is only responsible for controlling audio 56# hardware and processing audio content. Cameraserver does the same for camera 57# hardware/content. Etc. 58# 59# Media processing code is inherently risky and thus should have limited 60# permissions and be isolated from the rest of the system and network. 61# Lengthier explanation here: 62# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html 63neverallow cameraserver domain:{ udp_socket rawip_socket } *; 64neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *; 65 66# Allow shell commands from ADB for CTS testing/dumping 67allow cameraserver adbd:fd use; 68allow cameraserver adbd:unix_stream_socket { read write }; 69allow cameraserver shell:fd use; 70allow cameraserver shell:unix_stream_socket { read write }; 71allow cameraserver shell:fifo_file { read write }; 72 73# Allow to talk with media codec 74allow cameraserver mediametrics_service:service_manager find; 75hal_client_domain(cameraserver, hal_codec2) 76hal_client_domain(cameraserver, hal_omx) 77hal_client_domain(cameraserver, hal_allocator) 78 79# Allow shell commands from ADB for CTS testing/dumping 80userdebug_or_eng(` 81 allow cameraserver su:fd use; 82 allow cameraserver su:fifo_file { read write }; 83 allow cameraserver su:unix_stream_socket { read write }; 84') 85