Add SELinux permissions for DeviceAsWebcam Service

DeviceAsWebcam is a new service that turns an Android device into a
webcam. It requires access to all services that a regular app needs
access to, and it requires read/write permission to /dev/video* nodes,
which is how the Linux kernel mounts the UVC gadget.

Bug: 242344221
Bug: 242344229
Test: Manually tested that the service can access all the nodes it
      needs, and no SELinux exceptions are reported for the service
      when running.
Change-Id: I45c5df105f5b0c31dd6a733f50eb764479d18e9f

diff --git a/private/app.te b/private/app.te
index 90ea7cd..db32be0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -503,4 +503,20 @@
-dalvikcache_data_file
-system_data_file # shared libs in apks
-apk_data_file
-}:file no_x_file_perms;
\ No newline at end of file
+}:file no_x_file_perms;
+
+# Don't allow apps access to any of the following character devices.
+neverallow appdomain {
+ audio_device
+ camera_device
+ dm_device
+ radio_device
+ rpmsg_device
+}:chr_file { read write };
+
+# Block video device access for all apps except the DeviceAsWebcam Service which
+# needs access to /dev/video* for interfacing with the host
+neverallow {
+ appdomain
+ -device_as_webcam
+} video_device:chr_file { read write };
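
Review bot: The `-device_as_webcam` exemption in the second neverallow makes the video_device guarantee depend entirely on which apps end up labelled into that domain, and neither the comment nor this hunk says how that assignment is restricted. Please extend the comment above `neverallow { appdomain -device_as_webcam }` to name where the domain is defined and assigned, and confirm that the matching allow rule (not visible in this file's hunk) grants only the `video_device:chr_file` permissions the commit message describes. Separately, both assertions name only `{ read write }`, so other chr_file permissions such as `ioctl` or `append` on these device types are not covered by the neverallow; if the intent is to block all app access to these nodes, consider widening the permission set or stating in the comment why read and write are sufficient.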