Re-introduce camera_device type

camera_device was previously removed in AOSP commit: b7aace2d "camera_device: remove type and add typealias" because the same domains required access to both without exception, meaning there was no benefit to distinguishing between the two. However, with the split up of mediaserver this is no longer the case and distinguishing between the camera and video provides a legitimate security benefit. For example, the mediacodec domain requires access to the video_device for access to hardware accelerated codecs but does not require access to the camera. Bug: 28359909 Change-Id: I8a4592722d8e6391c0e91b440914284b7245e232

Re-introduce camera_device type
cc8a09f5 · Jeff Vander Stoep · 0959aa67 · cc8a09f5 · cc8a09f5
Commit cc8a09f5 authored 8 years ago by Jeff Vander Stoep
--- a/app.te
+++ b/app.te
@@ -279,11 +279,12 @@ neverallow appdomain dev_type:blk_file { read write };
 # Access to any of the following character devices.
 neverallow appdomain {
    audio_device
-    video_device
+    camera_device
    dm_device
-    radio_device
    gps_device
+    radio_device
    rpmsg_device
+    video_device
 }:chr_file { read write };
 # Note: Try expanding list of app domains in the future.

--- a/device.te
+++ b/device.te
@@ -6,6 +6,7 @@ type ashmem_device, dev_type, mlstrustedobject;
 type audio_device, dev_type;
 type binder_device, dev_type, mlstrustedobject;
 type block_device, dev_type;
+type camera_device, dev_type;
 type dm_device, dev_type;
 type loop_device, dev_type;
 type pmsg_device, dev_type, mlstrustedobject;