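# SELinux policy rules for the hal_camera_default domain (camera HAL).
# Every rule below has hal_camera_default as its source domain.

# Scheduling: CAP_SYS_NICE on its own processes, and setsched on processes
# running in the kernel domain.
allow hal_camera_default self:global_capability_class_set sys_nice;
allow hal_camera_default kernel:process setsched;

vndbinder_use(hal_camera_default);

allow hal_camera_default lwis_device:chr_file rw_file_perms;

# Face authentication code that is part of the camera HAL needs to allocate
# dma_bufs and access the Trusted Execution Environment device node
# NOTE(review): rw_file_perms includes ioctl, and no allowxperm ioctl
# allowlist is visible in this file for tee_device or the other device
# nodes, so command-level filtering is left to the drivers. Confirm whether
# an allowlist exists elsewhere.
allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_camera_default tee_device:chr_file rw_file_perms;

# Allow the camera hal to access the EdgeTPU service and the
# Android shared memory allocated by the EdgeTPU service for
# on-device compilation.
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
allow hal_camera_default edgetpu_vendor_service:service_manager find;
binder_call(hal_camera_default, edgetpu_vendor_server)
# Allow edgetpu_app_service as well, because the EdgeTpu metrics logging
# library depends on edgetpu_app_service, see b/275016466.
allow hal_camera_default edgetpu_app_service:service_manager find;
binder_call(hal_camera_default, edgetpu_app_server)

# Allow access to data files used by the camera HAL
allow hal_camera_default mnt_vendor_file:dir search;
allow hal_camera_default persist_file:dir search;
allow hal_camera_default persist_camera_file:dir rw_dir_perms;
allow hal_camera_default persist_camera_file:file create_file_perms;
allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
allow hal_camera_default vendor_camera_data_file:file create_file_perms;

# Allow the camera hal to access the GXP device.
allow hal_camera_default gxp_device:chr_file rw_file_perms;
get_prop(hal_camera_default, vendor_gxp_prop)

# Allow creating dump files for debugging in non-release builds
# NOTE(review): the file rule inside this block repeats the unconditional
# vendor_camera_data_file:file grant above. Only the dir rule widens access
# in debug builds, from rw_dir_perms to create_dir_perms.
userdebug_or_eng(`
  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
  allow hal_camera_default vendor_camera_data_file:file create_file_perms;
')

# Allow access to camera-related system properties
# Release builds: set vendor_camera_prop, read-only vendor_camera_debug_prop.
# Debug builds additionally may set the fatp and debug properties.
set_prop(hal_camera_default, vendor_camera_prop);
get_prop(hal_camera_default, vendor_camera_debug_prop);
userdebug_or_eng(`
  set_prop(hal_camera_default, vendor_camera_fatp_prop);
  set_prop(hal_camera_default, vendor_camera_debug_prop);
')

# For camera hal to talk with rlsservice
allow hal_camera_default rls_service:service_manager find;
binder_call(hal_camera_default, rlsservice)

hal_client_domain(hal_camera_default, hal_graphics_allocator);
hal_client_domain(hal_camera_default, hal_graphics_composer)
hal_client_domain(hal_camera_default, hal_power);
hal_client_domain(hal_camera_default, hal_thermal);

# Allow access to sensor service for sensor_listener
# NOTE(review): this binder rule is scoped to the whole system_server
# domain, not to one service. Which services the HAL can look up is
# limited by the service_manager find rules in this file.
binder_call(hal_camera_default, system_server);

# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
# NOTE(review): presumably eco_service is hosted in the mediacodec_samsung
# domain, which is why the binder rule targets it. Confirm.
allow hal_camera_default eco_service:service_manager find;
binder_call(hal_camera_default, mediacodec_samsung);

# Allow camera HAL to connect to the stats service.
allow hal_camera_default fwk_stats_service:service_manager find;

# For observing apex file changes
allow hal_camera_default apex_info_file:file r_file_perms;

# Allow camera HAL to query current device clock frequencies.
allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;

# Allow camera HAL to read backlight of display
allow hal_camera_default sysfs_leds:dir r_dir_perms;
allow hal_camera_default sysfs_leds:file r_file_perms;

# Allow camera HAL to query preferred camera frequencies from the radio HAL
# extensions to avoid interference with cellular antennas.
allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
binder_call(hal_camera_default, hal_radioext_default);

# Allows camera HAL to access the hw_jpeg /dev/video12.
allow hal_camera_default hw_jpg_device:chr_file rw_file_perms;

# Allow access to always-on compute device node
allow hal_camera_default aoc_device:chr_file rw_file_perms;

# Allow camera HAL to send trace packets to Perfetto
userdebug_or_eng(`perfetto_producer(hal_camera_default)')

# Some file searches attempt to access system data and are denied.
# This is benign and can be ignored.
# NOTE(review): dontaudit only silences the audit record. The access is
# still denied, but these denials will not appear in avc logs, so they are
# invisible to anyone triaging unexpected HAL behavior from the logs.
dontaudit hal_camera_default system_data_file:dir { search };

# google3 prebuilts attempt to connect to the wrong trace socket, ignore them.
dontaudit hal_camera_default traced:unix_stream_socket { connectto };
dontaudit hal_camera_default traced_producer_socket:sock_file { write };

# Allow the Camera HAL to acquire wakelocks for buffer pre-allocation purposes
wakelock_use(hal_camera_default)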