1# HwBinder IPC from clients to server and callbacks 2binder_call(hal_camera_client, hal_camera_server) 3binder_call(hal_camera_server, hal_camera_client) 4 5#binder IPC from client to service manager and callbacks 6binder_use(hal_camera_server) 7 8hal_attribute_hwservice(hal_camera, hal_camera_hwservice) 9hal_attribute_service(hal_camera, hal_camera_service) 10 11allow hal_camera device:dir r_dir_perms; 12allow hal_camera video_device:dir r_dir_perms; 13allow hal_camera video_device:chr_file rw_file_perms; 14allow hal_camera camera_device:chr_file rw_file_perms; 15allow hal_camera ion_device:chr_file rw_file_perms; 16allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms; 17 18# Both the client and the server need to use the graphics allocator 19allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use; 20 21# Allow hal_camera to use fd from app,gralloc,and ashmem HAL 22allow hal_camera { appdomain -isolated_app }:fd use; 23allow hal_camera surfaceflinger:fd use; 24allow hal_camera hal_allocator_server:fd use; 25 26# Needed to provide debug dump output via dumpsys' pipes. 27allow hal_camera shell:fd use; 28allow hal_camera shell:fifo_file write; 29 30### 31### neverallow rules 32### 33 34# hal_camera should never execute any executable without a 35# domain transition 36neverallow hal_camera_server { file_type fs_type }:file execute_no_trans; 37 38# hal_camera should never need network access. Disallow network sockets. 39neverallow hal_camera_server { domain userdebug_or_eng(`-su') }:{ tcp_socket udp_socket rawip_socket } *; 40 41# Only camera HAL may directly access the camera hardware 42neverallow { halserverdomain -hal_camera_server } camera_device:chr_file *; 43