Policy for virtual_camera native service

Change-Id: Id0c582f9259ffd056b22f111d7e81bc061c2371d
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 96d7dbd..76ffba6 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -7,3 +7,4 @@
 
 allow cameraserver gpu_device:chr_file rw_file_perms;
 allow cameraserver gpu_device:dir r_dir_perms;
+allow cameraserver virtual_camera:binder call;
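Review bot: The added rule only lets cameraserver initiate binder calls into virtual_camera; if virtual_camera invokes callbacks on binder objects that cameraserver hands it (which seems likely for a camera provider, but is not visible here), the reverse direction `allow virtual_camera cameraserver:binder call;` is also required, and `binder_use(virtual_camera)` in virtual_camera.te does not supply it. The neighbouring rules in this file carry no comments, but since virtual_camera is explicitly not a HAL domain a one-line comment explaining why cameraserver reaches it would help, e.g. `# cameraserver drives the virtual_camera provider over binder`.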
diff --git a/private/file_contexts b/private/file_contexts
index 1049273..259526d 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -332,6 +332,7 @@
 /system/bin/profcollectctl       u:object_r:profcollectd_exec:s0
 /system/bin/storaged             u:object_r:storaged_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
+/system/bin/virtual_camera       u:object_r:virtual_camera_exec:s0
 /system/bin/hw/android\.frameworks\.bufferhub@1\.0-service    u:object_r:fwk_bufferhub_exec:s0
 /system/bin/hw/android\.system\.suspend-service               u:object_r:system_suspend_exec:s0
 /system/etc/cgroups\.json               u:object_r:cgroup_desc_file:s0
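Review bot: The new `/system/bin/virtual_camera` entry is placed after `virtual_touchpad` although the neighbouring `/system/bin` entries (profcollectctl, storaged, virtual_touchpad) are in alphabetical order; moving the line one position up keeps that order. This is a style point only — as far as I can tell, matching of distinct literal paths does not depend on line order here.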
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c39625d..765a59f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -1,16 +1,20 @@
 # virtual_camera - virtual camera daemon
 
 type virtual_camera, domain, coredomain;
+type virtual_camera_exec, system_file_type, exec_type, file_type;
 
-app_domain(virtual_camera)
+init_daemon_domain(virtual_camera)
 
-allow virtual_camera system_app_data_file:dir create_dir_perms;
-allow virtual_camera system_app_data_file:file create_file_perms;
+# Since virtual_camera is not a real HAL we don't set the
+# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
+# we actually need from halserverdomain and hal_camera_server:
+binder_use(virtual_camera)
 
-allow virtual_camera activity_service:service_manager find;
+# Allow virtual_camera to use fd from apps
+allow virtual_camera { appdomain -isolated_app }:fd use;
 
-# hal_server_domain adds this rule to prevent any other domain from adding
-# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
-# so we use app_domain and manully add the neverallow
-allow virtual_camera virtual_camera_service:service_manager add;
-neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;
+# Only allow virtual_camera to add a virtual_camera_service and no one else.
+add_service(virtual_camera, virtual_camera_service);
+
+# Allow virtual_camera to map graphic buffers
+hal_client_domain(virtual_camera, hal_graphics_allocator)
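Review bot: `allow virtual_camera { appdomain -isolated_app }:fd use;` grants fd use from nearly every app domain, but the comment above it only says "use fd from apps"; it should state which descriptors are expected and why isolated_app is the sole exclusion, so a later reviewer can judge whether the whole appdomain set is needed. The comment on the previous lines says the file contains only the rules "actually needed from halserverdomain and hal_camera_server", so each added rule should carry its justification in the same way. Separately, `add_service(virtual_camera, virtual_camera_service);` ends with a semicolon while the other macro invocations in the file (`init_daemon_domain`, `binder_use`, `hal_client_domain`) do not; if the expanded policy rejects a stray `;` the build will fail, otherwise it is only an inconsistency, so drop it either way.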