From 53cde700cda6caad25ba06092fa850ff51dd2431 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 7 May 2014 14:57:27 -0400
Subject: [PATCH] Report graphics_device accesses by system_server or
 mediaserver.

See if we can remove these allow rules by auditing any granting
of these permissions.  These rules may be a legacy of older Android
or some board where the gpu device lived under /dev/graphics too.

Change-Id: I5c5d99ca97402de5196d9b6dfd249294f4d95baa
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 mediaserver.te   | 1 +
 system_server.te | 1 +
 2 files changed, 2 insertions(+)

diff --git a/mediaserver.te b/mediaserver.te
index cdd9772b9..1e3c41ae7 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -24,6 +24,7 @@ allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver sdcard_type:file write;
 allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
+auditallow mediaserver graphics_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
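Review bot: The added `auditallow mediaserver graphics_device:chr_file rw_file_perms;` has no comment marking it as a temporary probe, so a later reader of mediaserver.te cannot tell it from intended policy or know when it may be dropped. The same applies to the matching line in the system_server.te hunk. I would put a comment directly above it, such as `# Temporary: log granted graphics_device access to decide whether the allow above can be narrowed to gpu_device.` Because `rw_file_perms` is a broad set, a device that is actually in use could presumably generate a large volume of granted-AVC records, so the comment should also say how long the audit is meant to stay.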
diff --git a/system_server.te b/system_server.te
index 7a8979a90..bd6c88ed0 100644
--- a/system_server.te
+++ b/system_server.te
@@ -152,6 +152,7 @@ allow system_server alarm_device:chr_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server graphics_device:dir search;
 allow system_server graphics_device:chr_file rw_file_perms;
+auditallow system_server graphics_device:chr_file rw_file_perms;
 allow system_server iio_device:chr_file rw_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
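Review bot: The `allow system_server graphics_device:dir search;` rule two lines above the new `auditallow` is left unaudited, so the logs will show chr_file use but not whether the directory search grant is still exercised. If the aim is to retire all graphics_device access for system_server, adding `auditallow system_server graphics_device:dir search;` next to the new line would cover it. An absence of audit records only reflects the boards and workloads that were actually run, so the eventual removal should record which devices were checked.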
-- 
GitLab