blame | history | raw
liyujie
2025-08-28 786ff4f4ca2374bdd9177f2e24b503d43e7a3b93 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

# cameraserver - camera daemon


type cameraserver, domain;


type cameraserver_exec, system_file_type, exec_type, file_type;


type cameraserver_tmpfs, file_type;


 


binder_use(cameraserver)


binder_call(cameraserver, binderservicedomain)


binder_call(cameraserver, appdomain)


binder_service(cameraserver)


 


hal_client_domain(cameraserver, hal_camera)


 


hal_client_domain(cameraserver, hal_graphics_allocator)


 


allow cameraserver ion_device:chr_file rw_file_perms;


 


# Talk with graphics composer fences


allow cameraserver hal_graphics_composer:fd use;


 


add_service(cameraserver, cameraserver_service)


add_hwservice(cameraserver, fwk_camera_hwservice)


 


allow cameraserver activity_service:service_manager find;


allow cameraserver appops_service:service_manager find;


allow cameraserver audioserver_service:service_manager find;


allow cameraserver batterystats_service:service_manager find;


allow cameraserver cameraproxy_service:service_manager find;


allow cameraserver mediaserver_service:service_manager find;


allow cameraserver processinfo_service:service_manager find;


allow cameraserver scheduling_policy_service:service_manager find;


allow cameraserver sensor_privacy_service:service_manager find;


allow cameraserver surfaceflinger_service:service_manager find;


 


allow cameraserver hidl_token_hwservice:hwservice_manager find;


 


###


### neverallow rules


###


 


# cameraserver should never execute any executable without a


# domain transition


neverallow cameraserver { file_type fs_type }:file execute_no_trans;


 


# The goal of the mediaserver split is to place media processing code into


# restrictive sandboxes with limited responsibilities and thus limited


# permissions. Example: Audioserver is only responsible for controlling audio


# hardware and processing audio content. Cameraserver does the same for camera


# hardware/content. Etc.


#


# Media processing code is inherently risky and thus should have limited


# permissions and be isolated from the rest of the system and network.


# Lengthier explanation here:


# https://android-developers.googleblog.com/2016/05/hardening-media-stack.html


neverallow cameraserver domain:{ tcp_socket udp_socket rawip_socket } *;


 


# Allow shell commands from ADB for CTS testing/dumping


allow cameraserver adbd:fd use;


allow cameraserver adbd:unix_stream_socket { read write };


allow cameraserver shell:fd use;


allow cameraserver shell:unix_stream_socket { read write };


allow cameraserver shell:fifo_file { read write };


 


# Allow to talk with media codec


allow cameraserver mediametrics_service:service_manager find;


hal_client_domain(cameraserver, hal_codec2)


hal_client_domain(cameraserver, hal_omx)


hal_client_domain(cameraserver, hal_allocator)


 


# Allow shell commands from ADB for CTS testing/dumping


userdebug_or_eng(`


  allow cameraserver su:fd use;


  allow cameraserver su:fifo_file { read write };


  allow cameraserver su:unix_stream_socket { read write };


')