Grant surfaceflinger and graphics allocator access to the secure heap

Transfers access permissions into the system policy which
would otherwise be set up on a per-device basis in exactly
the same recurring way.

For surfaceflinger it avoids errors when it
(via its dependent graphics libraries) tries to allocate
memory from the protected heap, e.g. when operating on a
Vulkan device with protected memory support.

Bug: 235618476
Change-Id: I7f9a176c067ead2f3bd38b8c34fc55fa39d87655
Jörg Wagner 2023-01-18 16:00:52 +00:00
parent b8194ca7fb
commit 213e1d8ea0
2 changed files with 6 additions and 0 deletions


@ -49,6 +49,9 @@ allow surfaceflinger graphics_device:chr_file rw_file_perms;
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;
# Access the secure heap.
allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
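Review bot: The new comment "# Access the secure heap." above the surfaceflinger rule restates the rule without saying why the grant belongs in the system policy for every device. The commit message has the reason (allocation from the protected heap through the dependent graphics libraries, e.g. on a Vulkan device with protected memory support); carrying that into the comment would let a later policy audit judge whether r_file_perms on dmabuf_system_secure_heap_device is still needed for surfaceflinger.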


@ -11,6 +11,9 @@ allow hal_graphics_allocator gpu_device:dir r_dir_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# Access the secure heap
allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
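Review bot: For the hal_graphics_allocator rule on dmabuf_system_secure_heap_device, neither the comment nor the commit message says why the allocator needs the secure heap; the message gives a rationale only for surfaceflinger. Suggest adding a line of rationale for the allocator, and a trailing period on "# Access the secure heap" so it matches the same comment in the surfaceflinger hunk.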