selinux: Add policy for cameraserver

Bug: 24511454

Change-Id: I4d5d67778558bcef37ac35ebaa73d53b7e783d4e
diff --git a/sepolicy/camera.te b/sepolicy/camera.te
index ed72bc7..be80374 100644
--- a/sepolicy/camera.te
+++ b/sepolicy/camera.te
@@ -27,4 +27,4 @@
 allow camera persist_data_file:dir search;
 allow camera persist_data_file:file r_file_perms;
 
-allow camera { audioserver mediaserver surfaceflinger }:fd use;
+allow camera { audioserver cameraserver mediaserver surfaceflinger }:fd use;
diff --git a/sepolicy/cameraserver.te b/sepolicy/cameraserver.te
new file mode 100644
index 0000000..888863e
--- /dev/null
+++ b/sepolicy/cameraserver.te
@@ -0,0 +1,23 @@
+binder_call(cameraserver, rild)
+# send data to camera socket
+allow cameraserver camera_data_file:sock_file write;
+allow cameraserver camera:unix_stream_socket connectto;
+allow cameraserver camera:unix_dgram_socket sendto;
+#read/write /dev/media[0-N]
+allow cameraserver media_device:chr_file rw_file_perms;
+#read/write /dev/msm_audio_cal
+userdebug_or_eng(`
+  allow cameraserver diag_device:chr_file rw_file_perms;
+')
+#read/write /dev/v4l-subdev[0-N]
+allow cameraserver v41_subdev_device:chr_file rw_file_perms;
+
+allow cameraserver persist_file:dir search;
+allow cameraserver persist_audio_file:dir search;
+allow cameraserver persist_audio_file:file r_file_perms;
+
+# allow communication w/perfd
+allow cameraserver perfd_data_file:dir search;
+allow cameraserver perfd_data_file:sock_file write;
+allow cameraserver perfd:unix_dgram_socket sendto;
+allow cameraserver perfd:unix_stream_socket connectto;
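Review bot: Several grants in the new cameraserver.te are not explained and look carried over from an audio/media domain rather than needed by a camera service. `binder_call(cameraserver, rild)` has no comment, the `#read/write /dev/msm_audio_cal` comment sits above a `diag_device` rule it does not describe, and `persist_audio_file` is made readable. I would keep only the rules backed by an observed denial and give each a one-line reason, for example replacing the stale comment with `# read/write the diag device (userdebug/eng builds only)`. Separately, `v41_subdev_device` is spelled with the digit 1 under a comment naming `/dev/v4l-subdev[0-N]`. Please check the spelling against the type declaration and file_contexts, since a name that differs from the declared type would either fail policy compilation or not cover the intended device node.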