| ## Custom security policy for Google Camera App, the default camera application on Pixel devices. |
| ## |
| ## Google Camera App is a standard app for the most part, but on Pixel devices |
| ## it has access to hardware accelerators such as Hexagon and Airbrush. |
| ## |
| ## This policy defines the extra rules that are necessary for that access |
| ## and that reference private core sepolicy. |
| |
| # Duplicate all access that a normal untrusted_app has, except for untrusted_app_domain(), which is not applied here |
| app_domain(google_camera_app) |
| net_domain(google_camera_app) |
| bluetooth_domain(google_camera_app) |
| |
| # Write app-specific trace data to the Perfetto traced daemon. This requires |
| # connecting to its producer socket and obtaining a (per-process) tmpfs fd. |
| # |
| # Rule by rule: |
| #   - traced:fd use lets this domain use file descriptors owned by traced. |
| #   - traced_tmpfs:file grants read/write/getattr/map only. The "open" |
| #     permission is not in the set, so these rules cover an fd that was |
| #     handed over, not opening traced_tmpfs files by path. |
| #   - unix_socket_connect() covers the connection to the traced_producer |
| #     socket served by the traced domain. |
| # NOTE(review): keep the permission set this narrow; adding "open" or |
| # "create" here would widen access beyond what the comment above describes. |
| allow google_camera_app traced:fd use; |
| allow google_camera_app traced_tmpfs:file { read write getattr map }; |
| unix_socket_connect(google_camera_app, traced_producer, traced) |
| |
| # Allow heap profiling if the app opts in by being marked |
| # profileable/debuggable. |
| can_profile_heap(google_camera_app) |
| |