Allow HWC to be binderized
Test: manual
Bug: 32021609
Change-Id: Iaf0eca4f22c53802145ef08d7e6fd2416b2ecd79
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
new file mode 100644
index 0000000..36abbf5
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -0,0 +1,26 @@
+userdebug_or_eng(`
+ allow hal_graphics_composer_default diag_device:chr_file rw_file_perms;
+')
+
+# misc
+allow hal_graphics_composer_default display_data_file:dir create_dir_perms;
+allow hal_graphics_composer_default display_data_file:file create_file_perms;
+
+# persist
+allow hal_graphics_composer_default persist_file:dir search;
+
+# persist/display
+allow hal_graphics_composer_default persist_display_file:dir r_dir_perms;
+allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+
+# Binder access (for display.qservice)
+# TODO remove after the HAL is fixed
+binder_service(hal_graphics_composer_default)
+binder_use(hal_graphics_composer_default)
+allow hal_graphics_composer_default surfaceflinger_service:service_manager { add find };
+
+# HWC_UeventThread
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Access /sys/devices/virtual/graphics/fb0/mdp/caps and maybe others
+r_dir_file(hal_graphics_composer_default, sysfs_type)
