sepolicy: various fixes for graphics

sepolicy/file_contexts

@@ -17,12 +17,7 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.software          u:object_r:hal_gatekeeper_default_exec:s0
 
 # Graphics
-/dev/dri                                                                                u:object_r:gpu_device:s0
-/dev/dri/card0                                                                          u:object_r:gpu_device:s0
-/dev/dri/card1                                                                          u:object_r:gpu_device:s0
-/dev/dri/card2                                                                          u:object_r:gpu_device:s0
-/dev/dri/card3                                                                          u:object_r:gpu_device:s0
-/dev/dri/renderD128                                                                     u:object_r:gpu_device:s0
+/dev/dri(/.*)?                                                                          u:object_r:gpu_device:s0
 /vendor/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service\.minigbm_gbm_mesa    u:object_r:hal_graphics_allocator_default_exec:s0
 /vendor/lib(64)?/hw/android\.hardware\.graphics.mapper@4\.0-impl\.minigbm_gbm_mesa\.so  u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/hw/vulkan\.broadcom\.so                                                u:object_r:same_process_hal_file:s0
@@ -30,7 +25,7 @@
 /vendor/lib(64)?/libdrm\.so                                                             u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgallium_dri\.so                                                     u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libgbm_mesa\.so                                                        u:object_r:same_process_hal_file:s0
-/vendor/lib{64}?/libgbm_mesa_wrapper\.so                                                u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libgbm_mesa_wrapper\.so                                                u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libminigbm_gralloc_gbm_mesa\.so                                        u:object_r:same_process_hal_file:s0
 
 # Health

sepolicy/genfs_contexts

@@ -1,3 +1,6 @@
-genfscon sysfs /devices/platform/v3dbus/fec00000.v3d/uevent u:object_r:sysfs_gpu:s0
-genfscon sysfs /devices/platform/gpu/uevent u:object_r:sysfs_gpu:s0
-genfscon sysfs /firmware/devicetree/base/serial-number u:object_r:sysfs_dt_firmware_android:s0
+# Graphics
+genfscon sysfs /devices/platform/axi/1002000000.v3d  u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/platform/axi/axi:gpu         u:object_r:sysfs_gpu:s0
+
+# Serial number
+genfscon sysfs /firmware/devicetree/base/serial-number  u:object_r:sysfs_dt_firmware_android:s0

sepolicy/hal_camera.te

@@ -8,7 +8,5 @@ allow cameraserver device:dir r_dir_perms;
 allow cameraserver video_device:dir r_dir_perms;
 allow cameraserver video_device:chr_file rw_file_perms;
 
-allow hal_camera_default gpu_device:dir { open read search };
-allow hal_camera_default gpu_device:chr_file { open read write ioctl map getattr };
-allow cameraserver gpu_device:dir { open read write search getattr };
-allow cameraserver gpu_device:chr_file { open read write ioctl map getattr };
+gpu_access(hal_camera_default)
+gpu_access(cameraserver)

sepolicy/mediaprovider.te

@@ -1 +0,0 @@
-gpu_access(surfaceflinger)

sepolicy/mediaswcodec.te

@@ -1,2 +1 @@
 gpu_access(mediaswcodec)
-allow mediaswcodec gpu_device:chr_file { getattr ioctl map open read write };

sepolicy/te_macros

@@ -2,7 +2,8 @@
 # gpu_access(client_domain)
 # Allow client_domain to communicate with the GPU
 define(`gpu_access', `
-allow $1 gpu_device:dir { open read search getattr };
-allow $1 gpu_device:chr_file { open read getattr ioctl map write };
-allow $1 sysfs_gpu:file { getattr open read };
+allow $1 gpu_device:dir r_dir_perms;
+allow $1 gpu_device:chr_file rw_file_perms;
+allow $1 sysfs_gpu:dir r_dir_perms;
+allow $1 sysfs_gpu:file r_file_perms;
 ')