Merge changes I3f66d4ac,Id9867590,I38026ed8,I27ae1b24,I6497aeb2, ... into rvc-dev am: 38a2c4d1de

Change-Id: Id3e8155215dc7adfce8a685fecfa1b4d5dea32fc
diff --git a/shared/sepolicy/vendor/cameraserver.te b/shared/sepolicy/vendor/cameraserver.te
index 240026b..94146e1 100644
--- a/shared/sepolicy/vendor/cameraserver.te
+++ b/shared/sepolicy/vendor/cameraserver.te
@@ -1,2 +1,4 @@
 # Read GCE initial metadata file
 allow cameraserver initial_metadata_file:file r_file_perms;
+
+gpu_access(cameraserver)
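Review bot: The added `gpu_access(cameraserver)` carries no comment saying why cameraserver needs the GPU device, unlike the commented rule above it in the same file. I would put a line such as `# Allow cameraserver to use the virgl GPU (reason: <fill in>)` above the macro call, so a later policy audit can tell whether the grant is still required. The same applies to the bare macro calls added in hal_camera_default.te, mediacodec.te, mediaserver.te and mediaswcodec.te.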
diff --git a/shared/sepolicy/vendor/ephemeral_app.te b/shared/sepolicy/vendor/ephemeral_app.te
new file mode 100644
index 0000000..92fcef6
--- /dev/null
+++ b/shared/sepolicy/vendor/ephemeral_app.te
@@ -0,0 +1 @@
+gpu_access(ephemeral_app)
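Review bot: `ephemeral_app` receives the same full `gpu_access` grant as the camera and media services, and this new one-line file gives no reason for it. If this domain runs third-party instant-app code, as its name suggests, it is the least trusted caller of the macro in this commit. With the te_macros change in the same commit, the grant also includes `ioctl` and `map` on `gpu_device`. A header comment such as `# Instant apps render through the virgl GPU; see gpu_access in te_macros` would record the intent. It is also worth confirming where the other app domains get this access, since no such rule is visible in this diff.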
diff --git a/shared/sepolicy/vendor/hal_camera_default.te b/shared/sepolicy/vendor/hal_camera_default.te
index 67c0ddc..2442d83 100644
--- a/shared/sepolicy/vendor/hal_camera_default.te
+++ b/shared/sepolicy/vendor/hal_camera_default.te
@@ -9,3 +9,5 @@
 # For camera hal to talk with sensor service
 binder_call(hal_camera_default, sensor_service_server)
 binder_call(sensor_service_server, hal_camera_default)
+
+gpu_access(hal_camera_default)
diff --git a/shared/sepolicy/vendor/mediacodec.te b/shared/sepolicy/vendor/mediacodec.te
index e26f128..dcb0a03 100644
--- a/shared/sepolicy/vendor/mediacodec.te
+++ b/shared/sepolicy/vendor/mediacodec.te
@@ -1 +1,3 @@
 allow mediacodec system_file:dir r_dir_perms;
+
+gpu_access(mediacodec)
diff --git a/shared/sepolicy/vendor/mediaserver.te b/shared/sepolicy/vendor/mediaserver.te
new file mode 100644
index 0000000..922af2c
--- /dev/null
+++ b/shared/sepolicy/vendor/mediaserver.te
@@ -0,0 +1 @@
+gpu_access(mediaserver)
diff --git a/shared/sepolicy/vendor/mediaswcodec.te b/shared/sepolicy/vendor/mediaswcodec.te
new file mode 100644
index 0000000..ff9c5b5
--- /dev/null
+++ b/shared/sepolicy/vendor/mediaswcodec.te
@@ -0,0 +1 @@
+gpu_access(mediaswcodec)
diff --git a/shared/sepolicy/vendor/te_macros b/shared/sepolicy/vendor/te_macros
index d49e378..c4f26eb 100644
--- a/shared/sepolicy/vendor/te_macros
+++ b/shared/sepolicy/vendor/te_macros
@@ -3,7 +3,7 @@
 # Allow client_domain to communicate with the virgl GPU
 define(`gpu_access', `
 allow $1 gpu_device:dir { open read search };
-allow $1 gpu_device:chr_file { getattr read write };
+allow $1 gpu_device:chr_file { getattr ioctl map open read write };
 allow $1 graphics_device:chr_file { getattr };
 allow $1 sysfs_gpu:file { getattr open read };
 ')
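Review bot: The new permission set on `gpu_device:chr_file` adds `ioctl` with no extended-permission filter, so every domain that calls `gpu_access` may issue any ioctl command the GPU driver implements. If the commands the virgl clients actually need are known, the macro could restrict them with `allowxperm $1 gpu_device:chr_file ioctl { <GPU_IOCTL_LIST> };` (placeholder; the command list is not on this page). That would keep the rest of the driver's ioctl surface out of reach of callers such as ephemeral_app and mediaswcodec. The macro's header comment could also say why `open`, `map` and `ioctl` are required, since the previous rule granted only `getattr read write`.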