      1 type google_camera_app, domain, coredomain;
      2 
      3 app_domain(google_camera_app)
      4 
      5 # Access standard system services
      6 allow google_camera_app app_api_service:service_manager find;
      7 allow google_camera_app audioserver_service:service_manager find;
      8 allow google_camera_app cameraserver_service:service_manager find;
      9 allow google_camera_app drmserver_service:service_manager find;
     10 allow google_camera_app mediacodec_service:service_manager find;
     11 allow google_camera_app mediaextractor_service:service_manager find;
     12 allow google_camera_app mediaserver_service:service_manager find;
     13 allow google_camera_app mediametrics_service:service_manager find;
     14 allow google_camera_app nfc_service:service_manager find;
     15 allow google_camera_app surfaceflinger_service:service_manager find;
     16 
     17 allow google_camera_app hidl_token_hwservice:hwservice_manager find;
     18 
     19 # Execute libraries from RenderScript cache
     20 allow google_camera_app app_data_file:file { rx_file_perms };
     21 
     22 # Read memory info
     23 allow google_camera_app proc_meminfo:file r_file_perms;
     24 
     25 # gdbserver / stack traces
     26 allow google_camera_app self:process ptrace;
     27 
     28 # Access to Hexagon DSP kernel device
     29 allow google_camera_app adsprpcd_device:chr_file { r_file_perms };
     30 
     31 # Read and write system app data files passed over Binder.
     32 # Motivating case was /data/data/com.android.settings/cache/*.jpg for
     33 # cropping or taking user photos.
     34 allow google_camera_app system_app_data_file:file { read write getattr };
     35 
     36 # Read / execute vendor code from /vendor/lib[64]/dsp for HVX for Pixel Camera
     37 # TODO: b/37258244, This MUST be a specific exception instead of opening up
     38 # /vendor for the application. The policy build MUST also catch the violations
     39 r_dir_file(google_camera_app, vendor_file)
     40