get_prop(domain, camera_prop)

dontaudit domain self:capability sys_module;

# limit the socket ioctl commands granted to all domain processes.
# Only allow unprivilaged commands unless explicitly granted.
allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
  ioctl { unpriv_sock_ioctls unpriv_tty_ioctls };

# unix/stream sockets are already locked down in core policy.
# Ioctl commands on the socket class are used in a few domains. e.g. location.
# Whitelisting command 0 (a no-op command) forces all domains to specify a
# whitelist when using the following socket classes.
# TODO remove the ioctl command for socket classes that do not use it.
allowxperm domain domain:{
  socket
  netlink_generic_socket
  netlink_kobject_uevent_socket
  tun_socket
  netlink_socket
  netlink_tcpdiag_socket
  netlink_nflog_socket
  packet_socket
  netlink_xfrm_socket
  netlink_audit_socket
  netlink_netfilter_socket
  key_socket
} ioctl { 0 };

# line in the (se)sand: DO NOT grant net_admin capability!
neverallow {
  domain
  -bluetooth
  -clatd
  -dhcp
  -dnsmasq
  -dumpstate
  -healthd
  -hostapd
  -init
  -netd
  -ppp
  -racoon
  -rild
  -system_server
  -ueventd
  -vold
  -wpa
  # device specific
  -netmgrd
  -cnss-daemon # STOPSHIP b/28340421
  -cnss_diag   # STOPSHIP b/28340421
  -location    # STOPSHIP b/28340421
} self:capability net_admin;

neverallow domain *:{
  appletalk_socket
  netlink_firewall_socket
  netlink_ip6fw_socket
  netlink_dnrt_socket
  netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
  netlink_scsitransport_socket
  netlink_rdma_socket netlink_crypto_socket
} *;