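# SELinux policy for the hal_camera_default domain (camera HAL).
# Restored to one statement per line; the listing numbers that were fused
# into the statements have been removed so the rules parse again.

# Private tmpfs file type for this domain. The tmpfs_domain macro applied to
# hal_camera_default refers to a type with this name.
type hal_camera_default_tmpfs, file_type;

# Scheduling control: sys_nice on the domain itself, setsched on the kernel
# process class.
# NOTE(review): presumably needed to adjust priority of camera threads. The
# file does not say, so confirm both grants are still required.
allow hal_camera_default self:global_capability_class_set sys_nice;
allow hal_camera_default kernel:process setsched;

# Use both the framework binder and the vendor binder.
binder_use(hal_camera_default);
vndbinder_use(hal_camera_default);

# Device nodes are read/write; the chip id sysfs attribute is read-only.
allow hal_camera_default lwis_device:chr_file rw_file_perms;
allow hal_camera_default gpu_device:chr_file rw_file_perms;
allow hal_camera_default sysfs_chip_id:file r_file_perms;

# Face authentication code that is part of the camera HAL needs to allocate
# dma_bufs and access the Trusted Execution Environment device node.
# NOTE(review): read/write on tee_device is the most sensitive grant in this
# block. Keep it only while face authentication runs inside this domain.
allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_camera_default tee_device:chr_file rw_file_perms;

# Allow the camera hal to access the EdgeTPU service and the
# Android shared memory allocated by the EdgeTPU service for
# on-device compilation.
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
allow hal_camera_default sysfs_edgetpu:file r_file_perms;
allow hal_camera_default edgetpu_vendor_service:service_manager find;
binder_call(hal_camera_default, edgetpu_vendor_server)
# Allow edgetpu_app_service as well, because the EdgeTpu metrics logging
# library depends on edgetpu_app_service, see b/275016466.
allow hal_camera_default edgetpu_app_service:service_manager find;
binder_call(hal_camera_default, edgetpu_app_server)

# Allow the camera hal to access the GXP device.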
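allow hal_camera_default gxp_device:chr_file rw_file_perms;

# Allow access to data files used by the camera HAL.
# mnt_vendor_file and persist_file get search only, which is enough to
# traverse down to the camera-specific directories.
allow hal_camera_default mnt_vendor_file:dir search;
allow hal_camera_default persist_file:dir search;
allow hal_camera_default persist_camera_file:dir rw_dir_perms;
allow hal_camera_default persist_camera_file:file create_file_perms;
allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera_default vendor_camera_data_file:file create_file_perms;

# Allow creating dump directories for debugging in non-release builds.
# Only directory creation is gated on the build type. File creation under
# vendor_camera_data_file is already granted on every build by the rule
# above, so the identical file rule that used to sit in this block was
# redundant and has been dropped.
# NOTE(review): if dump files must not be written on release builds, that
# has to be enforced in the HAL itself, not by this policy.
userdebug_or_eng(`
  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
')

# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
# compiled into the shared libraries with cc_embed_data rules
tmpfs_domain(hal_camera_default);

# Allow access to camera-related system properties.
# Release builds may set vendor_camera_prop and log_tag_prop but only read
# vendor_camera_debug_prop. Setting the debug and fatp properties is limited
# to userdebug and eng builds.
set_prop(hal_camera_default, vendor_camera_prop);
set_prop(hal_camera_default, log_tag_prop);
get_prop(hal_camera_default, vendor_camera_debug_prop);
userdebug_or_eng(`
  set_prop(hal_camera_default, vendor_camera_fatp_prop);
  set_prop(hal_camera_default, vendor_camera_debug_prop);
')

# For camera hal to talk with rlsservice
allow hal_camera_default rls_service:service_manager find;
binder_call(hal_camera_default, rlsservice)

# HAL services this domain is a client of.
hal_client_domain(hal_camera_default, hal_graphics_allocator);
hal_client_domain(hal_camera_default, hal_graphics_composer)
hal_client_domain(hal_camera_default, hal_power);
hal_client_domain(hal_camera_default, hal_thermal);

# Allow access to sensor service for sensor_listener.
# NOTE(review): this permits binder calls to the whole system_server domain.
# No service_manager find rule for a sensor service is visible in this file,
# so presumably it is granted elsewhere. Confirm.
binder_call(hal_camera_default, system_server);

# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering.
# NOTE(review): the binder_call targets are the mediacodec domains, so the
# ECO service is presumably hosted there. Confirm.
allow hal_camera_default eco_service:service_manager find;
binder_call(hal_camera_default, mediacodec);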
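binder_call(hal_camera_default, mediacodec_samsung);

# Allow camera HAL to query preferred camera frequencies from the radio HAL
# extensions to avoid interference with cellular antennas.
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
binder_call(hal_camera_default, hal_radioext_default);

# Allow camera HAL to connect to the stats service.
allow hal_camera_default fwk_stats_service:service_manager find;

# For observing apex file changes
allow hal_camera_default apex_info_file:file r_file_perms;

# Allow camera HAL to query current device clock frequencies.
allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;

# Allow camera HAL to read backlight of display
allow hal_camera_default sysfs_leds:dir r_dir_perms;
allow hal_camera_default sysfs_leds:file r_file_perms;

# Allow camera HAL to send trace packets to Perfetto (non-release builds only)
userdebug_or_eng(`perfetto_producer(hal_camera_default)')

# The dontaudit rules below grant nothing: the accesses stay denied and only
# the audit log entry is suppressed. A real denial on the same type, class
# and permission will therefore not show up in the logs either, so keep each
# rule as narrow as it is now and revisit it when the prebuilts change.

# Some file searches attempt to access system data and are denied.
# This is benign and can be ignored.
dontaudit hal_camera_default system_data_file:dir { search };

# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
dontaudit hal_camera_default traced:unix_stream_socket { connectto };
dontaudit hal_camera_default traced_producer_socket:sock_file { write };

# Allow access to always-on compute device node
allow hal_camera_default aoc_device:chr_file rw_file_perms;

# Allow the Camera HAL to acquire wakelocks
wakelock_use(hal_camera_default)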