Merge "Enforce sepolicy for Google Camera App." into udc-d1-dev am: 9f7dec1023 am: bc2fb0e761 am: de77c8b0ac

Original change: https://googleplex-android-review.googlesource.com/c/device/google/zuma-sepolicy/+/22908419

Change-Id: I8bea0257ca6fbec1341283346e81c67748571fc3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

tracking_denials/google_camera_app.te

@@ -1,7 +0,0 @@
-# b/264490031
-userdebug_or_eng(`
-  permissive google_camera_app;
-')
-# b/277300017
-dontaudit google_camera_app cameraserver_service:service_manager { find };
-dontaudit google_camera_app mediaserver_service:service_manager { find };

vendor/google_camera_app.te

@@ -2,13 +2,6 @@ type google_camera_app, domain, coredomain;
 app_domain(google_camera_app)
 net_domain(google_camera_app)
 
-# Allows camera app to access the GXP device.
-allow google_camera_app gxp_device:chr_file rw_file_perms;
-
-# Allows camera app to access the PowerHAL.
-hal_client_domain(google_camera_app, hal_power)
-
-# Allow camera app to access the a subset of app services.
 allow google_camera_app app_api_service:service_manager find;
 allow google_camera_app audioserver_service:service_manager find;
 allow google_camera_app cameraserver_service:service_manager find;
@@ -16,7 +9,14 @@ allow google_camera_app mediaextractor_service:service_manager find;
 allow google_camera_app mediametrics_service:service_manager find;
 allow google_camera_app mediaserver_service:service_manager find;
 
-# Allows GCA to access the EdgeTPU device.
+# Allows GCA to acccess the GXP device and search for the firmware file.
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app vendor_fw_file:dir search;
+
+# Allows GCA to access the PowerHAL.
+hal_client_domain(google_camera_app, hal_power)
+
+# Allows GCA to find and access the EdgeTPU.
 allow google_camera_app edgetpu_app_service:service_manager find;
 allow google_camera_app edgetpu_device:chr_file { getattr read write ioctl map };