type google_camera_app, domain, coredomain;

app_domain(google_camera_app)

# Access standard system services
allow google_camera_app app_api_service:service_manager find;
allow google_camera_app audioserver_service:service_manager find;
allow google_camera_app cameraserver_service:service_manager find;
allow google_camera_app drmserver_service:service_manager find;
allow google_camera_app mediacodec_service:service_manager find;
allow google_camera_app mediaextractor_service:service_manager find;
allow google_camera_app mediaserver_service:service_manager find;
allow google_camera_app mediametrics_service:service_manager find;
allow google_camera_app nfc_service:service_manager find;
allow google_camera_app surfaceflinger_service:service_manager find;

allow google_camera_app hidl_token_hwservice:hwservice_manager find;

# Execute libraries from RenderScript cache
allow google_camera_app app_data_file:file { rx_file_perms };

# Read memory info
allow google_camera_app proc_meminfo:file r_file_perms;

# gdbserver / stack traces
allow google_camera_app self:process ptrace;

# Access to Hexagon DSP kernel device
allow google_camera_app adsprpcd_device:chr_file { r_file_perms };

# Read and write system app data files passed over Binder.
# Motivating case was /data/data/com.android.settings/cache/*.jpg for
# cropping or taking user photos.
allow google_camera_app system_app_data_file:file { read write getattr };

# Read / execute vendor code from /vendor/lib[64]/dsp for HVX for Pixel Camera
# TODO: b/37258244, This MUST be a specific exception instead of opening up
# /vendor for the application. The policy build MUST also catch the violations
r_dir_file(google_camera_app, vendor_file)