Move gpu_device type and rules to core policy.

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-12 09:09:53 -05:00 · 2013-12-12 09:09:53 -05:00 · 3ba9012535
commit 3ba9012535
parent cf6b350a32
4 changed files with 10 additions and 0 deletions
--- a/app.te
+++ b/app.te
@ -74,6 +74,10 @@ allow appdomain qtaguid_proc:file rw_file_perms;
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;

+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.
--- a/device.te
+++ b/device.te
@ -17,6 +17,8 @@ type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@ -15,6 +15,9 @@ binder_call(surfaceflinger, system_server)
 binder_service(surfaceflinger)
 allow surfaceflinger init:binder transfer;

+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
 allow surfaceflinger graphics_device:chr_file rw_file_perms;
--- a/system_server.te
+++ b/system_server.te
@ -110,6 +110,7 @@ allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server graphics_device:dir search;
 allow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;