diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
new file mode 100644
index 00000000..036cccd7
--- /dev/null
+++ b/sepolicy/vendor/app.te
@@ -0,0 +1,2 @@
+# For the camera app
+get_prop(appdomain, camera_prop)
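Review bot: `get_prop(appdomain, camera_prop)` gives every app domain read access to camera_prop, whereas the rule it replaces (deleted from untrusted_app.te in this same commit) was scoped to untrusted_app. The comment still says "For the camera app", and google_camera_app.te already adds its own `get_prop(google_camera_app, camera_prop)`, so the appdomain-wide grant looks wider than the stated purpose. If GoogleCamera is the only consumer, this file can be dropped in favour of the rule in google_camera_app.te. If other app domains do read these properties, the comment should name them.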
diff --git a/sepolicy/vendor/certs/app.x509.pem b/sepolicy/vendor/certs/app.x509.pem
new file mode 100644
index 00000000..8e3e6273
--- /dev/null
+++ b/sepolicy/vendor/certs/app.x509.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----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=
+-----END CERTIFICATE-----
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 79d37718..2d6e5d31 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -69,3 +69,5 @@ type sysfs_data, fs_type, sysfs_type;
#diag sysfs files
type sysfs_diag, fs_type, sysfs_type;
+
+type hexagon_halide_file, vendor_file_type, file_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 3fb52435..aa851ccb 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -283,9 +283,9 @@
# libGLESv2_adreno depends on this
/vendor/lib(64)?/libllvm-glnext\.so u:object_r:same_process_hal_file:s0
-# Loaded by native loader (zygote) for all processes
-/vendor/lib(64)?/libhalide_hexagon_host\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libadsprpc\.so u:object_r:same_process_hal_file:s0
+# Hexagon DSP host runtime and DSP-side executable needed for Halide operation
+/vendor/lib(64)?/libadsprpc\.so u:object_r:hexagon_halide_file:s0
+/vendor/lib/dsp/fastrpc_shell_0 u:object_r:hexagon_halide_file:s0
# data files
/data/misc/radio(/.*)? u:object_r:radio_data_file:s0
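Review bot: `fastrpc_shell_0` and `libadsprpc.so` share the single type hexagon_halide_file, and both google_camera_app.te and tango_core.te grant `execute` on that type. The comment describes fastrpc_shell_0 as the DSP-side executable, so the app process presumably only needs to read it. Giving the DSP image its own type would let the app domains hold `{ read open getattr }` on it and keep `execute` for the host library alone. Separately, the `libhalide_hexagon_host\.so` entry is removed without a replacement, so that library falls back to whatever the generic /vendor/lib rule assigns; confirm that no app domain still needs to load it.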
diff --git a/sepolicy/vendor/google_camera_app.te b/sepolicy/vendor/google_camera_app.te
new file mode 100644
index 00000000..17c93973
--- /dev/null
+++ b/sepolicy/vendor/google_camera_app.te
@@ -0,0 +1,41 @@
+type google_camera_app, domain, coredomain;
+
+app_domain(google_camera_app)
+
+# Access standard system services
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app drmserver_service:service_manager find;
+allow google_camera_app mediacodec_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app nfc_service:service_manager find;
+allow google_camera_app surfaceflinger_service:service_manager find;
+
+allow google_camera_app hidl_token_hwservice:hwservice_manager find;
+
+# Execute libraries from RenderScript cache
+allow google_camera_app app_data_file:file { rx_file_perms };
+
+# Read memory info
+allow google_camera_app proc_meminfo:file r_file_perms;
+
+# gdbserver / stack traces
+allow google_camera_app self:process ptrace;
+
+# Access to Hexagon DSP kernel device
+allow google_camera_app qdsp_device:chr_file { r_file_perms };
+
+# Read and write system app data files passed over Binder.
+# Motivating case was /data/data/com.android.settings/cache/*.jpg for
+# cropping or taking user photos.
+allow google_camera_app system_app_data_file:file { read write getattr };
+
+# Allow GoogleCamera access to necessary vendor libraries to execute
+# Halide code
+allow google_camera_app hexagon_halide_file:file { execute read open getattr };
+
+# Access to persist.camera.* system properties
+get_prop(google_camera_app, camera_prop)
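Review bot: `allow google_camera_app self:process ptrace;` is commented as being for gdbserver / stack traces, yet it is granted on every build type. Because this domain also reaches qdsp_device, consider wrapping the rule in the `userdebug_or_eng()` macro if it is only a debugging aid. The `qdsp_device:chr_file { r_file_perms }` rule includes ioctl, and no `allowxperm` narrowing is visible in this commit, so unless the type is restricted elsewhere the app can issue any ioctl the driver accepts. A short header comment saying why the app needs its own domain (the seapp_contexts comment cites Hexagon DSP access) would help readers tell which rules are specific to it.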
diff --git a/sepolicy/vendor/keys.conf b/sepolicy/vendor/keys.conf
index f9839020..9ee9c3b3 100644
--- a/sepolicy/vendor/keys.conf
+++ b/sepolicy/vendor/keys.conf
@@ -8,3 +8,6 @@ ALL : device/google/wahoo/sepolicy/vendor/certs/tango_release.x509.pem
ENG : device/google/wahoo/sepolicy/vendor/certs/tango.x509.pem
USERDEBUG : device/google/wahoo/sepolicy/vendor/certs/tango.x509.pem
USER : device/google/wahoo/sepolicy/vendor/certs/tango_userdev.x509.pem
+
+[@GOOGLE]
+ALL : device/google/wahoo/sepolicy/vendor/certs/app.x509.pem
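Review bot: The `[@GOOGLE]` entry uses one certificate for `ALL` build variants, and the file name app.x509.pem does not say which signing key it is. This key is what lets a package be assigned `seinfo=google` and so enter google_camera_app, presumably through the mac_permissions.xml signer entry, whose added lines are not visible here. A comment above the section naming the key and its owner would make that trust decision auditable, e.g. `# Signing cert for GoogleCamera; selects seinfo=google used in seapp_contexts`.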
diff --git a/sepolicy/vendor/mac_permissions.xml b/sepolicy/vendor/mac_permissions.xml
index d9e8125d..6cecc1f6 100644
--- a/sepolicy/vendor/mac_permissions.xml
+++ b/sepolicy/vendor/mac_permissions.xml
@@ -21,6 +21,9 @@
- The default tag is consulted last if needed.
-->
+
+
+
diff --git a/sepolicy/vendor/seapp_contexts b/sepolicy/vendor/seapp_contexts
index 9c658208..e58c118e 100644
--- a/sepolicy/vendor/seapp_contexts
+++ b/sepolicy/vendor/seapp_contexts
@@ -14,3 +14,6 @@ user=_app seinfo=tango name=com.google.tango.* domain=tango_core type=app_data_f
user=_app seinfo=tango name=com.google.tango:app domain=untrusted_app type=app_data_file levelFrom=user
user=_app seinfo=platform name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
+
+# Use a custom domain for GoogleCamera, to allow for Hexagon DSP access
+user=_app seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=user
diff --git a/sepolicy/vendor/tango_core.te b/sepolicy/vendor/tango_core.te
index 4a736eb4..5db7191d 100644
--- a/sepolicy/vendor/tango_core.te
+++ b/sepolicy/vendor/tango_core.te
@@ -11,3 +11,6 @@ allow tango_core vendor_file:file { getattr open read };
allow tango_core app_api_service:service_manager find;
allow tango_core surfaceflinger_service:service_manager find;
allow tango_core cameraserver_service:service_manager find;
+
+# Allow access to necessary vendor libraries to execute Hexagon code
+allow tango_core hexagon_halide_file:file { execute read open getattr };
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
deleted file mode 100644
index 504b93ff..00000000
--- a/sepolicy/vendor/untrusted_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# For the camera app
-get_prop(untrusted_app, camera_prop)