diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
index 5424bf1a..d6001c38 100644
--- a/tracking_denials/hal_camera_default.te
+++ b/tracking_denials/hal_camera_default.te
@@ -1,54 +1,7 @@
-# b/204718762
-dontaudit hal_camera_default edgetpu_vendor_service:service_manager { find };
-dontaudit hal_camera_default hal_power_service:service_manager { find };
 # b/205072921
 dontaudit hal_camera_default kernel:process { setsched };
-dontaudit hal_camera_default vendor_camera_prop:file { getattr };
-dontaudit hal_camera_default vendor_camera_prop:file { map };
-dontaudit hal_camera_default vendor_camera_prop:file { open };
-dontaudit hal_camera_default vendor_camera_prop:file { read };
-dontaudit hal_camera_default vendor_camera_prop:property_service { set };
-# b/205657133
-dontaudit hal_camera_default edgetpu_device:chr_file { ioctl };
-dontaudit hal_camera_default edgetpu_device:chr_file { map };
-dontaudit hal_camera_default edgetpu_device:chr_file { open };
-dontaudit hal_camera_default edgetpu_device:chr_file { read write };
-dontaudit hal_camera_default gpu_device:chr_file { getattr };
-dontaudit hal_camera_default gpu_device:chr_file { ioctl };
-dontaudit hal_camera_default gpu_device:chr_file { map };
-dontaudit hal_camera_default gpu_device:chr_file { open };
-dontaudit hal_camera_default gpu_device:chr_file { read write };
-dontaudit hal_camera_default lwis_device:chr_file { ioctl };
-dontaudit hal_camera_default lwis_device:chr_file { open };
-dontaudit hal_camera_default lwis_device:chr_file { read };
-dontaudit hal_camera_default lwis_device:chr_file { write };
-dontaudit hal_camera_default vndbinder_device:chr_file { ioctl };
-dontaudit hal_camera_default vndbinder_device:chr_file { map };
-dontaudit hal_camera_default vndbinder_device:chr_file { open };
-dontaudit hal_camera_default vndbinder_device:chr_file { read };
-dontaudit hal_camera_default vndbinder_device:chr_file { write };
 # b/205780065
-dontaudit hal_camera_default apex_info_file:file { getattr };
-dontaudit hal_camera_default apex_info_file:file { open };
-dontaudit hal_camera_default apex_info_file:file { read };
-dontaudit hal_camera_default apex_info_file:file { watch };
-dontaudit hal_camera_default mnt_vendor_file:dir { search };
-dontaudit hal_camera_default persist_file:dir { search };
 dontaudit hal_camera_default system_data_file:dir { search };
-dontaudit hal_camera_default vendor_camera_data_file:dir { getattr };
-dontaudit hal_camera_default vendor_camera_data_file:dir { open };
-dontaudit hal_camera_default vendor_camera_data_file:dir { read };
-dontaudit hal_camera_default vendor_camera_data_file:dir { search };
-dontaudit hal_camera_default vendor_camera_data_file:file { open };
-dontaudit hal_camera_default vendor_camera_data_file:file { read };
 # b/205904406
-dontaudit hal_camera_default hal_camera_default:capability { sys_nice };
-dontaudit hal_camera_default hal_power_default:binder { call };
-dontaudit hal_camera_default hal_radioext_default:binder { call };
 dontaudit hal_camera_default init:unix_stream_socket { connectto };
 dontaudit hal_camera_default property_socket:sock_file { write };
-dontaudit hal_camera_default system_server:binder { call };
-# b/207300298
-dontaudit hal_camera_default vendor_camera_data_file:file { getattr };
-# b/210067468
-dontaudit hal_camera_default persist_camera_file:dir { search };
diff --git a/whitechapel_pro/hal_camera_default.te b/whitechapel_pro/hal_camera_default.te
index 74b8a027..048368a8 100644
--- a/whitechapel_pro/hal_camera_default.te
+++ b/whitechapel_pro/hal_camera_default.te
@@ -1,13 +1,80 @@
-hal_client_domain(hal_camera_default, hal_power);
+type hal_camera_default_tmpfs, file_type;
+
+allow hal_camera_default self:global_capability_class_set sys_nice;
+
+binder_use(hal_camera_default);
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
 binder_call(hal_camera_default, edgetpu_vendor_server)
-binder_use(hal_camera_default)
 
-allow hal_camera_default fwk_stats_service:service_manager find;
+# Allow access to data files used by the camera HAL
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir rw_dir_perms;
+allow hal_camera_default persist_camera_file:file create_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
 
-# Allow camera HAL to query preferred camera frequencies from the radio HAL
-# extensions to avoid interference with cellular antennas.
-allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+# Allow creating dump files for debugging in non-release builds
+userdebug_or_eng(`
+  allow hal_camera_default vendor_camera_data_file:dir create_dir_perms;
+  allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+')
+
+# tmpfs is used by google3 prebuilts linked by the HAL to unpack data files
+# compiled into the shared libraries with cc_embed_data rules
+tmpfs_domain(hal_camera_default);
+
+# Allow access to camera-related system properties
+set_prop(hal_camera_default, vendor_camera_prop);
+set_prop(hal_camera_default, log_tag_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+userdebug_or_eng(`
+  set_prop(hal_camera_default, vendor_camera_fatp_prop);
+  set_prop(hal_camera_default, vendor_camera_debug_prop);
+')
 
 # For camera hal to talk with rlsservice
 allow hal_camera_default rls_service:service_manager find;
 binder_call(hal_camera_default, rlsservice)
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_graphics_composer)
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# Allow camera HAL to query preferred camera frequencies from the radio HAL
+# extensions to avoid interference with cellular antennas.
+allow hal_camera_default hal_radioext_hwservice:hwservice_manager find;
+binder_call(hal_camera_default, hal_radioext_default);
+
+# Allow camera HAL to connect to the stats service.
+allow hal_camera_default fwk_stats_service:service_manager find;
+
+# For observing apex file changes
+allow hal_camera_default apex_info_file:file r_file_perms;
+
+# Allow camera HAL to query current device clock frequencies.
+allow hal_camera_default sysfs_devfreq_cur:file r_file_perms;
+
+# allow camera HAL to read backlight of display
+allow hal_camera_default sysfs_leds:dir r_dir_perms;
+allow hal_camera_default sysfs_leds:file r_file_perms;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index f3e0c86d..bdad98e9 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -12,6 +12,8 @@ vendor_internal_prop(vendor_secure_element_prop)
 vendor_internal_prop(vendor_battery_profile_prop)
 vendor_internal_prop(vendor_battery_defender_prop)
 vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_usb_config_prop)
 vendor_internal_prop(vendor_tcpdump_log_prop)
 vendor_internal_prop(vendor_device_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 3dd44ea5..d1362f28 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -71,7 +71,10 @@ vendor.wlan.firmware.version               u:object_r:vendor_wifi_version:s0
 ro.vendor.hwc.drm.device                   u:object_r:vendor_display_prop:s0
 
 # Camera
+persist.vendor.camera.                     u:object_r:vendor_camera_prop:s0
 vendor.camera.                             u:object_r:vendor_camera_prop:s0
+vendor.camera.debug.                       u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp.                        u:object_r:vendor_camera_fatp_prop:s0
 
 # for logger app
 persist.vendor.pixellogger.                u:object_r:vendor_logger_prop:s0