1type google_camera_app, domain, coredomain; 2 3app_domain(google_camera_app) 4 5# Access standard system services 6allow google_camera_app app_api_service:service_manager find; 7allow google_camera_app audioserver_service:service_manager find; 8allow google_camera_app cameraserver_service:service_manager find; 9allow google_camera_app drmserver_service:service_manager find; 10allow google_camera_app mediacodec_service:service_manager find; 11allow google_camera_app mediaextractor_service:service_manager find; 12allow google_camera_app mediaserver_service:service_manager find; 13allow google_camera_app mediametrics_service:service_manager find; 14allow google_camera_app nfc_service:service_manager find; 15allow google_camera_app surfaceflinger_service:service_manager find; 16 17allow google_camera_app hidl_token_hwservice:hwservice_manager find; 18 19# Execute libraries from RenderScript cache 20allow google_camera_app app_data_file:file { rx_file_perms }; 21 22# Read memory info 23allow google_camera_app proc_meminfo:file r_file_perms; 24 25# gdbserver / stack traces 26allow google_camera_app self:process ptrace; 27 28# Access to Hexagon DSP kernel device 29allow google_camera_app adsprpcd_device:chr_file { r_file_perms }; 30 31# Read and write system app data files passed over Binder. 32# Motivating case was /data/data/com.android.settings/cache/*.jpg for 33# cropping or taking user photos. 34allow google_camera_app system_app_data_file:file { read write getattr }; 35 36# Read / execute vendor code from /vendor/lib[64]/dsp for HVX for Pixel Camera 37# TODO: b/37258244, This MUST be a specific exception instead of opening up 38# /vendor for the application. The policy build MUST also catch the violations 39r_dir_file(google_camera_app, vendor_file) 40