From 67433cbc2b4baa22dc8c199a9b38cda9868948e3 Mon Sep 17 00:00:00 2001
From: Konsta
Date: Mon, 10 Nov 2025 16:23:54 +0200
Subject: [PATCH] sepolicy: graphics: address some denials

* Labeling vendor allocator libraries became necessary for some reason after moving minigbm gralloc to APEX.
* Address remaining drm_hwcomposer denials.
---
 sepolicy/file_contexts | 9 +++++----
 sepolicy/hal_graphics_composer_default.te | 2 ++
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index f59b76e..96d7965 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -6,10 +6,11 @@
 /data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0
 
 # Graphics
-/dev/dri(/.*)? u:object_r:gpu_device:s0
-/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libgallium_dri\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libui\.so u:object_r:same_process_hal_file:s0
+/dev/dri(/.*)? u:object_r:gpu_device:s0
+/vendor/lib64/android\.hardware\.graphics\.allocator@[2-4]\.0\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libdrm\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libgallium_dri\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libui\.so u:object_r:same_process_hal_file:s0
 
 # Partitions
 /dev/block/mmcblk0p1 u:object_r:boot_block_device:s0
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
index 3857e53..9c0c169 100644
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -1,3 +1,5 @@
 vndbinder_use(hal_graphics_composer_default)
 gpu_access(hal_graphics_composer_default)
 get_prop(hal_graphics_composer_default, vendor_hwc_config_prop)
+
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };
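Review bot: The new `android\.hardware\.graphics\.allocator@[2-4]\.0\.so` entry in sepolicy/file_contexts puts three interface libraries under `same_process_hal_file`, the type that base policy lets other domains map and execute in-process, while the commit message only says the label became necessary "for some reason". The entry should carry a comment naming the domain from the denial, for example `# Loaded in-process by <DOMAIN_FROM_AVC_DENIAL> since minigbm gralloc moved to APEX`, so a later audit can tell whether the label is still needed. If the denial named only one version, narrowing `[2-4]` to that version would keep the labelled set to what is actually loaded. The pattern covers `/vendor/lib64` only, which is consistent with the neighbouring entries.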
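Review bot: The added `allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };` rule in hal_graphics_composer_default.te has no comment saying what needs it, and a kobject uevent socket generally lets the composer HAL observe kernel device events beyond its own DRM node. Going by the commit message this is presumably drm_hwcomposer's hotplug listener, so a line such as `# drm_hwcomposer listens for DRM hotplug uevents` above the rule would record the justification once confirmed against the denial. The explicit three-permission list is narrower than a general socket macro and is worth keeping in that form.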