diff --git a/private/adbd.te b/private/adbd.te
index c5c5cc211..48fa849cd 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -129,6 +129,7 @@ binder_call(adbd, surfaceflinger)
 binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
+allow adbd gpu_device:dir r_dir_perms;
 allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)
diff --git a/private/app.te b/private/app.te
index 436af5a73..557054459 100644
--- a/private/app.te
+++ b/private/app.te
@@ -302,6 +302,9 @@ userdebug_or_eng(`
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
 allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
+allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
+allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
+
 # Use the Binder.
 binder_use(appdomain)
diff --git a/private/bluetooth.te b/private/bluetooth.te
index 0c02de376..d548e8018 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -36,6 +36,9 @@ allow bluetooth efs_file:dir search;
 # allow Bluetooth to access uhid device for HID profile
 allow bluetooth uhid_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:chr_file rw_file_perms;
+allow bluetooth gpu_device:dir r_dir_perms;
+
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
diff --git a/private/cameraserver.te b/private/cameraserver.te
index 2be3c9ea3..96d7dbde4 100644
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@@ -4,3 +4,6 @@ typeattribute cameraserver camera_service_server;
 init_daemon_domain(cameraserver)
 tmpfs_domain(cameraserver)
+
+allow cameraserver gpu_device:chr_file rw_file_perms;
+allow cameraserver gpu_device:dir r_dir_perms;
diff --git a/private/compat/32.0/32.0.ignore.cil b/private/compat/32.0/32.0.ignore.cil
index 58dba5934..41d3e56cd 100644
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
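Review bot: `allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;` makes every file under `/sys/class/gpu` (labelled sysfs_gpu by the genfs_contexts hunk) readable by all non-isolated apps, and the diff does not show which nodes vendor GPU drivers publish there, so what is exposed to apps is whatever the driver chooses to export. The existing rules in this hunk carry a rationale comment and the new ones should too, e.g. `# Read GPU sysfs nodes under /sys/class/gpu (sysfs_gpu).`. Unless domain-wide policy already grants `sysfs_type:dir search`, apps would also need `sysfs_gpu:dir search` to reach those files; worth confirming against public/domain.te before relying on this rule.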
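Review bot: The new `allow bluetooth gpu_device:chr_file rw_file_perms;` has no comment explaining why Bluetooth needs the GPU character device, while the neighbouring uhid rule in the same hunk does, and read/write on that node exposes the vendor GPU driver's ioctl interface to the domain. The same undocumented chr_file grant appears for cameraserver (this line), mediaswcodec and hal_camera_default, and mediaprovider_app and mediatranscoding are widened from `gpu_device:dir search` to full read/write on the device. Record the reason and tracking bug next to each rule as adbd.te does, e.g. `# GPU access needed for <feature> - b/<bug id>`.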
@@ -65,6 +65,7 @@
 smart_idle_maint_enabled_prop
 snapuserd_proxy_socket
 sysfs_fs_fuse_bpf
+ sysfs_gpu
 sysfs_lru_gen_enabled
 system_dlkm_file
 tare_service
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 2f1f84d8d..1c604fc34 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -123,6 +123,7 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
+genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
 genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 630183e73..a9a52bbe8 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -59,7 +59,8 @@ get_prop(mediaprovider_app, storage_config_prop)
 get_prop(mediaprovider_app, drm_service_config_prop)
-allow mediaprovider_app gpu_device:dir search;
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
+allow mediaprovider_app gpu_device:dir r_dir_perms;
 dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
 dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
diff --git a/private/mediatranscoding.te b/private/mediatranscoding.te
index 817416d16..829d9483c 100644
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@@ -42,7 +42,8 @@ unix_socket_send(mediatranscoding, statsdw, statsd)
 # Allow mediatranscoding to access the DMA-BUF system heap
 allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediatranscoding gpu_device:dir search;
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
+allow mediatranscoding gpu_device:dir r_dir_perms;
 # Allow mediatranscoding service to access media-related system properties
 get_prop(mediatranscoding, media_config_prop)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 5223b50d5..123fc6952 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -38,6 +38,8 @@ r_dir_file(surfaceflinger, appdomain)
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
+allow surfaceflinger gpu_device:dir r_dir_perms;
+allow surfaceflinger sysfs_gpu:file r_file_perms;
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
diff --git a/private/system_server.te b/private/system_server.te
index 8fc032fe7..927ef10af 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -451,6 +451,8 @@ allow system_server sysfs_usb:file w_file_perms;
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
+allow system_server gpu_device:dir r_dir_perms;
+allow system_server sysfs_gpu:file r_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
diff --git a/public/bootanim.te b/public/bootanim.te
index 88fe17365..9c7a0eea6 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -13,6 +13,8 @@ binder_call(bootanim, audioserver)
 hwbinder_use(bootanim)
 allow bootanim gpu_device:chr_file rw_file_perms;
+allow bootanim gpu_device:dir r_dir_perms;
+allow bootanim sysfs_gpu:file r_file_perms;
 # /oem access
 allow bootanim oemfs:dir search;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index 871403ada..2c75f3048 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -188,6 +188,7 @@ allow dumpstate nfc_logs_data_file:file r_file_perms;
 # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
 allow dumpstate gpu_device:chr_file rw_file_perms;
+allow dumpstate gpu_device:dir r_dir_perms;
 # logd access
 read_logd(dumpstate)
diff --git a/public/file.te b/public/file.te
index 8867ebb43..9d333f5de 100644
--- a/public/file.te
+++ b/public/file.te
@@ -106,6 +106,7 @@ type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_loop, fs_type, sysfs_type;
+type sysfs_gpu, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index b6d5d9213..7ef27113a 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -7,6 +7,7 @@ allow hal_graphics_allocator_client same_process_hal_file:file { execute read op
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
+allow hal_graphics_allocator gpu_device:dir r_dir_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index 3dbc1d8e6..e99d45f74 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -15,6 +15,7 @@ allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manag
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer gpu_device:dir r_dir_perms;
 allow hal_graphics_composer ion_device:chr_file r_file_perms;
 allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_graphics_composer hal_graphics_allocator:fd use;
diff --git a/public/mediaserver.te b/public/mediaserver.te
index 0275532fd..621b6d786 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -33,6 +33,7 @@ allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
 allow mediaserver { sdcard_type fuse }:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
+allow mediaserver gpu_device:dir r_dir_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/mediaswcodec.te b/public/mediaswcodec.te
index 5726842a7..edbab03ee 100644
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@@ -25,3 +25,5 @@ neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
+allow mediaswcodec gpu_device:chr_file rw_file_perms;
+allow mediaswcodec gpu_device:dir r_dir_perms;
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 5bc4a6191..b0912d48d 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -9,3 +9,6 @@ allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
 # For collecting bugreports.
 allow hal_camera_default dumpstate:fd use;
 allow hal_camera_default dumpstate:fifo_file write;
+
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:dir r_dir_perms;
diff --git a/vendor/mediacodec.te b/vendor/mediacodec.te
index 8587e129d..84f24219a 100644
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@@ -17,6 +17,7 @@ hal_client_domain(mediacodec, hal_allocator)
 hal_client_domain(mediacodec, hal_graphics_allocator)
 allow mediacodec gpu_device:chr_file rw_file_perms;
+allow mediacodec gpu_device:dir r_dir_perms;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;