From 22a75c85a43612d037f64991a9e9c89f6fbd6313 Mon Sep 17 00:00:00 2001
From: Konsta
Date: Fri, 28 Mar 2025 13:54:23 +0200
Subject: [PATCH] sepolicy: various fixes for graphics
---
 sepolicy/file_contexts | 10 +++-------
 sepolicy/genfs_contexts | 9 ++++++---
 sepolicy/hal_camera.te | 6 ++----
 sepolicy/mediaprovider.te | 1 -
 sepolicy/mediaswcodec.te | 1 -
 sepolicy/te_macros | 7 ++++---
 6 files changed, 15 insertions(+), 19 deletions(-)
 delete mode 100644 sepolicy/mediaprovider.te
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 8ec2492..bb52328 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -14,12 +14,7 @@
 /vendor/bin/hw/android\.hardware\.media\.c2@1\.2-service-ffmpeg u:object_r:mediacodec_exec:s0
 # Graphics
-/dev/dri u:object_r:gpu_device:s0
-/dev/dri/card0 u:object_r:gpu_device:s0
-/dev/dri/card1 u:object_r:gpu_device:s0
-/dev/dri/card2 u:object_r:gpu_device:s0
-/dev/dri/card3 u:object_r:gpu_device:s0
-/dev/dri/renderD128 u:object_r:gpu_device:s0
+/dev/dri(/.*)? u:object_r:gpu_device:s0
 /vendor/bin/hw/android\.hardware\.graphics\.allocator-service\.minigbm_gbm_mesa u:object_r:hal_graphics_allocator_default_exec:s0
 /vendor/lib(64)?/hw/mapper\.minigbm_gbm_mesa\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/vulkan\.broadcom\.so u:object_r:same_process_hal_file:s0
@@ -27,9 +22,10 @@
 /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgallium_dri\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgbm_mesa\.so u:object_r:same_process_hal_file:s0
-/vendor/lib{64}?/libgbm_mesa_wrapper\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgbm_mesa_wrapper\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libminigbm_gralloc_gbm_mesa\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libminigbm_gralloc4_utils_gbm_mesa\.so u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libui\.so u:object_r:same_process_hal_file:s0
 # Lights
 /sys/class/backlight/11-0045/brightness u:object_r:sysfs_leds:s0
diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts
index 6a3a935..a789cbd 100644
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@@ -1,3 +1,6 @@
-genfscon sysfs /devices/platform/v3dbus/fec00000.v3d/uevent u:object_r:sysfs_gpu:s0
-genfscon sysfs /devices/platform/gpu/uevent u:object_r:sysfs_gpu:s0
-genfscon sysfs /firmware/devicetree/base/serial-number u:object_r:sysfs_dt_firmware_android:s0
+# Graphics
+genfscon sysfs /devices/platform/axi/1002000000.v3d u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/axi/axi:gpu u:object_r:sysfs_gpu:s0
+
+# Serial number
+genfscon sysfs /firmware/devicetree/base/serial-number u:object_r:sysfs_dt_firmware_android:s0
diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te
index aefd2fe..3a9e61f 100644
--- a/sepolicy/hal_camera.te
+++ b/sepolicy/hal_camera.te
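Review bot: The new `/vendor/lib(64)?/libui\.so` entry gives a vendor copy of libui the `same_process_hal_file` label, which marks code that is loaded into arbitrary client processes, untrusted apps included, so it should carry that label only if the minigbm gbm_mesa mapper really needs it in-process — presumably it does, but neither the hunk nor the commit message says so. If the library is only a dependency of the allocator service, leaving it with the default vendor file label keeps the set of app-loadable vendor code as small as possible. A one-line comment above the entry would make the intent reviewable, e.g. `# libui.so: pulled into client processes by the gbm_mesa mapper, hence same_process_hal_file` (adjusted to whatever the actual dependency is).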
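Review bot: The two new `genfscon` entries label the v3d and gpu device directories rather than their `uevent` files as the removed lines did, and because a genfscon path covers the whole subtree, every attribute beneath those directories — including any writable ones — now carries `sysfs_gpu`. That is acceptable as long as `gpu_access()` keeps `sysfs_gpu` read-only for its clients, so the comment should say so, e.g. `# Graphics: whole v3d/gpu sysfs subtrees (clients get read-only access via gpu_access())`. The `1002000000.v3d` and `axi:gpu` names are board-specific and presumably track a kernel or devicetree change that retired the old `v3dbus/fec00000.v3d` and `platform/gpu` paths; recording which kernel they were taken from would help the next bump avoid silently leaving the GPU's sysfs unlabelled.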
@@ -8,7 +8,5 @@
 allow cameraserver device:dir r_dir_perms;
 allow cameraserver video_device:dir r_dir_perms;
 allow cameraserver video_device:chr_file rw_file_perms;
-allow hal_camera_default gpu_device:dir { open read search };
-allow hal_camera_default gpu_device:chr_file { open read write ioctl map getattr };
-allow cameraserver gpu_device:dir { open read write search getattr };
-allow cameraserver gpu_device:chr_file { open read write ioctl map getattr };
+gpu_access(hal_camera_default)
+gpu_access(cameraserver)
diff --git a/sepolicy/mediaprovider.te b/sepolicy/mediaprovider.te
deleted file mode 100644
index 17b66a8..0000000
--- a/sepolicy/mediaprovider.te
+++ /dev/null
@@ -1 +0,0 @@
-gpu_access(surfaceflinger)
diff --git a/sepolicy/mediaswcodec.te b/sepolicy/mediaswcodec.te
index 57fb75c..ff9c5b5 100644
--- a/sepolicy/mediaswcodec.te
+++ b/sepolicy/mediaswcodec.te
@@ -1,2 +1 @@
 gpu_access(mediaswcodec)
-allow mediaswcodec gpu_device:chr_file { getattr ioctl map open read write };
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
index 15f04d3..f94fe2b 100644
--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -2,7 +2,8 @@
 # gpu_access(client_domain)
 # Allow client_domain to communicate with the GPU
 define(`gpu_access', `
-allow $1 gpu_device:dir { open read search getattr };
-allow $1 gpu_device:chr_file { open read getattr ioctl map write };
-allow $1 sysfs_gpu:file { getattr open read };
+allow $1 gpu_device:dir r_dir_perms;
+allow $1 gpu_device:chr_file rw_file_perms;
+allow $1 sysfs_gpu:dir r_dir_perms;
+allow $1 sysfs_gpu:file r_file_perms;
 ')
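Review bot: Replacing the four explicit rules with `gpu_access()` is not a pure refactor: cameraserver loses `write` on `gpu_device:dir`, and both cameraserver and hal_camera_default gain read access to `sysfs_gpu` that the removed lines never granted (the macro body is in `sepolicy/te_macros`, changed in this same patch). Dropping the directory `write` looks right, since nothing in these domains should be creating nodes under /dev/dri, but if it was added for an observed denial it needs an explicit `allow cameraserver gpu_device:dir write;` next to the macro call; confirm against the audit log rather than assuming equivalence. The commit message calls these "fixes" without saying which denials were fixed, so a short comment above the two macro calls naming the observed failure (e.g. camera preview needing DRM buffer import) would help the next reader judge whether the widening is still needed.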
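Review bot: Switching the macro body to `r_dir_perms`/`rw_file_perms`/`r_file_perms` widens what every `gpu_access()` client receives compared with the explicit sets it replaces: with AOSP's global_macros, `rw_file_perms` on the chr_file adds at least `append` and `lock` (plus `watch`/`watch_reads` on newer trees), and `r_dir_perms` adds `ioctl` and `lock` on the directory. The widening is small and matches how the platform itself grants GPU access, but this macro is now the single place that decides the DRM attack surface for hal_camera_default, cameraserver and mediaswcodec, so the permission set should be chosen deliberately rather than inherited from the convenience macros. The header comment should also describe what the macro now covers, e.g. `# Allow client_domain to open the DRM nodes under /dev/dri and read (only) the GPU's sysfs attributes`. Separately, deleting mediaprovider.te drops `gpu_access(surfaceflinger)`; that is only safe if surfaceflinger's GPU access comes from the platform policy, which I believe it does but is worth confirming on a booted device before relying on it.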