# cameraserver - camera daemon
#
# SELinux type-enforcement policy for the cameraserver process: declares its
# process domain and executable label, grants the Binder/HAL/device access it
# needs, and ends with neverallow assertions that pin the sandbox boundary at
# policy build time.

# Process domain for the running daemon, and the file label for its executable.
# The init -> cameraserver domain transition is not set up in this file; it is
# presumably declared alongside the other daemon domains - confirm elsewhere.
type cameraserver, domain;
type cameraserver_exec, exec_type, file_type;

# Binder IPC: cameraserver may use the binder driver, call into system services
# (binderservicedomain) and app processes (appdomain), and publish itself as a
# Binder service. The appdomain call edge is the broad one: every app domain is
# a potential caller, so request validation in cameraserver is the real boundary.
# (Exact permissions depend on the macro definitions, which live outside this file.)
binder_use(cameraserver)
binder_call(cameraserver, binderservicedomain)
binder_call(cameraserver, appdomain)
binder_service(cameraserver)

# Client of the camera HAL. The macro is expected to grant whatever hwbinder
# access the HAL's client side needs; its exact expansion is not visible here.
hal_client_domain(cameraserver, hal_camera)

# Client of the graphics allocator HAL (buffer allocation for camera frames).
hal_client_domain(cameraserver, hal_graphics_allocator)

# Direct read/write access to the ION memory allocator device node. This is a
# kernel-facing attack surface, so keep it to the minimum the camera pipeline needs.
allow cameraserver ion_device:chr_file rw_file_perms;

# Talk with graphics composer fences
# Only "use" on file descriptors handed over by the composer; no open/create on
# the underlying objects is granted here.
allow cameraserver hal_graphics_composer:fd use;

# Register cameraserver_service with servicemanager, and look up the listed
# services by name. Each "find" is one more service cameraserver can talk to, so
# additions to this list widen its reach and should be justified individually.
add_service(cameraserver, cameraserver_service)
allow cameraserver appops_service:service_manager find;
allow cameraserver audioserver_service:service_manager find;
allow cameraserver batterystats_service:service_manager find;
allow cameraserver cameraproxy_service:service_manager find;
allow cameraserver mediaserver_service:service_manager find;
allow cameraserver processinfo_service:service_manager find;
allow cameraserver scheduling_policy_service:service_manager find;
allow cameraserver surfaceflinger_service:service_manager find;

# Lookup of the HIDL token hwservice via hwservicemanager (find only).
allow cameraserver hidl_token_hwservice:hwservice_manager find;

###
### neverallow rules
###
# neverallow rules are assertions, not grants: the policy build fails if any
# allow rule (here or in any other file) would contradict them.

# cameraserver should never execute any executable without a
# domain transition
# "{ file_type fs_type }" covers every file label, so this holds regardless of
# what future allow rules are added for specific files.
neverallow cameraserver { file_type fs_type }:file execute_no_trans;

# The goal of the mediaserver split is to place media processing code into
# restrictive sandboxes with limited responsibilities and thus limited
# permissions. Example: Audioserver is only responsible for controlling audio
# hardware and processing audio content. Cameraserver does the same for camera
# hardware/content. Etc.
#
# Media processing code is inherently risky and thus should have limited
# permissions and be isolated from the rest of the system and network.
# Lengthier explanation here:
# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html
# Target "domain" with every permission ("*") means no TCP/UDP/raw IP socket
# operation on sockets owned by any process domain may ever be granted to
# cameraserver, which is what keeps it off the network.
neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;
