On devices running Android 11 or higher, the Android framework supports system cameras, which are camera devices that are visible only to processes with the android.permission.SYSTEM_CAMERA permission and regular camera permissions. The android.permission.SYSTEM_CAMERA permission, introduced in Android 11, has a protection level of system|signature. This means that only apps installed on the system partition with or signed with the same certificate as the system can be granted this permission. Third-party public apps can't access system cameras.
System cameras are useful for device manufacturers that want to implement features that require access to a camera but are also restricted to privileged or system apps.
Because systems apps that are granted the android.permission.SYSTEM_CAMERA permission must also have the android.permission.CAMERA permission, users can choose to revoke normal CAMERA permissions to prevent such an app from accessing the cameras on the device.
Implementation
To make a particular camera device a system camera, the camera HAL must advertise ANDROID_REQUEST_AVAILABLE_CAPABILITIES_SYSTEM_CAMERA in its capabilities list.
To create an app that has access to a system camera, the app must be allowlisted in the device-specific privapp-permissions.xml file, which specifies the apps that the android.permission.SYSTEM_CAMERA permission must be granted to.
Validation
To verify that no system cameras on the device can be discovered by a public app, run the android.permission.cts.Camera2PermissionTest.testSystemCameraDiscovery CTS test.
All camera CTS tests run on system camera devices.