Comment 5 for bug 1230366

Sigh, this was not clear. Option #2 is: write a shim on the Ubuntu side that apps talk to. The shim talks to the binder camera service. The binder camera service verifies the apparmor label of the connecting process and rejects all connections not from the shim.