authorAlistair Delva <adelva@google.com>2022-11-18 12:54:48 -0800
committerAlistair Delva <adelva@google.com>2022-11-21 09:34:20 -0800
commit26784e2948510bff2e654ed92128d6eb9a05604f (patch)
treee8be668f839f8c41c0e8399643e011e8cd11af9a /shared/camera
parentb00a729dc723c1cc144c499012433cab1474cccf (diff)
Factor out camera sepolicy
Change-Id: I1401442d253fe5e389c781be8d681a0ed2e523fb
Diffstat (limited to 'shared/camera')
-rw-r--r--shared/camera/BoardConfig.mk17
-rw-r--r--shared/camera/sepolicy/OWNERS4
-rw-r--r--shared/camera/sepolicy/bug_map1
-rw-r--r--shared/camera/sepolicy/file_contexts4
-rw-r--r--shared/camera/sepolicy/hal_camera_default.te19
-rw-r--r--shared/camera/sepolicy/property.te1
-rw-r--r--shared/camera/sepolicy/property_contexts2
7 files changed, 48 insertions, 0 deletions
diff --git a/shared/camera/BoardConfig.mk b/shared/camera/BoardConfig.mk
new file mode 100644
index 000000000..5a80f77c4
--- /dev/null
+++ b/shared/camera/BoardConfig.mk
@@ -0,0 +1,17 @@
+#
+# Copyright 2022 The Android Open-Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/cuttlefish/shared/camera/sepolicy
diff --git a/shared/camera/sepolicy/OWNERS b/shared/camera/sepolicy/OWNERS
new file mode 100644
index 000000000..9b37b0ee9
--- /dev/null
+++ b/shared/camera/sepolicy/OWNERS
@@ -0,0 +1,4 @@
+include platform/system/sepolicy:/OWNERS
+
+adelva@google.com
+rurumihong@google.com
diff --git a/shared/camera/sepolicy/bug_map b/shared/camera/sepolicy/bug_map
new file mode 100644
index 000000000..8e2906886
--- /dev/null
+++ b/shared/camera/sepolicy/bug_map
@@ -0,0 +1 @@
+gmscore_app hal_camera_prop file b/156287758
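Review bot: The bug_map entry names `hal_camera_prop`, but the only property type this directory declares is `vendor_camera_prop` (property.te, with both prefixes in property_contexts mapped to it). If `hal_camera_prop` is not declared elsewhere in the device policy, this entry can no longer match a denial and the b/156287758 annotation is silently lost. Presumably it should read `gmscore_app vendor_camera_prop file b/156287758` or be dropped; this is worth confirming against the policy the entry was factored out of.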
diff --git a/shared/camera/sepolicy/file_contexts b/shared/camera/sepolicy/file_contexts
new file mode 100644
index 000000000..6e7490ac8
--- /dev/null
+++ b/shared/camera/sepolicy/file_contexts
@@ -0,0 +1,4 @@
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-external-vsock-service u:object_r:hal_camera_default_exec:s0
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google-lazy u:object_r:hal_camera_default_exec:s0
+
diff --git a/shared/camera/sepolicy/hal_camera_default.te b/shared/camera/sepolicy/hal_camera_default.te
new file mode 100644
index 000000000..de1e370f2
--- /dev/null
+++ b/shared/camera/sepolicy/hal_camera_default.te
@@ -0,0 +1,19 @@
+vndbinder_use(hal_camera_default)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator)
+
+# For camera hal to talk with sensor service
+binder_call(hal_camera_default, sensor_service_server)
+binder_call(sensor_service_server, hal_camera_default)
+
+# Allow the Camera HAL to communicate with the thermal HAL.
+hal_client_domain(hal_camera_default, hal_thermal)
+
+# Vsocket camera
+allow hal_camera_default self:vsock_socket { accept bind create getopt listen read write };
+
+set_prop(hal_camera_default, vendor_camera_prop)
+
+# The camera HAL can respond to APEX updates (see ApexUpdateListener), but this
+# is not used by the emulated camera HAL APEX. Ignore these denials.
+dontaudit hal_camera_default apex_info_file:file { read };
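Review bot: The `vsock_socket` rule under `# Vsocket camera` grants the listener set (`accept bind listen`) to every process in `hal_camera_default`, while file_contexts in this commit labels three binaries into that domain and only the `external-vsock-service` name suggests a vsock user. Type enforcement on `self:vsock_socket` does not restrict which peer connects, so if the two `service-google` binaries do not need a listener, a separate domain for the vsock provider would keep the grant narrow. At minimum the comment should say who needs it and what policy does not cover, e.g. `# Vsock listener for the external-vsock-service provider; policy does not restrict the peer, the service must.` The `binder_call(sensor_service_server, hal_camera_default)` line also adds a rule for a domain outside this module, and its comment should name the callback that requires the reverse direction.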
diff --git a/shared/camera/sepolicy/property.te b/shared/camera/sepolicy/property.te
new file mode 100644
index 000000000..bb7a5b110
--- /dev/null
+++ b/shared/camera/sepolicy/property.te
@@ -0,0 +1 @@
+vendor_internal_prop(vendor_camera_prop)
diff --git a/shared/camera/sepolicy/property_contexts b/shared/camera/sepolicy/property_contexts
new file mode 100644
index 000000000..3d6ebfb27
--- /dev/null
+++ b/shared/camera/sepolicy/property_contexts
@@ -0,0 +1,2 @@
+persist.vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0