vendor/google/hal_camera_default.te - device/google/redbull-sepolicy - Git at Google

 vndbinder_use(hal_camera_default);
 allow hal_camera_default sysfs_soc:dir search;
 allow hal_camera_default sysfs_soc:file r_file_perms;
 allow hal_camera_default sysfs_ssr:file r_file_perms;
 allow hal_camera_default gpu_device:chr_file rw_file_perms;

 # For camera hal to use factory calibration data
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:lnk_file read;
 allow hal_camera_default persist_file:dir search;
 allow hal_camera_default persist_camera_file:dir search;
 allow hal_camera_default persist_camera_file:file r_file_perms;

 # For camera hal to use system property
 get_prop(hal_camera_default, vendor_display_prop)
 set_prop(hal_camera_default, vendor_camera_prop)
 get_prop(hal_camera_default, vendor_camera_ro_prop)

 # For camera hal to talk with rlsservice
 allow hal_camera_default rls_service:service_manager find;
 binder_call(hal_camera_default, rlsservice)

 # For camera hal to talk with gralloc
 hal_client_domain(hal_camera_default, hal_graphics_allocator)
 hal_client_domain(hal_camera_default, hal_graphics_composer)
 allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;

 # QSPM hal service for accessing camera info
 hal_client_domain(hal_camera_default, hal_qspmhal)

 #For camera hal to talk with ECOService.
 allow hal_camera_default eco_service:service_manager find;
 binder_call(hal_camera_default, mediacodec)

 # For camera hal to communicate with with power HAL
 hal_client_domain(hal_camera_default, hal_power)

 # For camera hal to communicate with the thermal HAL.
 hal_client_domain(hal_camera_default, hal_thermal)

 # For camera hal to control priority of current process
 hal_client_domain(hal_camera_default, hal_configstore)
 allow hal_camera_default self:capability sys_nice;
 allow hal_camera_default self:qipcrtr_socket create_socket_perms_no_ioctl;

 # For camera hal to talk with system server (for sensor access)
 binder_call(hal_camera_default, sensor_service_server)

 # For camera hal to talk with GPU and dontaudit unnecessary files in /sys
 dontaudit hal_camera_default sysfs_msm_subsys:dir search;

 # For camera hal to talk with NNAPI service
 hal_client_domain(hal_camera_default, hal_neuralnetworks)

 # For camera hal to set kernel driver scheduler policy
 allow hal_camera_default kernel:process setsched;

 # For camera debugging
 userdebug_or_eng(`
   allow hal_camera_default camera_vendor_data_file:dir create_dir_perms;
   allow hal_camera_default camera_vendor_data_file:file create_file_perms;
 ')
	vndbinder_use(hal_camera_default);
	allow hal_camera_default sysfs_soc:dir search;
	allow hal_camera_default sysfs_soc:file r_file_perms;
	allow hal_camera_default sysfs_ssr:file r_file_perms;
	allow hal_camera_default gpu_device:chr_file rw_file_perms;

	# For camera hal to use factory calibration data
	allow hal_camera_default mnt_vendor_file:dir search;
	allow hal_camera_default persist_file:lnk_file read;
	allow hal_camera_default persist_file:dir search;
	allow hal_camera_default persist_camera_file:dir search;
	allow hal_camera_default persist_camera_file:file r_file_perms;

	# For camera hal to use system property
	get_prop(hal_camera_default, vendor_display_prop)
	set_prop(hal_camera_default, vendor_camera_prop)
	get_prop(hal_camera_default, vendor_camera_ro_prop)

	# For camera hal to talk with rlsservice
	allow hal_camera_default rls_service:service_manager find;
	binder_call(hal_camera_default, rlsservice)

	# For camera hal to talk with gralloc
	hal_client_domain(hal_camera_default, hal_graphics_allocator)
	hal_client_domain(hal_camera_default, hal_graphics_composer)
	allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;

	# QSPM hal service for accessing camera info
	hal_client_domain(hal_camera_default, hal_qspmhal)

	#For camera hal to talk with ECOService.
	allow hal_camera_default eco_service:service_manager find;
	binder_call(hal_camera_default, mediacodec)

	# For camera hal to communicate with with power HAL
	hal_client_domain(hal_camera_default, hal_power)

	# For camera hal to communicate with the thermal HAL.
	hal_client_domain(hal_camera_default, hal_thermal)

	# For camera hal to control priority of current process
	hal_client_domain(hal_camera_default, hal_configstore)
	allow hal_camera_default self:capability sys_nice;
	allow hal_camera_default self:qipcrtr_socket create_socket_perms_no_ioctl;

	# For camera hal to talk with system server (for sensor access)
	binder_call(hal_camera_default, sensor_service_server)

	# For camera hal to talk with GPU and dontaudit unnecessary files in /sys
	dontaudit hal_camera_default sysfs_msm_subsys:dir search;

	# For camera hal to talk with NNAPI service
	hal_client_domain(hal_camera_default, hal_neuralnetworks)

	# For camera hal to set kernel driver scheduler policy
	allow hal_camera_default kernel:process setsched;

	# For camera debugging
	userdebug_or_eng(`
	allow hal_camera_default camera_vendor_data_file:dir create_dir_perms;
	allow hal_camera_default camera_vendor_data_file:file create_file_perms;
	')