Create 2 new device types for sepolicy.

nvhost_writable_device : used to label nvhost dev
nodes that are world readable/writable.

nvhost_device : used to label other nvhost dev
nodes that are not world readable/writable.

Also added policy to address the following denials which
were consistent across scontext= appdomain, system_server,
surfaceflinger and mediaserver.

<5>[  151.537760] type=1400 audit(1379552992.957:156): avc:  denied  { read write } for  pid=1086 comm="d.gameday.atbat" name="nvhost-ctrl"dev=tmpfs ino=5351 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:nvhost_writable_device:s0 tclass=chr_file
<5>[  151.538026] type=1400 audit(1379552992.957:157): avc:  denied  { open } for  pid=1086 comm="d.gameday.atbat" name="nvhost-ctrl" dev=tmpfs ino=5351 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:nvhost_writable_device:s0 tclass=chr_file
<5>[  151.538276] type=1400 audit(1379552992.957:158): avc:  denied  { ioctl } for  pid=1086 comm="d.gameday.atbat" path="/dev/nvhost-ctrl"dev=tmpfs ino=5351 scontext=u:r:untrusted_app:s0 tcontext=u:object_r:nvhost_writable_device:s0 tclass=chr_file

There are no new allow rules for the nvhost_device domain.
It was only used to distinguish among the nv* labels.

Change-Id: Ia07c5525ddc4d8a61c3437965da9e3862e6955d6
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/sepolicy/device.te b/sepolicy/device.te
index b997573..5887d3d 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -1,4 +1,6 @@
 type knv_device, dev_type;
+type nvhost_writable_device, dev_type, mlstrustedobject;
+type nvhost_device, dev_type;
 type elan_ip_device, dev_type;
 type sensors_block_device, dev_type;
 type sysfs_devices_tegradc, dev_type;
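Review bot: the `mlstrustedobject` attribute on the added `nvhost_writable_device` line has no stated justification. The denials quoted in the commit message show both scontext and tcontext at s0, so they do not by themselves show an MLS constraint being hit. Because the attribute exempts the object from MLS checks for every subject, either drop it or add a comment above the declaration naming the cross-level access that requires it. A short comment over the two new types stating the split the commit message describes (world readable/writable nodes versus the rest) would also help, since `nvhost_device` is said to carry no allow rules and its purpose is not evident from device.te alone.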