Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d64cf75c48495dbb4aabbf51ffb862a4b0890af8^! / . / private
commitd64cf75c48495dbb4aabbf51ffb862a4b0890af8[log] [tgz]
authorVadim Caen <caen@google.com>Fri Nov 04 12:51:18 2022 +0000
committerVadim Caen <caen@google.com>Tue Jul 25 19:27:48 2023 +0000
tree1d7956af762eaa34ca5d8ab0971268be05ac1856
parent49fa8f5fe6c805d7d435f6ff6d1186d82ceadf01 [diff]
Policy for virtual_camera

Adds a policy to run the virtual_camera process which:
 - registers a service implementing the camera HAL
 - registers a service to reveive communicate with virtual cameras via
   system_server

Bug: 253991421
Test: CTS test
android.virtualdevice.cts.VirtualDeviceManagerBasicTest#createDevice_createCamera

Change-Id: I772d176919b8dcd3b73946935ed439207c948f2b

diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index aae1ac1..47d6719 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil

@@ -8,4 +8,5 @@
     ota_build_prop
     snapuserd_log_data_file
     hal_threadnetwork_service
+    virtual_camera_service
   ))

diff --git a/private/seapp_contexts b/private/seapp_contexts
index abd6c7b..085492a 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts

@@ -159,6 +159,7 @@
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all
+user=system seinfo=platform isPrivApp=true name=com.android.virtualcamera domain=virtual_camera type=app_data_file levelFrom=all
 user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file
 user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file

diff --git a/private/service_contexts b/private/service_contexts
index a731dfd..94f913d 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -33,6 +33,7 @@
 # The instance here is internal/0 following naming convention for ICameraProvider.
 # It advertises internal camera devices.
 android.hardware.camera.provider.ICameraProvider/internal/0          u:object_r:hal_camera_service:s0
+android.hardware.camera.provider.ICameraProvider/virtual/0           u:object_r:virtual_camera_service:s0
 android.hardware.cas.IMediaCasService/default                        u:object_r:hal_cas_service:s0
 android.hardware.confirmationui.IConfirmationUI/default              u:object_r:hal_confirmationui_service:s0
 android.hardware.contexthub.IContextHub/default                      u:object_r:hal_contexthub_service:s0

diff --git a/private/system_server.te b/private/system_server.te
index e78a734..a9eb31d 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -954,6 +954,7 @@
 allow system_server storaged_service:service_manager find;
 allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
+allow system_server virtual_camera_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
 allow system_server logd_service:service_manager find;

diff --git a/private/virtual_camera.te b/private/virtual_camera.te
new file mode 100644
index 0000000..c39625d
--- /dev/null
+++ b/private/virtual_camera.te

@@ -0,0 +1,16 @@
+# virtual_camera - virtual camera daemon
+
+type virtual_camera, domain, coredomain;
+
+app_domain(virtual_camera)
+
+allow virtual_camera system_app_data_file:dir create_dir_perms;
+allow virtual_camera system_app_data_file:file create_file_perms;
+
+allow virtual_camera activity_service:service_manager find;
+
+# hal_server_domain adds this rule to prevent any other domain from adding
+# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
+# so we use app_domain and manully add the neverallow
+allow virtual_camera virtual_camera_service:service_manager add;
+neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;