| Eino-Ville Talvala | 9c43a3f | 2016-12-22 12:55:02 -0800 | [diff] [blame^] | 1 | hwbinder_use(hal_camera) |
| 2 | binder_call(hal_camera, cameraserver) |
| 3 | |
| 4 | allow hal_camera system_file:dir { open read }; |
| 5 | |
| 6 | # access /data/misc/camera |
| 7 | allow hal_camera camera_data_file:dir create_dir_perms; |
| 8 | allow hal_camera camera_data_file:file create_file_perms; |
| 9 | |
| 10 | allow hal_camera video_device:dir r_dir_perms; |
| 11 | allow hal_camera video_device:chr_file rw_file_perms; |
| 12 | allow hal_camera camera_device:chr_file rw_file_perms; |
| 13 | allow hal_camera ion_device:chr_file rw_file_perms; |
| 14 | allow hal_camera hal_graphics_allocator:fd use; |
| 15 | |
| 16 | |
| 17 | ### |
| 18 | ### neverallow rules |
| 19 | ### |
| 20 | |
| 21 | # hal_camera should never execute any executable without a |
| 22 | # domain transition |
| 23 | neverallow hal_camera { file_type fs_type }:file execute_no_trans; |
| 24 | |
| 25 | # hal_camera should never need network access. Disallow network sockets. |
| 26 | neverallow hal_camera domain:{ tcp_socket udp_socket rawip_socket } *; |