Policy for virtual_camera native service
Change-Id: Id0c582f9259ffd056b22f111d7e81bc061c2371d
diff --git a/private/virtual_camera.te b/private/virtual_camera.te
index c39625d..765a59f 100644
--- a/private/virtual_camera.te
+++ b/private/virtual_camera.te
@@ -1,16 +1,20 @@
# virtual_camera - virtual camera daemon
type virtual_camera, domain, coredomain;
+type virtual_camera_exec, system_file_type, exec_type, file_type;
-app_domain(virtual_camera)
+init_daemon_domain(virtual_camera)
-allow virtual_camera system_app_data_file:dir create_dir_perms;
-allow virtual_camera system_app_data_file:file create_file_perms;
+# Since virtual_camera is not a real HAL we don't set the
+# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
+# we actually need from halserverdomain and hal_camera_server:
+binder_use(virtual_camera)
-allow virtual_camera activity_service:service_manager find;
+# Allow virtual_camera to use fd from apps
+allow virtual_camera { appdomain -isolated_app }:fd use;
-# hal_server_domain adds this rule to prevent any other domain from adding
-# a virtual_camera_service. We cannot mix app_domain and hal_server_domain
-# so we use app_domain and manully add the neverallow
-allow virtual_camera virtual_camera_service:service_manager add;
-neverallow { domain -virtual_camera} virtual_camera_service:service_manager add;
+# Only allow virtual_camera to add a virtual_camera_service and no one else.
+add_service(virtual_camera, virtual_camera_service);
+
+# Allow virtual_camera to map graphic buffers
+hal_client_domain(virtual_camera, hal_graphics_allocator)