xref: /aosp_15_r20/system/sepolicy/private/virtual_camera.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
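# virtual_camera - virtual camera daemon

type virtual_camera, domain, coredomain;
type virtual_camera_exec, system_file_type, exec_type, file_type;

# Run the daemon in the virtual_camera domain when init starts the
# virtual_camera_exec binary.
init_daemon_domain(virtual_camera)

# Since virtual_camera is not a real HAL we don't set the
# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
# we actually need from halserverdomain and hal_camera_server:
binder_use(virtual_camera)
binder_call(virtual_camera, cameraserver)
binder_call(virtual_camera, system_server)

# Allow virtual_camera to communicate with
# mediaserver (required for using Surface originating
# from virtual camera in mediaserver).
binder_call(virtual_camera, mediaserver)

# Required for the codecs to be able to decode
# video into surface provided by virtual camera.
hal_client_domain(virtual_camera, hal_codec2)
hal_client_domain(virtual_camera, hal_omx)

# Allow virtual_camera to call apps via binder.
# NOTE(review): the target is the whole appdomain attribute, so this covers
# every app domain, isolated_app included.
binder_call(virtual_camera, appdomain)

# Allow virtual_camera to use fd from apps, except isolated_app.
# NOTE(review): binder_call() in te_macros normally also grants
# "allow $1 $2:fd use". If so, the appdomain call above already allows fd use
# from every app domain and the -isolated_app exclusion here has no effect.
# Confirm against te_macros; if isolated apps are meant to be kept out, the
# binder_call target needs the same exclusion.
allow virtual_camera { appdomain -isolated_app }:fd use;

# Allow virtual_camera to call surfaceflinger via binder.
binder_call(virtual_camera, surfaceflinger)

# Only allow virtual_camera to add a virtual_camera_service and no one else.
add_service(virtual_camera, virtual_camera_service)

# Allow virtual_camera to map graphic buffers
hal_client_domain(virtual_camera, hal_graphics_allocator)

# Allow virtual_camera to use GPU.
# NOTE(review): rw_file_perms gives this domain read/write access to the GPU
# device node, and the same domain accepts binder calls and fds from apps.
# Keep the GPU grant limited to the three rules below.
allow virtual_camera gpu_device:chr_file rw_file_perms;
allow virtual_camera gpu_device:dir r_dir_perms;
r_dir_file(virtual_camera, sysfs_gpu)

# Allow virtual camera to use graphics composer fd-s (fences).
allow virtual_camera hal_graphics_composer:fd use;

# For collecting bugreports: use the fd handed over by dumpstate and write
# the dump into its pipe.
allow virtual_camera dumpstate:fd use;
allow virtual_camera dumpstate:fifo_file write;

# Needed for permission checks.
allow virtual_camera permission_service:service_manager find;

# Allow 'adb shell cmd' to configure test instances of camera.
# NOTE(review): these rules are not wrapped in userdebug_or_eng(), so they
# apply on user builds as well. Confirm that is intended and that the daemon
# itself restricts what a shell caller may configure.
allow virtual_camera adbd:fd use;
allow virtual_camera adbd:unix_stream_socket { getattr read write };
allow virtual_camera shell:fifo_file { getattr read write };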