Merge "Adds GPU sepolicy to support devices with DRM gralloc/rendering" am: ce19c41b8f am: f54bcca352

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1999610

Change-Id: I8e4acb5727ff75a164899cd809151d15ddd71925
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

private/adbd.te

@@ -129,6 +129,7 @@ binder_call(adbd, surfaceflinger)
 binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd gpu_device:dir r_dir_perms;
 allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)
 

private/app.te

@@ -302,6 +302,9 @@ userdebug_or_eng(`
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
 allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+
 
 # Use the Binder.
 binder_use(appdomain)

private/bluetooth.te

@@ -36,6 +36,9 @@ allow bluetooth efs_file:dir search;
 # allow Bluetooth to access uhid device for HID profile
 allow bluetooth uhid_device:chr_file rw_file_perms;
 
+allow bluetooth gpu_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:dir r_dir_perms;
+
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
 

private/cameraserver.te

@@ -4,3 +4,6 @@ typeattribute cameraserver camera_service_server;
 
 init_daemon_domain(cameraserver)
 tmpfs_domain(cameraserver)
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;

private/compat/32.0/32.0.ignore.cil

@@ -65,6 +65,7 @@
     smart_idle_maint_enabled_prop
     snapuserd_proxy_socket
     sysfs_fs_fuse_bpf
+    sysfs_gpu
     sysfs_lru_gen_enabled
     system_dlkm_file
     tare_service

private/genfs_contexts

@@ -123,6 +123,7 @@ genfscon sysfs /devices/cs_etm                    u:object_r:sysfs_devices_cs_et
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/gpu                         u:object_r:sysfs_gpu:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0

private/mediaprovider_app.te

@@ -59,7 +59,8 @@ get_prop(mediaprovider_app, storage_config_prop)
 
 get_prop(mediaprovider_app, drm_service_config_prop)
 
-allow mediaprovider_app gpu_device:dir search;
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
+allow mediaprovider_app gpu_device:dir r_dir_perms;
 
 dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
 dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;

private/mediatranscoding.te

@@ -42,7 +42,8 @@ unix_socket_send(mediatranscoding, statsdw, statsd)
 # Allow mediatranscoding to access the DMA-BUF system heap
 allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
 
-allow mediatranscoding gpu_device:dir search;
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
+allow mediatranscoding gpu_device:dir r_dir_perms;
 
 # Allow mediatranscoding service to access media-related system properties
 get_prop(mediatranscoding, media_config_prop)

private/surfaceflinger.te

@@ -38,6 +38,8 @@ r_dir_file(surfaceflinger, appdomain)
 
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_gpu:file r_file_perms;
 
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;

private/system_server.te

@@ -451,6 +451,8 @@ allow system_server sysfs_usb:file w_file_perms;
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_gpu:file r_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;

public/bootanim.te

@@ -13,6 +13,8 @@ binder_call(bootanim, audioserver)
 hwbinder_use(bootanim)
 
 allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
 
 # /oem access
 allow bootanim oemfs:dir search;

public/dumpstate.te

@@ -188,6 +188,7 @@ allow dumpstate nfc_logs_data_file:file r_file_perms;
 
 # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
 allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
 
 # logd access
 read_logd(dumpstate)

public/file.te

@@ -106,6 +106,7 @@ type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_loop, fs_type, sysfs_type;
+type sysfs_gpu, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;

public/hal_graphics_allocator.te

@@ -7,6 +7,7 @@ allow hal_graphics_allocator_client same_process_hal_file:file { execute read op
 
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator gpu_device:dir r_dir_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
 

public/hal_graphics_composer.te

@@ -15,6 +15,7 @@ allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manag
 
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
 allow hal_graphics_composer ion_device:chr_file r_file_perms;
 allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_graphics_composer hal_graphics_allocator:fd use;

public/mediaserver.te

@@ -33,6 +33,7 @@ allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
 allow mediaserver { sdcard_type fuse }:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 

public/mediaswcodec.te

@@ -25,3 +25,5 @@ neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 
 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;

vendor/hal_camera_default.te

@@ -9,3 +9,6 @@ allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
 # For collecting bugreports.
 allow hal_camera_default dumpstate:fd use;
 allow hal_camera_default dumpstate:fifo_file write;
+
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:dir r_dir_perms;

vendor/mediacodec.te

@@ -17,6 +17,7 @@ hal_client_domain(mediacodec, hal_allocator)
 hal_client_domain(mediacodec, hal_graphics_allocator)
 
 allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;