Label kgsl (graphics) nodes.
Created a new label and addressed the following denials.
* For system server
denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
* For surfaceflinger
denied { ioctl } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { read write } for pid=286 comm="SurfaceFlinger" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:device:s0 tclass=chr_file
* For app domains
denied { read write } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { open } for pid=800 comm="ndroid.systemui" name="kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
denied { ioctl } for pid=800 comm="ndroid.systemui" path="/dev/kgsl-3d0" dev="tmpfs" ino=8426 scontext=u:r:platform_app:s0 tcontext=u:object_r:device:s0 tclass=chr_file
Change-Id: I417bbd12fbdc17cd3d1110dcf3bff73dd5e385a4
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 1c19545..f4bd99c 100755
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -102,6 +102,10 @@
# The list below is order dependent
BOARD_SEPOLICY_UNION += \
+ app.te \
+ device.te \
rmt.te \
ueventd.te \
+ surfaceflinger.te \
+ system_server.te \
file_contexts
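Review bot: The four new `.te` entries are inserted into a list that the preceding comment calls order dependent, yet the placement (app.te and device.te before rmt.te, surfaceflinger.te and system_server.te after ueventd.te) is neither alphabetical nor explained, so a later maintainer cannot tell which constraint, if any, fixed these positions. If the order genuinely matters for how the union files are concatenated, the commit message or a comment here should state the rule; if it does not, the comment is misleading and the list could simply be kept sorted. A one-line comment such as `# union files are matched to core policy by name; listed alphabetically for readability` would settle it either way, once the actual build behaviour has been confirmed.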
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..eb71391
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,3 @@
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file rw_file_perms;
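Review bot: The rule on the last line grants `rw_file_perms` (which includes `ioctl`) on the GPU node to every domain carrying the `appdomain` attribute, while all of the denials quoted in the commit message come from a single source domain, `u:r:platform_app:s0` (the systemui process). On AOSP of this era `appdomain` is also carried by `untrusted_app` and `isolated_app`, so the grant is considerably wider than what was observed, and the kgsl ioctl interface is kernel code that becomes reachable from each of those domains. If that breadth is intentional the comment should say so explicitly, for example `# Intentionally covers untrusted_app and isolated_app: every Zygote-spawned app renders through the GPU.`; if the aim is only to resolve the observed denials, `allow platform_app gpu_device:chr_file rw_file_perms;` is the least-privilege fix and the wider grant can follow when other domains actually show denials.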
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..f29322b
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,2 @@
+# GPU (used by most UI apps)
+type gpu_device, dev_type;
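Review bot: The new `gpu_device` type is declared in device-local policy with no note that it is meant to be shared with, or may later be superseded by, the core policy this device builds against. A type declared in both places is a duplicate-declaration build error, and the comment `# GPU (used by most UI apps)` describes the consumers rather than the declaration's status. Suggest `# Device-local declaration; remove if core policy gains a gpu_device type.` so the collision is anticipated rather than discovered at build time.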
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 4de259d..fad561b 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,6 +1,10 @@
# Used by keystore to access trustzone
/dev/qseecom u:object_r:tee_device:s0
+###### GPU device (world r/w)
+/dev/kgsl-3d0 u:object_r:gpu_device:s0
+/dev/kgsl u:object_r:gpu_device:s0
+
# rmt_storage is a qualcomm specific daemon responsible
# for servicing modem filesystem requests.
/system/bin/rmt_storage u:object_r:rmt_exec:s0
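Review bot: The added comment `###### GPU device (world r/w)` is misleading in a file_contexts file: the label assigned on the two following lines grants nothing by itself, and the actual access is granted per domain (appdomain, surfaceflinger, system_server) in the `.te` files this commit adds, so "world r/w" can only refer to DAC mode bits set elsewhere and reads as if the MAC policy were wide open. Suggest `# GPU device nodes; access is granted per domain in app.te, surfaceflinger.te and system_server.te` and the file's plain `#` comment style rather than `######`. Separately, both entries are literal paths; the quoted denials only ever name `kgsl-3d0`, but if this kernel also exposes other `/dev/kgsl*` nodes they would stay labelled `device` and keep being denied, in which case a single `/dev/kgsl.*` pattern would be the more robust entry.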
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..8430fe1
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+# Grant GPU access to SurfaceFlinger
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
new file mode 100644
index 0000000..c100803
--- /dev/null
+++ b/sepolicy/system_server.te
@@ -0,0 +1,2 @@
+# Grant GPU access to system services (e.g., PowerManagerService)
+allow system_server gpu_device:chr_file rw_file_perms;
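Review bot: The grant on the last line is not backed by any denial in the commit message: the block headed "For system server" quotes the same three lines as "For app domains", all with `comm="ndroid.systemui"` and `scontext=u:r:platform_app:s0`, and no entry with `scontext=u:r:system_server:s0` appears anywhere. The comment names PowerManagerService as the consumer, but that is an inference rather than an observation, so this rule widens system_server's access to a kernel ioctl surface without evidence it is needed. Either replace the duplicated block in the commit message with the actual system_server denial, or drop this file (and its BoardConfigCommon.mk entry) until one is observed; if it is kept on expectation alone, the comment should say so, e.g. `# Pre-emptive: no denial observed yet; added for PowerManagerService GPU use.`.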