It's up to you, but I think a switch in every window is actually enforcable. You would just need to trap the relatively few OS calls which result in camera communication. This would be a lightweight form of virtualization, much much simpler than paravirtualization of the kernel.
If you go the global route, there's no way to partition which app gets access. So a "phone home" piece of malware just needs to sit around waiting for the global enable to get set. (This applies to all hazardous devices, not just the camera.)
It's up to you, but I think a switch in every window is actually enforcable. You would just need to trap the relatively few OS calls which result in camera communication. This would be a lightweight form of virtualization, much much simpler than paravirtualization of the kernel.
If you go the global route, there's no way to partition which app gets access. So a "phone home" piece of malware just needs to sit around waiting for the global enable to get set. (This applies to all hazardous devices, not just the camera.)