Re-introduce camera_device type

camera_device was previously removed in AOSP commit: b7aace2 "camera_device: remove type and add typealias" because the same domains required access to both without exception, meaning there was no benefit to distinguishing between the two. However, with the split up of mediaserver this is no longer the case and distinguishing between the camera and video provides a legitimate security benefit. For example, the mediacodec domain requires access to the video_device for access to hardware accelerated codecs but does not require access to the camera. Bug: 28359909 Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232
ResurrectionRemix · Apr 24, 2016 · cc8a09f · cc8a09f
1 parent 0959aa6
commit cc8a09f
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/app.te b/app.te
@@ -279,11 +279,12 @@ neverallow appdomain dev_type:blk_file { read write };
 # Access to any of the following character devices.
 neverallow appdomain {
     audio_device
-    video_device
+    camera_device
     dm_device
-    radio_device
     gps_device
+    radio_device
     rpmsg_device
+    video_device
 }:chr_file { read write };
 
 # Note: Try expanding list of app domains in the future.

diff --git a/device.te b/device.te
@@ -6,6 +6,7 @@ type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type block_device, dev_type;
+type camera_device, dev_type;
 type dm_device, dev_type;
 type loop_device, dev_type;
 type pmsg_device, dev_type, mlstrustedobject;