Report graphics_device accesses by system_server or mediaserver.

See if we can remove these allow rules by auditing any granting of these permissions. These rules may be a legacy of older Android or some board where the gpu device lived under /dev/graphics too. Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Report graphics_device accesses by system_server or mediaserver.
See if we can remove these allow rules by auditing any granting of these permissions. These rules may be a legacy of older Android or some board where the gpu device lived under /dev/graphics too. Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
53cde700 · Stephen Smalley · 91a4f8d4 · 53cde700 · 53cde700
Commit 53cde700 authored 10 years ago by Stephen Smalley
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -24,6 +24,7 @@ allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
 allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
+auditallow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;

--- a/system_server.te
+++ b/system_server.te
@@ -152,6 +152,7 @@ allow system_server alarm_device:chr_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server graphics_device:dir search;
 allow system_server graphics_device:chr_file rw_file_perms;
+auditallow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;