diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts index 0649da8..b180304 100644 --- a/sepolicy/file_contexts +++ b/sepolicy/file_contexts @@ -17,12 +17,7 @@ /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.software u:object_r:hal_gatekeeper_default_exec:s0 # Graphics -/dev/dri u:object_r:gpu_device:s0 -/dev/dri/card0 u:object_r:gpu_device:s0 -/dev/dri/card1 u:object_r:gpu_device:s0 -/dev/dri/card2 u:object_r:gpu_device:s0 -/dev/dri/card3 u:object_r:gpu_device:s0 -/dev/dri/renderD128 u:object_r:gpu_device:s0 +/dev/dri(/.*)? u:object_r:gpu_device:s0 /vendor/bin/hw/android\.hardware\.graphics\.allocator@4\.0-service\.minigbm_gbm_mesa u:object_r:hal_graphics_allocator_default_exec:s0 /vendor/lib(64)?/hw/android\.hardware\.graphics.mapper@4\.0-impl\.minigbm_gbm_mesa\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/hw/vulkan\.broadcom\.so u:object_r:same_process_hal_file:s0 @@ -30,7 +25,7 @@ /vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgallium_dri\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libgbm_mesa\.so u:object_r:same_process_hal_file:s0 -/vendor/lib{64}?/libgbm_mesa_wrapper\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libgbm_mesa_wrapper\.so u:object_r:same_process_hal_file:s0 /vendor/lib(64)?/libminigbm_gralloc_gbm_mesa\.so u:object_r:same_process_hal_file:s0 # Health diff --git a/sepolicy/genfs_contexts b/sepolicy/genfs_contexts index 6a3a935..a789cbd 100644 --- a/sepolicy/genfs_contexts +++ b/sepolicy/genfs_contexts 
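Review bot: The new `/dev/dri(/.*)?` entry in the first file_contexts hunk labels everything that ever appears under /dev/dri as `gpu_device`, where the removed lines named card0–card3 and renderD128 one by one. Because `gpu_access` in sepolicy/te_macros (changed in this same commit) grants `rw_file_perms` on `gpu_device:chr_file`, any further render node, card node or other entry a driver creates there is automatically readable, writable and ioctl-able by every client domain. If only the known node kinds are intended, narrower patterns such as `/dev/dri/card[0-9]+` and `/dev/dri/renderD[0-9]+` next to the plain `/dev/dri` directory entry keep that property without listing each index. Otherwise I would add a comment above the entry, e.g. `# wildcard is deliberate: all DRM nodes are exposed to gpu_access clients`.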
@@ -1,3 +1,6 @@ -genfscon sysfs /devices/platform/v3dbus/fec00000.v3d/uevent u:object_r:sysfs_gpu:s0 -genfscon sysfs /devices/platform/gpu/uevent u:object_r:sysfs_gpu:s0 -genfscon sysfs /firmware/devicetree/base/serial-number u:object_r:sysfs_dt_firmware_android:s0 +# Graphics +genfscon sysfs /devices/platform/axi/1002000000.v3d u:object_r:sysfs_gpu:s0 +genfscon sysfs /devices/platform/axi/axi:gpu u:object_r:sysfs_gpu:s0 + +# Serial number +genfscon sysfs /firmware/devicetree/base/serial-number u:object_r:sysfs_dt_firmware_android:s0 diff --git a/sepolicy/hal_camera.te b/sepolicy/hal_camera.te index aefd2fe..3a9e61f 100644 --- a/sepolicy/hal_camera.te +++ b/sepolicy/hal_camera.te @@ -8,7 +8,5 @@ allow cameraserver device:dir r_dir_perms; allow cameraserver video_device:dir r_dir_perms; allow cameraserver video_device:chr_file rw_file_perms; -allow hal_camera_default gpu_device:dir { open read search }; -allow hal_camera_default gpu_device:chr_file { open read write ioctl map getattr }; -allow cameraserver gpu_device:dir { open read write search getattr }; -allow cameraserver gpu_device:chr_file { open read write ioctl map getattr }; +gpu_access(hal_camera_default) +gpu_access(cameraserver) diff --git a/sepolicy/mediaprovider.te b/sepolicy/mediaprovider.te deleted file mode 100644 index 17b66a8..0000000 --- a/sepolicy/mediaprovider.te +++ /dev/null @@ -1 +0,0 @@ -gpu_access(surfaceflinger) diff --git a/sepolicy/mediaswcodec.te b/sepolicy/mediaswcodec.te index 57fb75c..ff9c5b5 100644 --- a/sepolicy/mediaswcodec.te +++ b/sepolicy/mediaswcodec.te @@ -1,2 +1 @@ gpu_access(mediaswcodec) -allow mediaswcodec gpu_device:chr_file { getattr ioctl map open read write }; diff --git a/sepolicy/te_macros b/sepolicy/te_macros index 15f04d3..f94fe2b 100644 --- a/sepolicy/te_macros +++ b/sepolicy/te_macros 
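Review bot: Both new `genfscon sysfs` entries in genfs_contexts name device directories (`/devices/platform/axi/1002000000.v3d`, `/devices/platform/axi/axi:gpu`) where the removed entries named only the `uevent` file, and genfscon matches by path prefix, so every attribute beneath those nodes now becomes `sysfs_gpu`. The `gpu_access` macro in this commit only reads that type, but any rule elsewhere in the policy that lets a domain write `sysfs_gpu` would now reach the whole subtree, which is worth confirming before merge. A comment such as `# prefix match: labels the whole device subtree; gpu_access grants read only` under `# Graphics` would record the intent. The old `v3dbus/fec00000.v3d` and `platform/gpu` paths are dropped as well; if this policy is shared with a board that still exposes them, those nodes presumably fall back to the default sysfs label.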
@@ -2,7 +2,8 @@
 # gpu_access(client_domain)
 # Allow client_domain to communicate with the GPU
 define(`gpu_access', `
-allow $1 gpu_device:dir { open read search getattr };
-allow $1 gpu_device:chr_file { open read getattr ioctl map write };
-allow $1 sysfs_gpu:file { getattr open read };
+allow $1 gpu_device:dir r_dir_perms;
+allow $1 gpu_device:chr_file rw_file_perms;
+allow $1 sysfs_gpu:dir r_dir_perms;
+allow $1 sysfs_gpu:file r_file_perms;
 ')
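Review bot: The header comment of `gpu_access` still says only `Allow client_domain to communicate with the GPU`, while the new body also grants directory and file read on `sysfs_gpu` and switches to the broader `r_dir_perms`/`rw_file_perms` sets. I would extend the comment, for example `# Grants read/write/ioctl on gpu_device nodes and read-only access to sysfs_gpu dirs and files.`, so that callers such as hal_camera.te and mediaswcodec.te can see what they inherit. `rw_file_perms` carries `ioctl` with no command filter; if the set of DRM ioctls the clients need is known, an `allowxperm` allowlist on `gpu_device:chr_file` would narrow it, though that needs checking against the drivers in use.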