Update sepolicy
am: 769f24f32a

Change-Id: Ie7af9d6f91cfa219cd4f97a0e6e45474ced02a32
diff --git a/shared/sepolicy/vendor/bootanim.te b/shared/sepolicy/vendor/bootanim.te
index 1d18244..9ac7954 100644
--- a/shared/sepolicy/vendor/bootanim.te
+++ b/shared/sepolicy/vendor/bootanim.te
@@ -3,4 +3,4 @@
 allow bootanim kernel:fd use;
 
 allow bootanim self:process execmem;
-virgl_access(bootanim)
+gpu_access(bootanim)
diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
index 88c8124..d8888e8 100644
--- a/shared/sepolicy/vendor/file_contexts
+++ b/shared/sepolicy/vendor/file_contexts
@@ -16,8 +16,9 @@
 /dev/block/vda6  u:object_r:system_block_device:s0
 /dev/block/vda7  u:object_r:system_block_device:s0
 /dev/block/zram0  u:object_r:swap_block_device:s0
+/dev/dri u:object_r:gpu_device:s0
 /dev/dri/card0  u:object_r:graphics_device:s0
-/dev/dri/renderD128  u:object_r:graphics_device:s0
+/dev/dri/renderD128  u:object_r:gpu_device:s0
 /dev/e2e_managed  u:object_r:region_e2e_test_device:s0
 /dev/e2e_manager  u:object_r:region_e2e_test_device:s0
 /dev/e2e_primary  u:object_r:region_e2e_test_device:s0
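Review bot: The added `/dev/dri u:object_r:gpu_device:s0` entry separates path and context with a single space while every neighbouring entry uses two; keep the column layout consistent, `/dev/dri  u:object_r:gpu_device:s0`. Because file_contexts patterns are anchored regexes, that entry labels only the directory itself, which is what the `gpu_device:dir` rule in te_macros needs, but only `renderD128` is relabelled to `gpu_device`, so if the virtual GPU can ever enumerate a second render node it would keep whatever generic `/dev` label applies and fall outside `gpu_access` — worth confirming against the crosvm/qemu device configuration before relying on one fixed node name. `card0` stays `graphics_device`, which is consistent with the `getattr`-only rule the macro adds for that type.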
diff --git a/shared/sepolicy/vendor/genfs_contexts b/shared/sepolicy/vendor/genfs_contexts
index c8974cd..4658545 100644
--- a/shared/sepolicy/vendor/genfs_contexts
+++ b/shared/sepolicy/vendor/genfs_contexts
@@ -7,8 +7,8 @@
 genfscon sysfs /devices/pci0000:00/0000:00:0a.0/virtio8/net u:object_r:sysfs_net:s0 # (old) qemu rmnet0
 genfscon sysfs /devices/pci0000:00/0000:00:0b.0/virtio10/net u:object_r:sysfs_net:s0 # (old) crosvm buried_eth0 & wlan0
 genfscon sysfs /devices/pci0000:00/0000:00:0c.0/virtio11/net u:object_r:sysfs_net:s0 # (old) crosvm rmnet0
-genfscon sysfs /devices/pci0000:00/0000:00:0d.0/device u:object_r:sysfs_gpu:s0
-genfscon sysfs /devices/pci0000:00/0000:00:0d.0/subsystem_device u:object_r:sysfs_gpu:s0
-genfscon sysfs /devices/pci0000:00/0000:00:0d.0/subsystem_vendor u:object_r:sysfs_gpu:s0
-genfscon sysfs /devices/pci0000:00/0000:00:0d.0/uevent u:object_r:sysfs_gpu:s0
-genfscon sysfs /devices/pci0000:00/0000:00:0d.0/vendor u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/pci0000:00/0000:00:0b.0/device u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/pci0000:00/0000:00:0b.0/subsystem_device u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/pci0000:00/0000:00:0b.0/subsystem_vendor u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/pci0000:00/0000:00:0b.0/uevent u:object_r:sysfs_gpu:s0
+genfscon sysfs /devices/pci0000:00/0000:00:0b.0/vendor u:object_r:sysfs_gpu:s0
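Review bot: The sysfs_gpu entries are now keyed to the fixed PCI slot `0000:00:0b.0`, and the unchanged line three above labels `0000:00:0b.0/virtio10/net` as `sysfs_net` with an `(old) crosvm` comment, so the same slot is presumed to hold the GPU in one VM configuration and a virtio-net device in another. genfscon matches by path prefix, so there is no syntactic conflict, but the labels are only right when the device enumeration order matches; if slot assignment differs between qemu and crosvm, as the existing `(old)` comments suggest it has before, the GPU attributes end up unlabelled or an unrelated device receives `sysfs_gpu`. A trailing comment in the same style as the neighbouring lines, e.g. `# crosvm virtio-gpu`, would at least record which VMM and device this slot is expected to be.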
diff --git a/shared/sepolicy/vendor/hal_graphics_allocator_default.te b/shared/sepolicy/vendor/hal_graphics_allocator_default.te
index dc6540d..00f38cc 100644
--- a/shared/sepolicy/vendor/hal_graphics_allocator_default.te
+++ b/shared/sepolicy/vendor/hal_graphics_allocator_default.te
@@ -1 +1 @@
-virgl_access(hal_graphics_allocator_default)
+gpu_access(hal_graphics_allocator_default)
diff --git a/shared/sepolicy/vendor/hal_graphics_composer.te b/shared/sepolicy/vendor/hal_graphics_composer.te
index 23294c5..5b4f974 100644
--- a/shared/sepolicy/vendor/hal_graphics_composer.te
+++ b/shared/sepolicy/vendor/hal_graphics_composer.te
@@ -3,7 +3,7 @@
 allow hal_graphics_composer_server hal_graphics_allocator_default_tmpfs:file read;
 allow hal_graphics_composer_server region_screen_device:chr_file rw_file_perms;
 allow hal_graphics_composer_server self:{ socket vsock_socket } create_socket_perms_no_ioctl;
-virgl_access(hal_graphics_composer_server)
+gpu_access(hal_graphics_composer_server)
 
 get_prop(hal_graphics_composer_server, vsock_frames_port_prop)
 get_prop(hal_graphics_composer_server, cuttlefish_config_server_port_prop)
diff --git a/shared/sepolicy/vendor/hal_graphics_composer_default.te b/shared/sepolicy/vendor/hal_graphics_composer_default.te
index 9c310f6..6b89710 100644
--- a/shared/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/shared/sepolicy/vendor/hal_graphics_composer_default.te
@@ -1,3 +1,4 @@
 vndbinder_use(hal_graphics_composer_default)
 
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };
+get_prop(hal_graphics_composer_default, cf_graphics_config_prop)
diff --git a/shared/sepolicy/vendor/platform_app.te b/shared/sepolicy/vendor/platform_app.te
index a45cc41..775e964 100644
--- a/shared/sepolicy/vendor/platform_app.te
+++ b/shared/sepolicy/vendor/platform_app.te
@@ -1 +1 @@
-virgl_access(platform_app)
+gpu_access(platform_app)
diff --git a/shared/sepolicy/vendor/priv_app.te b/shared/sepolicy/vendor/priv_app.te
index e7615ba..05c9e47 100644
--- a/shared/sepolicy/vendor/priv_app.te
+++ b/shared/sepolicy/vendor/priv_app.te
@@ -1 +1 @@
-virgl_access(priv_app)
+gpu_access(priv_app)
diff --git a/shared/sepolicy/vendor/property_contexts b/shared/sepolicy/vendor/property_contexts
index 25d65b0..5127c67 100644
--- a/shared/sepolicy/vendor/property_contexts
+++ b/shared/sepolicy/vendor/property_contexts
@@ -14,3 +14,6 @@
 sys.cf.ser.  u:object_r:sys_cf_ser_prop:s0
 vendor.ser.  u:object_r:vendor_ser_prop:s0
 vendor.vsock_logcat_status  u:object_r:vsock_logcat_status_prop:s0
+hwc.drm.device u:object_r:cf_graphics_config_prop:s0 exact string
+hwc.drm.exclude_non_hwfb_imports u:object_r:cf_graphics_config_prop:s0 exact int
+hwc.drm.use_overlay_planes u:object_r:cf_graphics_config_prop:s0 exact int
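Review bot: The three new properties `hwc.drm.device`, `hwc.drm.exclude_non_hwfb_imports` and `hwc.drm.use_overlay_planes` get a vendor-owned context but sit outside the `vendor.` namespace; on releases where the vendor property namespace check is enforced this fails the build, and the existing `sys.cf.ser.` line suggests this tree is not yet subject to it, so worth confirming before merging. The read side is consistent: `hal_graphics_composer_default.te` gains `get_prop(hal_graphics_composer_default, cf_graphics_config_prop)` for exactly these. Nothing in this diff grants `set_prop` on `cf_graphics_config_prop`, so presumably only init writes them; since `hwc.drm.device` selects the device path the composer opens, it should stay that way rather than being opened up to other domains later.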
diff --git a/shared/sepolicy/vendor/surfaceflinger.te b/shared/sepolicy/vendor/surfaceflinger.te
index 82268fb..05774e7 100644
--- a/shared/sepolicy/vendor/surfaceflinger.te
+++ b/shared/sepolicy/vendor/surfaceflinger.te
@@ -2,4 +2,4 @@
 
 # Read GCE initial metadata file
 allow surfaceflinger initial_metadata_file:file r_file_perms;
-virgl_access(surfaceflinger)
+gpu_access(surfaceflinger)
diff --git a/shared/sepolicy/vendor/system_app.te b/shared/sepolicy/vendor/system_app.te
index 24ab4fb..4a85066 100644
--- a/shared/sepolicy/vendor/system_app.te
+++ b/shared/sepolicy/vendor/system_app.te
@@ -1 +1 @@
-virgl_access(system_app)
+gpu_access(system_app)
diff --git a/shared/sepolicy/vendor/system_server.te b/shared/sepolicy/vendor/system_server.te
index e74e714..23497fc 100644
--- a/shared/sepolicy/vendor/system_server.te
+++ b/shared/sepolicy/vendor/system_server.te
@@ -5,4 +5,4 @@
 # (system/sepolicy) contains a corresponding neverallow which would cause build-time errors if the
 # allow execmem rule were added here.
 permissive system_server;
-virgl_access(system_server)
+gpu_access(system_server)
diff --git a/shared/sepolicy/vendor/te_macros b/shared/sepolicy/vendor/te_macros
index cad8d3f..d49e378 100644
--- a/shared/sepolicy/vendor/te_macros
+++ b/shared/sepolicy/vendor/te_macros
@@ -1,7 +1,9 @@
 #####################################
-# virgl_access(client_domain)
+# gpu_access(client_domain)
 # Allow client_domain to communicate with the virgl GPU
-define(`virgl_access', `
+define(`gpu_access', `
 allow $1 gpu_device:dir { open read search };
+allow $1 gpu_device:chr_file { getattr read write };
+allow $1 graphics_device:chr_file { getattr };
 allow $1 sysfs_gpu:file { getattr open read };
 ')
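Review bot: The new rule `allow $1 gpu_device:chr_file { getattr read write };` grants neither `open` nor `ioctl` (nor `map`), so a client that does not already hold those from platform policy cannot open(2) the render node or drive it through this macro alone, and DRM render nodes are used almost entirely through ioctl and mmap. If every caller already receives those permissions from system/sepolicy, the vendor line is redundant and the macro could be reduced to the dir and sysfs rules; if not, it needs `open`, `ioctl` and `map`, preferably with an `allowxperm` ioctl allowlist rather than unrestricted `ioctl`. Note that the macro is expanded into `untrusted_app_all.te`, `platform_app.te`, `priv_app.te` and `system_app.te` as well as the HAL and system domains, so whatever it ends up granting reaches third-party app code. The header comment still reads `# Allow client_domain to communicate with the virgl GPU`; now that the macro is `gpu_access` and targets a generic DRM render node, `# Allow client_domain to open the DRM render node (gpu_device), stat the card node and read the GPU sysfs attributes` would match what the rules do.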
diff --git a/shared/sepolicy/vendor/untrusted_app_all.te b/shared/sepolicy/vendor/untrusted_app_all.te
index 8d4fda2..c429fc2 100644
--- a/shared/sepolicy/vendor/untrusted_app_all.te
+++ b/shared/sepolicy/vendor/untrusted_app_all.te
@@ -1 +1 @@
-virgl_access(untrusted_app_all)
+gpu_access(untrusted_app_all)