Policy for virtual_camera
Adds a policy to run the virtual_camera process which:
- registers a service implementing the camera HAL
- registers a service to reveive communicate with virtual cameras via
system_server
Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera
Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index b73db7e..f7e67d8 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -51,6 +51,7 @@
"android.hardware.broadcastradio.IBroadcastRadio/dab": EXCEPTION_NO_FUZZER,
"android.hardware.bluetooth.IBluetoothHci/default": EXCEPTION_NO_FUZZER,
"android.hardware.camera.provider.ICameraProvider/internal/0": EXCEPTION_NO_FUZZER,
+ "android.hardware.camera.provider.ICameraProvider/virtual/0": EXCEPTION_NO_FUZZER,
"android.hardware.cas.IMediaCasService/default": EXCEPTION_NO_FUZZER,
"android.hardware.confirmationui.IConfirmationUI/default": []string{"android.hardware.confirmationui-service.trusty_fuzzer"},
"android.hardware.contexthub.IContextHub/default": EXCEPTION_NO_FUZZER,
@@ -449,6 +450,7 @@
"vibrator": EXCEPTION_NO_FUZZER,
"vibrator_manager": EXCEPTION_NO_FUZZER,
"virtualdevice": EXCEPTION_NO_FUZZER,
+ "virtual_camera_service": EXCEPTION_NO_FUZZER,
"virtual_touchpad": EXCEPTION_NO_FUZZER,
"voiceinteraction": EXCEPTION_NO_FUZZER,
"vold": []string{"vold_native_service_fuzzer"},
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index aae1ac1..47d6719 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -8,4 +8,5 @@
ota_build_prop
snapuserd_log_data_file
hal_threadnetwork_service
+ virtual_camera_service
))
diff --git a/private/seapp_contexts b/private/seapp_contexts
index abd6c7b..085492a 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -159,6 +159,7 @@
user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
user=system seinfo=platform domain=system_app type=system_app_data_file
user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
+user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
user=nfc seinfo=platform domain=nfc type=nfc_data_file
diff --git a/private/service_contexts b/private/service_contexts
index a731dfd..94f913d 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -33,6 +33,7 @@
# The instance here is internal/0 following naming convention for ICameraProvider.
# It advertises internal camera devices.
android.hardware.camera.provider.ICameraProvider/internal/0 u:object_r:hal_camera_service:s0
+android.hardware.camera.provider.ICameraProvider/virtual/0 u:object_r:virtual_camera_service:s0
android.hardware.cas.IMediaCasService/default u:object_r:hal_cas_service:s0
android.hardware.confirmationui.IConfirmationUI/default u:object_r:hal_confirmationui_service:s0
android.hardware.contexthub.IContextHub/default u:object_r:hal_contexthub_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index e78a734..a9eb31d 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -954,6 +954,7 @@
allow system_server storaged_service:service_manager find;
allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
+allow system_server virtual_camera_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
new file mode 100644
index 0000000..c39625d
--- /dev/null
+++ b/private/virtual_camera.te
@@ -0,0 +1,16 @@
+# virtual_camera - virtual camera daemon
+
+type virtual_camera, domain, coredomain;
+
+app_domain(virtual_camera)
+
+allow virtual_camera system_app_data_file:dir create_dir_perms;
+allow virtual_camera system_app_data_file:file create_file_perms;
+
+allow virtual_camera activity_service:service_manager find;
+
+# hal_server_domain adds this rule to prevent any other domain from adding
+# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
+# so we use app_domain and manully add the neverallow
+allow virtual_camera virtual_camera_service:service_manager add;
+neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;
diff --git a/public/cameraserver.te b/public/cameraserver.te
index c88e3f0..8a4016c 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -37,6 +37,7 @@
allow cameraserver hidl_token_hwservice:hwservice_manager find;
allow cameraserver hal_camera_service:service_manager find;
+allow cameraserver virtual_camera_service:service_manager find;
# Allow to talk with surfaceflinger through unix stream socket
allow cameraserver surfaceflinger:unix_stream_socket { read write };
diff --git a/public/service.te b/public/service.te
index fc966b1..fa19abc 100644
--- a/public/service.te
+++ b/public/service.te
@@ -49,6 +49,7 @@
type update_engine_service, service_manager_type;
type update_engine_stable_service, service_manager_type;
type virtualization_service, service_manager_type;
+type virtual_camera_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;