Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 7563acec14faa62dd343b69180168df4f8d59dad / . / private / virtual_camera.te
blob: 0faf0c585164b30bcbf66d21815a811ac0d0398a [file] [log] [blame]
Vadim Caend64cf752022-11-04 12:51:18 +0000[diff] [blame]1# virtual_camera - virtual camera daemon
2
Priyanka Advani (xWF)639c4412024-08-05 17:09:50 +0000[diff] [blame]3type virtual_camera, domain, coredomain;
4type virtual_camera_exec, system_file_type, exec_type, file_type;
Vadim Caend64cf752022-11-04 12:51:18 +0000[diff] [blame]5
Vadim Caenf6e88ec2023-09-29 16:15:23 +0200[diff] [blame]6init_daemon_domain(virtual_camera)
Vadim Caend64cf752022-11-04 12:51:18 +0000[diff] [blame]7
Vadim Caenf6e88ec2023-09-29 16:15:23 +0200[diff] [blame]8# Since virtual_camera is not a real HAL we don't set the
9# hal_server_domain(virtual_camera, hal_camera) macro but only the rules that
10# we actually need from halserverdomain and hal_camera_server:
11binder_use(virtual_camera)
Ján Sebechlebský5d6b66c2023-11-20 09:39:22 +0000[diff] [blame]12binder_call(virtual_camera, cameraserver)
13binder_call(virtual_camera, system_server)
Vadim Caend64cf752022-11-04 12:51:18 +0000[diff] [blame]14
Jan Sebechlebsky0fd6d1b2023-12-27 17:26:52 +0100[diff] [blame]15# Allow virtual_camera to communicate with
16# mediaserver (required for using Surface originating
17# from virtual camera in mediaserver).
18binder_call(virtual_camera, mediaserver)
19
20# Required for the codecs to be able to decode
21# video into surface provided by virtual camera.
22hal_client_domain(virtual_camera, hal_codec2)
23hal_client_domain(virtual_camera, hal_omx)
Jan Sebechlebsky6e1795c2023-12-06 09:31:17 +0100[diff] [blame]24
25# Allow virtualCamera to call apps via binder.
26binder_call(virtual_camera, appdomain)
27
Vadim Caenf6e88ec2023-09-29 16:15:23 +0200[diff] [blame]28# Allow virtual_camera to use fd from apps
29allow virtual_camera { appdomain -isolated_app }:fd use;
Vadim Caend64cf752022-11-04 12:51:18 +0000[diff] [blame]30
Vadim Caen68dc59d2024-03-15 17:12:37 +0100[diff] [blame]31# Allow virtual_camera to use fd from surface flinger
32allow virtual_camera surfaceflinger:fd use;
Vadim Caen4eb4ac12024-07-23 16:39:54 +0200[diff] [blame]33allow virtual_camera surfaceflinger:binder call;
Vadim Caen68dc59d2024-03-15 17:12:37 +0100[diff] [blame]34
Vadim Caenf6e88ec2023-09-29 16:15:23 +0200[diff] [blame]35# Only allow virtual_camera to add a virtual_camera_service and no one else.
36add_service(virtual_camera, virtual_camera_service);
37
38# Allow virtual_camera to map graphic buffers
39hal_client_domain(virtual_camera, hal_graphics_allocator)
Jan Sebechlebsky267b6a92023-11-17 10:08:16 +0100[diff] [blame]40
41# Allow virtual_camera to use GPU
42allow virtual_camera gpu_device:chr_file rw_file_perms;
43allow virtual_camera gpu_device:dir r_dir_perms;
Jan Sebechlebsky9999b0a2024-06-13 14:23:22 +0000[diff] [blame]44allow virtual_camera sysfs_gpu:file r_file_perms;
Jan Sebechlebskyde644172023-11-30 10:57:16 +0100[diff] [blame]45
Jan Sebechlebskyfd7e2852024-02-26 11:55:16 +0100[diff] [blame]46# Allow virtual camera to use graphics composer fd-s (fences).
47allow virtual_camera hal_graphics_composer:fd use;
48
Jan Sebechlebskyde644172023-11-30 10:57:16 +0100[diff] [blame]49# For collecting bugreports.
50allow virtual_camera dumpstate:fd use;
51allow virtual_camera dumpstate:fifo_file write;
Jan Sebechlebsky0959bef2023-12-05 14:17:07 +0100[diff] [blame]52
53# Needed for permission checks.
54allow virtual_camera permission_service:service_manager find;
Jan Sebechlebsky7f271ce2024-04-15 08:25:19 +0000[diff] [blame]55
56# Allow 'adb shell cmd' to configure test instances of camera.
57allow virtual_camera adbd:fd use;
58allow virtual_camera adbd:unix_stream_socket { getattr read write };
59allow virtual_camera shell:fifo_file { getattr read write };