1# cameraserver - camera daemon
2type cameraserver, domain;
3type cameraserver_exec, system_file_type, exec_type, file_type;
4type cameraserver_tmpfs, file_type;
5
6binder_use(cameraserver)
7binder_call(cameraserver, binderservicedomain)
8binder_call(cameraserver, appdomain)
9binder_service(cameraserver)
10
11hal_client_domain(cameraserver, hal_camera)
12
13hal_client_domain(cameraserver, hal_graphics_allocator)
14
15allow cameraserver ion_device:chr_file rw_file_perms;
16allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
17
18# Talk with graphics composer fences
19allow cameraserver hal_graphics_composer:fd use;
20
21add_service(cameraserver, cameraserver_service)
22add_hwservice(cameraserver, fwk_camera_hwservice)
23
24allow cameraserver activity_service:service_manager find;
25allow cameraserver appops_service:service_manager find;
26allow cameraserver audioserver_service:service_manager find;
27allow cameraserver batterystats_service:service_manager find;
28allow cameraserver cameraproxy_service:service_manager find;
29allow cameraserver mediaserver_service:service_manager find;
30allow cameraserver package_native_service:service_manager find;
31allow cameraserver processinfo_service:service_manager find;
32allow cameraserver scheduling_policy_service:service_manager find;
33allow cameraserver sensor_privacy_service:service_manager find;
34allow cameraserver surfaceflinger_service:service_manager find;
35
36allow cameraserver hidl_token_hwservice:hwservice_manager find;
37
38###
39### neverallow rules
40###
41
42# cameraserver should never execute any executable without a
43# domain transition
44neverallow cameraserver { file_type fs_type }:file execute_no_trans;
45
46# The goal of the mediaserver split is to place media processing code into
47# restrictive sandboxes with limited responsibilities and thus limited
48# permissions. Example: Audioserver is only responsible for controlling audio
49# hardware and processing audio content. Cameraserver does the same for camera
50# hardware/content. Etc.
51#
52# Media processing code is inherently risky and thus should have limited
53# permissions and be isolated from the rest of the system and network.
54# Lengthier explanation here:
55# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
56neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
57
58# Allow shell commands from ADB for CTS testing/dumping
59allow cameraserver adbd:fd use;
60allow cameraserver adbd:unix_stream_socket { read write };
61allow cameraserver shell:fd use;
62allow cameraserver shell:unix_stream_socket { read write };
63allow cameraserver shell:fifo_file { read write };
64
65# Allow to talk with media codec
66allow cameraserver mediametrics_service:service_manager find;
67hal_client_domain(cameraserver, hal_codec2)
68hal_client_domain(cameraserver, hal_omx)
69hal_client_domain(cameraserver, hal_allocator)
70
71# Allow shell commands from ADB for CTS testing/dumping
72userdebug_or_eng(`
73  allow cameraserver su:fd use;
74  allow cameraserver su:fifo_file { read write };
75  allow cameraserver su:unix_stream_socket { read write };
76')
77