diff options
| author | Praneeth Bajjuri | 2018-11-02 01:48:03 -0500 |
|---|---|---|
| committer | Praneeth Bajjuri | 2018-11-02 16:22:14 -0500 |
| commit | 8e1eb31f420a4aa97a9fdbc12a7862d101383728 (patch) | |
| tree | da965de9a25911a01c355625cdee368f87c7ce6e | |
| parent | 410af69d8661d13790b31ec6f20bbac4e566ae6b (diff) | |
| download | device-ti-am65xevm-8e1eb31f420a4aa97a9fdbc12a7862d101383728.tar.gz device-ti-am65xevm-8e1eb31f420a4aa97a9fdbc12a7862d101383728.tar.xz device-ti-am65xevm-8e1eb31f420a4aa97a9fdbc12a7862d101383728.zip | |
sepolicy: Add policy for ion_device
pvr and graphics services uses ion_device now,
update sepolicy to fix denials
Signed-off-by: Praneeth Bajjuri <praneeth@ti.com>
| -rw-r--r-- | sepolicy/hal_graphics_allocator_default.te | 1 | ||||
| -rw-r--r-- | sepolicy/hal_graphics_composer_default.te | 1 | ||||
| -rw-r--r-- | sepolicy/pvr.te | 3 | ||||
| -rw-r--r-- | sepolicy/surfaceflinger.te | 2 |
4 files changed, 7 insertions, 0 deletions
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te new file mode 100644 index 0000000..02c6d78 --- /dev/null +++ b/sepolicy/hal_graphics_allocator_default.te | |||
| @@ -0,0 +1 @@ | |||
| allow hal_graphics_allocator_default ion_device:chr_file write; | |||
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te index 457f945..2a0a6dd 100644 --- a/sepolicy/hal_graphics_composer_default.te +++ b/sepolicy/hal_graphics_composer_default.te | |||
| @@ -1,2 +1,3 @@ | |||
| 1 | vndbinder_use(hal_graphics_composer_default); | 1 | vndbinder_use(hal_graphics_composer_default); |
| 2 | allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; | 2 | allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; |
| 3 | allow hal_graphics_composer_default ion_device:chr_file write; | ||
diff --git a/sepolicy/pvr.te b/sepolicy/pvr.te index 83b3406..53ac238 100644 --- a/sepolicy/pvr.te +++ b/sepolicy/pvr.te | |||
| @@ -8,6 +8,9 @@ init_daemon_domain(pvr) | |||
| 8 | # allow access to /dev/dri/ | 8 | # allow access to /dev/dri/ |
| 9 | allow pvr gpu_device:chr_file rw_file_perms; | 9 | allow pvr gpu_device:chr_file rw_file_perms; |
| 10 | 10 | ||
| 11 | # Access /dev/ion | ||
| 12 | allow pvr ion_device:chr_file rw_file_perms; | ||
| 13 | |||
| 11 | # allow graphics driver initialization | 14 | # allow graphics driver initialization |
| 12 | allow pvr self:capability sys_module; | 15 | allow pvr self:capability sys_module; |
| 13 | allow pvr vendor_file:system module_load; | 16 | allow pvr vendor_file:system module_load; |
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te new file mode 100644 index 0000000..fd7dc3f --- /dev/null +++ b/sepolicy/surfaceflinger.te | |||
| @@ -0,0 +1,2 @@ | |||
| 1 | hal_server_domain(surfaceflinger, hal_graphics_allocator); | ||
| 2 | allow surfaceflinger ion_device:chr_file write; | ||