vendor/qcom/common/easel.te - device/google/crosshatch-sepolicy - Git at Google

 # easel service
 type easel, domain;
 type easel_exec, exec_type, vendor_file_type, file_type;

 init_daemon_domain(easel)

 hwbinder_use(easel)
 add_hwservice(easel, hal_paintbox_hwservice)
 get_prop(easel, hwservicemanager_prop)

 # access easel dev nodes
 allow easel easel_device:chr_file rw_file_perms;
 allow easel sysfs_easel:file rw_file_perms;
 allow easel sysfs_easel:dir r_dir_perms;

 # access easel thermal sysfs
 allow easel sysfs_thermal:dir r_dir_perms;
 allow easel sysfs_thermal:file r_file_perms;
 allow easel sysfs_thermal:lnk_file r_file_perms;

 # access "/proc/stat"
 allow easel proc_stat:file r_file_perms;

 allow easel google_camera_app:binder call;
 allow easel hal_camera_default:binder call;
 allow easel hal_neuralnetworks_paintbox:binder call;

 allow easel hal_graphics_allocator_default:fd use;
 allow easel ion_device:chr_file r_file_perms;

 # access to keychain for kernel based authentication
 allow easel kernel:key search;
	# easel service
	type easel, domain;
	type easel_exec, exec_type, vendor_file_type, file_type;

	init_daemon_domain(easel)

	hwbinder_use(easel)
	add_hwservice(easel, hal_paintbox_hwservice)
	get_prop(easel, hwservicemanager_prop)

	# access easel dev nodes
	allow easel easel_device:chr_file rw_file_perms;
	allow easel sysfs_easel:file rw_file_perms;
	allow easel sysfs_easel:dir r_dir_perms;

	# access easel thermal sysfs
	allow easel sysfs_thermal:dir r_dir_perms;
	allow easel sysfs_thermal:file r_file_perms;
	allow easel sysfs_thermal:lnk_file r_file_perms;

	# access "/proc/stat"
	allow easel proc_stat:file r_file_perms;

	allow easel google_camera_app:binder call;
	allow easel hal_camera_default:binder call;
	allow easel hal_neuralnetworks_paintbox:binder call;

	allow easel hal_graphics_allocator_default:fd use;
	allow easel ion_device:chr_file r_file_perms;

	# access to keychain for kernel based authentication
	allow easel kernel:key search;