SELinux whitelist for GPU (/dev/kgsl-3d0) access on mako.

The GPU appears to be used by most UI-based apps as well as a couple
of UI-less entities, such as PowerManagerService and SurfaceFlinger.

Change-Id: I1060001c226f6a0cfc88a97efd236a3d626e02d1
diff --git a/BoardConfig.mk b/BoardConfig.mk
index c5d85a5..4cc6a7d 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -96,7 +96,11 @@
        device/lge/mako/sepolicy
 
 BOARD_SEPOLICY_UNION := \
-       file_contexts
+       app.te \
+       device.te \
+       file_contexts \
+       surfaceflinger.te \
+       system.te
 
 
 BOARD_CHARGER_ENABLE_SUSPEND := true
diff --git a/sepolicy/app.te b/sepolicy/app.te
new file mode 100644
index 0000000..eb71391
--- /dev/null
+++ b/sepolicy/app.te
@@ -0,0 +1,3 @@
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file rw_file_perms;
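Review bot: The rule on the last line grants every zygote-spawned domain, untrusted third-party apps included, read/write access to the GPU node, and `rw_file_perms` as defined in AOSP's global_macros expands to include `ioctl`, so this is a blanket grant of the kgsl driver's ioctl surface to third-party code rather than the narrow file access the comment suggests. That breadth is probably unavoidable for hardware-accelerated rendering, but the comment should state the trade-off so a later reader does not assume a narrower domain was considered and rejected: `# NOTE: rw_file_perms includes ioctl, so this exposes the kgsl driver's full ioctl surface to untrusted_app as well; required for GPU rendering.` If this tree's macro definition differs, confirm what `rw_file_perms` expands to before relying on that wording.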
diff --git a/sepolicy/device.te b/sepolicy/device.te
new file mode 100644
index 0000000..f29322b
--- /dev/null
+++ b/sepolicy/device.te
@@ -0,0 +1,2 @@
+# GPU (used by most UI apps)
+type gpu_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index e69de29..c27a81e 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -0,0 +1,2 @@
+# GPU device
+/dev/kgsl-3d0 u:object_r:gpu_device:s0
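Review bot: Only `/dev/kgsl-3d0` is relabeled, so any other node the kgsl driver creates would keep the generic device label and be unreachable under the new rules; whether mako exposes additional kgsl nodes is not visible from this patch, so confirm with `ls -Z /dev/kgsl*` on a device before deciding whether the entry should stay exact or become `/dev/kgsl.*`. Since the previous version of this file was the empty blob, this is also its first entry, and a one-line header noting that it is unioned with the core file_contexts would help the next person who adds a label here.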
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
new file mode 100644
index 0000000..8430fe1
--- /dev/null
+++ b/sepolicy/surfaceflinger.te
@@ -0,0 +1,2 @@
+# Grant GPU access to SurfaceFlinger
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/system.te b/sepolicy/system.te
new file mode 100644
index 0000000..676b2c0
--- /dev/null
+++ b/sepolicy/system.te
@@ -0,0 +1,2 @@
+# Grant GPU access to system apps (e.g., PowerManagerService)
+allow system gpu_device:chr_file rw_file_perms;
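Review bot: The comment on the first line describes the `system` domain as "system apps", but in the AOSP policy this patch appears to target, `system` is the domain of system_server (which is where PowerManagerService runs), while system apps run in `system_app`, which is part of `appdomain` and already covered by the rule in app.te. If that reading is right the rule is correct but the comment is misleading; change it to `# Grant GPU access to system_server (e.g., PowerManagerService)`. If `system` is genuinely meant to cover system apps here, the rule is redundant with the appdomain grant and should be dropped rather than documented.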