Allow virtual camera to do binder calls to apps and vice versa.
Virtual camera passes Surface to the app which internally uses binder
to communicate with the other side of buffer queue.
Bug: 301023410
Test: atest VirtualCameraTest
Change-Id: I3ea23532a5077c0b57a6f74c7814b9fdf69829ea
diff --git a/private/app.te b/private/app.te
index 19cb2e0..09f222b 100644
--- a/private/app.te
+++ b/private/app.te
@@ -149,6 +149,9 @@
# Perform binder IPC to sdk sandbox.
binder_call(appdomain, sdk_sandbox_all)
+# Allow apps to communicate via binder with virtual camera service.
+binder_call(appdomain, virtual_camera)
+
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all } storage_file:dir r_dir_perms;
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index 940453e..4c4ac7a 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -12,6 +12,10 @@
binder_call(virtual_camera, cameraserver)
binder_call(virtual_camera, system_server)
+
+# Allow virtualCamera to call apps via binder.
+binder_call(virtual_camera, appdomain)
+
# Allow virtual_camera to use fd from apps
allow virtual_camera { appdomain -isolated_app }:fd use;