Grant GPU access to permissioncontroller_app

... which will be needed for Cuttlefish with Minigbm
Gralloc 4.

Bug: b/146515640
Bug: b/158011535
Test: launch_cvd && open permission manager
Change-Id: Ice7f4e02de4760e0cce2c5918079afccdb89c905
diff --git a/shared/sepolicy/system_ext/private/permissioncontroller_app.te b/shared/sepolicy/system_ext/private/permissioncontroller_app.te
new file mode 100644
index 0000000..845592a
--- /dev/null
+++ b/shared/sepolicy/system_ext/private/permissioncontroller_app.te
@@ -0,0 +1 @@
+gpu_access(permissioncontroller_app)
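Review bot: This new policy file gives `permissioncontroller_app` read/write/ioctl access to the GPU device node, but nothing in the file says why. The rationale exists only in the commit message. Someone auditing the policy later will not be able to tell whether the grant is still required or can be dropped. I would add a comment above the macro call, for example `# Needed for Cuttlefish with Minigbm Gralloc 4 (b/146515640, b/158011535).`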
diff --git a/shared/sepolicy/system_ext/private/te_macros b/shared/sepolicy/system_ext/private/te_macros
new file mode 100644
index 0000000..5c74dfa
--- /dev/null
+++ b/shared/sepolicy/system_ext/private/te_macros
@@ -0,0 +1,8 @@
+#####################################
+# gpu_access(client_domain)
+# Allow client_domain to communicate with the virgl GPU
+define(`gpu_access', `
+allow $1 gpu_device:dir { open read search };
+allow $1 gpu_device:chr_file { getattr ioctl map open read write };
+allow $1 graphics_device:chr_file { getattr };
+')
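Review bot: The `gpu_device:chr_file` rule grants `ioctl` with no `allowxperm` allowlist, so any domain passed to `gpu_access` can issue every ioctl command the GPU driver exposes, in addition to `write` and `map`. If the commands Minigbm needs are known, add an allowlist inside the macro, e.g. `allowxperm $1 gpu_device:chr_file ioctl { <IOCTL_LIST_PLACEHOLDER> };`. If they are not, say in the header comment that the unrestricted ioctl set is intentional. The header describes the "virgl GPU", but the rules target the generic `gpu_device` and `graphics_device` types. It should state that the macro applies to whatever is labelled with those types, and explain why `getattr` on `graphics_device` is needed.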