# SELinux policy for the cameraserver domain (framework camera service
# process). Rules are grouped by the peer the domain interacts with; the
# permission set is unchanged from the per-line form, only the layout and the
# comments differ.

typeattribute cameraserver camera_service_server;
typeattribute cameraserver coredomain;

# Started by init as a daemon; gets a private tmpfs type.
init_daemon_domain(cameraserver)
tmpfs_domain(cameraserver)

# Graphics and buffer memory: GPU device node (read/write), ION device,
# and the system dmabuf heap (read only).
allow cameraserver gpu_device:chr_file rw_file_perms;
allow cameraserver gpu_device:dir r_dir_perms;
allow cameraserver ion_device:chr_file rw_file_perms;
allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;

# Binder: this domain is itself a binder service and may call other binder
# services, apps, and the virtual_camera domain.
binder_use(cameraserver)
binder_service(cameraserver)
binder_call(cameraserver, binderservicedomain)
binder_call(cameraserver, appdomain)
allow cameraserver virtual_camera:binder call;

# HAL clients: camera HAL and graphics allocator HAL.
# The process:signal permission is scoped to the camera HAL server domain
# only; the reason it is required is not recorded in this file.
hal_client_domain(cameraserver, hal_camera)
allow cameraserver hal_camera_server:process signal;
hal_client_domain(cameraserver, hal_graphics_allocator)

# Fences shared by the graphics composer HAL arrive as file descriptors.
allow cameraserver hal_graphics_composer:fd use;

# Services this domain registers with servicemanager / hwservicemanager.
add_service(cameraserver, cameraserver_service)
add_service(cameraserver, fwk_camera_service)
add_hwservice(cameraserver, fwk_camera_hwservice)

# Services this domain looks up (find only). mediametrics_service is used
# on the media codec path; the rest are framework and camera services.
allow cameraserver {
  activity_service
  appops_service
  audioserver_service
  batterystats_service
  cameraproxy_service
  hal_camera_service
  mediametrics_service
  mediaserver_service
  package_native_service
  permission_checker_service
  processinfo_service
  scheduling_policy_service
  sensor_privacy_service
  surfaceflinger_service
  virtual_camera_service
}:service_manager find;
allow cameraserver hidl_token_hwservice:hwservice_manager find;

# surfaceflinger is reached over a unix stream socket.
allow cameraserver surfaceflinger:unix_stream_socket { read write };

# Shell commands from ADB (CTS testing / dumpsys): inherit adbd and shell
# descriptors and pipe data over their sockets and fifos.
allow cameraserver adbd:fd use;
allow cameraserver adbd:unix_stream_socket { read write };
allow cameraserver shell:fd use;
allow cameraserver shell:unix_stream_socket { read write };
allow cameraserver shell:fifo_file { read write };

# sys_nice on self so the process can set SCHED_FIFO for its own threads.
allow cameraserver self:global_capability_class_set sys_nice;

# Media codec path: codec2, OMX and allocator HAL clients.
hal_client_domain(cameraserver, hal_codec2)
hal_client_domain(cameraserver, hal_omx)
hal_client_domain(cameraserver, hal_allocator)

# Same ADB/CTS access as the adbd/shell rules above, but for the root shell
# (su), which only exists on userdebug and eng builds.
userdebug_or_eng(`
  allow cameraserver su:fd use;
  allow cameraserver su:fifo_file { read write };
  allow cameraserver su:unix_stream_socket { read write };
')

###
### neverallow rules
###
### These are build-time assertions: policy that grants any of the
### permissions below to cameraserver fails to compile.

# cameraserver should never execute any executable without a
# domain transition
neverallow cameraserver { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
#
# No network sockets at all towards any domain; tcp_socket is likewise
# forbidden, with su excluded only on userdebug/eng builds.
neverallow cameraserver domain:{ udp_socket rawip_socket } *;
neverallow cameraserver { domain userdebug_or_eng(`-su') }:tcp_socket *;