Move gpu_device type and rules to core policy.

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

app.te

@@ -74,6 +74,10 @@ allow appdomain qtaguid_proc:file rw_file_perms;
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
 
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.

device.te

@@ -17,6 +17,8 @@ type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;

surfaceflinger.te

@@ -15,6 +15,9 @@ binder_call(surfaceflinger, system_server)
 binder_service(surfaceflinger)
 allow surfaceflinger init:binder transfer;
 
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
 allow surfaceflinger graphics_device:chr_file rw_file_perms;

system_server.te

@@ -110,6 +110,7 @@ allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server graphics_device:dir search;
 allow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;