| type gallery_app, domain, coredomain; |
| |
| app_domain(gallery_app) |
| net_domain(gallery_app) |
| |
| # Access standard system services |
| allow gallery_app app_api_service:service_manager find; |
| allow gallery_app audioserver_service:service_manager find; |
| allow gallery_app cameraserver_service:service_manager find; |
| allow gallery_app drmserver_service:service_manager find; |
| allow gallery_app mediaextractor_service:service_manager find; |
| allow gallery_app mediaserver_service:service_manager find; |
| allow gallery_app mediametrics_service:service_manager find; |
| allow gallery_app nfc_service:service_manager find; |
| allow gallery_app surfaceflinger_service:service_manager find; |
| |
| allow gallery_app hidl_token_hwservice:hwservice_manager find; |
| |
| # Allow to read and execute camera app modules |
| typeattribute gallery_app system_executes_vendor_violators; |
| allow gallery_app vendor_file:file { rx_file_perms }; |
| |
| # Read and write system app data files passed over Binder. |
| # Motivating case was /data/data/com.android.settings/cache/*.jpg for |
| # cropping or taking user photos. |
| allow gallery_app system_app_data_file:file { read write getattr }; |
| |
| # Binder call with gpuservice |
| binder_call(gallery_app, gpuservice) |