From 3ba9012535d8412d94db4ae9a5ce928b806e26d8 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 12 Dec 2013 09:09:53 -0500
Subject: [PATCH] Move gpu_device type and rules to core policy.

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 app.te            | 4 ++++
 device.te         | 2 ++
 surfaceflinger.te | 3 +++
 system_server.te  | 1 +
 4 files changed, 10 insertions(+)

diff --git a/app.te b/app.te
index fe0b25072..34f99e63f 100644
--- a/app.te
+++ b/app.te
@@ -74,6 +74,10 @@ allow appdomain qtaguid_proc:file rw_file_perms;
 # So allow all apps to read from /dev/xt_qtaguid.
 allow appdomain qtaguid_device:chr_file r_file_perms;
 
+# Grant GPU access to all processes started by Zygote.
+# They need that to render the standard UI.
+allow appdomain gpu_device:chr_file { rw_file_perms execute };
+
 # Use the Binder.
 binder_use(appdomain)
 # Perform binder IPC to binder services.
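Review bot: The `execute` permission in `allow appdomain gpu_device:chr_file { rw_file_perms execute };` is broader than the `rw_file_perms` this same patch grants to surfaceflinger and system_server, and the hunk's comment only says apps need GPU access, not why every app domain also needs execute on the device node. Since execute on a chr_file is what allows the node to be mapped with PROT_EXEC, the justification belongs next to the rule, e.g. `# execute: presumably required by drivers that mmap GPU memory PROT_EXEC; drop it if no supported driver needs it.` If only some GPU drivers need it, the core rule could stay at `rw_file_perms` and the execute grant move to the device-specific policy, keeping the default least-privilege for all Zygote-spawned processes.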
diff --git a/device.te b/device.te
index d13ca292d..5d3ba9c00 100644
--- a/device.te
+++ b/device.te
@@ -17,6 +17,8 @@ type console_device, dev_type;
 type cpuctl_device, dev_type;
 type fscklogs, dev_type;
 type full_device, dev_type;
+# GPU (used by most UI apps)
+type gpu_device, dev_type, mlstrustedobject;
 type graphics_device, dev_type;
 type hw_random_device, dev_type;
 type input_device, dev_type;
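Review bot: The new `type gpu_device, dev_type, mlstrustedobject;` line carries `mlstrustedobject`, which exempts the node from MLS constraints, but the comment `# GPU (used by most UI apps)` does not say why that exemption is needed. The reason is presumably that app domains running at different MLS levels must all open the same device node; that should be recorded, e.g. `# GPU; mlstrustedobject so apps at any MLS level can use it.` Note also that this patch only declares the type and adds no file_contexts entry, so the actual device node still has to be labeled by device-specific policy, which is worth a sentence in the comment or the commit message so nobody assumes the core type is already applied.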
diff --git a/surfaceflinger.te b/surfaceflinger.te
index f0c5d8efd..4f2838220 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -15,6 +15,9 @@ binder_call(surfaceflinger, system_server)
 binder_service(surfaceflinger)
 allow surfaceflinger init:binder transfer;
 
+# Access the GPU.
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
+
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
 allow surfaceflinger graphics_device:chr_file rw_file_perms;
diff --git a/system_server.te b/system_server.te
index f603ea310..2afafa6e1 100644
--- a/system_server.te
+++ b/system_server.te
@@ -110,6 +110,7 @@ allow system_server sysfs_nfc_power_writable:file rw_file_perms;
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server alarm_device:chr_file rw_file_perms;
+allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server graphics_device:dir search;
 allow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;
-- 
GitLab