      # SELinux type-enforcement rules for the google_camera_app domain.
      # The type carries the coredomain attribute, which is relevant to the
      # vendor_file grant at the end of this file.
      type google_camera_app, domain, coredomain;

      # Baseline application permissions and network access, both supplied by the
      # standard AOSP policy macros.
      app_domain(google_camera_app)
      net_domain(google_camera_app)

      # Standard system services this domain may look up through servicemanager.
      # Each entry widens the Binder surface reachable from the app, so the list
      # should stay limited to services the app really calls.
      allow google_camera_app {
          app_api_service
          audioserver_service
          cameraserver_service
          drmserver_service
          mediacodec_service
          mediaextractor_service
          mediaserver_service
          mediametrics_service
          nfc_service
          surfaceflinger_service
      }:service_manager find;

      # Lookup of the HIDL token service through hwservicemanager.
      allow google_camera_app hidl_token_hwservice:hwservice_manager find;

      # Load and execute libraries from the RenderScript cache.
      # NOTE(review): the rule names the whole app_data_file type, so read and
      # execute apply to every file with that label this domain can reach, not
      # only the RenderScript cache. Confirm whether a narrower label is possible.
      allow google_camera_app app_data_file:file rx_file_perms;

      # Memory statistics from /proc (proc_meminfo), read-only.
      allow google_camera_app proc_meminfo:file r_file_perms;

      # Debugging support: gdbserver / stack traces. The target is `self`, so the
      # permission is limited to processes running in this same domain.
      # NOTE(review): the rule is unconditional here; confirm it is required on
      # user builds rather than only inside userdebug_or_eng().
      allow google_camera_app self:process ptrace;

      # Hexagon DSP kernel device node. r_file_perms includes ioctl, so the
      # driver's ioctl interface is reachable from this domain; no allowxperm
      # filter for it is visible in this file.
      allow google_camera_app adsprpcd_device:chr_file r_file_perms;

      # System app data files handed over via Binder, for reading and writing.
      # Motivating case was /data/data/com.android.settings/cache/*.jpg for
      # cropping or taking user photos.
      # `open` is not granted: the app can use descriptors passed to it but cannot
      # open these files by path.
      allow google_camera_app system_app_data_file:file { getattr read write };

      # Read / execute vendor code from /vendor/lib[64]/dsp for HVX for Pixel Camera
      # TODO: b/37258244, This MUST be a specific exception instead of opening up
      # /vendor for the application. The policy build MUST also catch the violations
      # NOTE(review): the grant covers everything labelled vendor_file, not just the
      # dsp directory, and it is made to a coredomain type. r_dir_file, as defined
      # in AOSP te_macros, gives read-only access to directories, files and
      # symlinks; confirm where the "execute" mentioned above is granted.
      r_dir_file(google_camera_app, vendor_file)