WIP: sepolicy: mostly fixup graphics denials
Still not done: the device still needs androidboot.selinux=permissive to reach the UI.
~#============= platform_app ==============
~#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.
~#Constraint rule:
~# mlsconstrain file { write setattr append unlink link rename } ((t2 == app_data_file_type -Fail-) or (t2 == appdomain_tmpfs -Fail-) or (l1 eq l2 -Fail-) or (t1 == mlstrustedsubject -Fail-) or (t2 == mlstrustedobject -Fail-) ); Constraint DENIED
~# Possible cause is the source level (s0:c512,c768) and target level (s0) are different.
allow platform_app hal_graphics_allocator_default_tmpfs:file write;
allow platform_app tmpfs:file { read write };
diff --git a/sepolicy/bootanim.te b/sepolicy/bootanim.te
index e8e7494..96fd94b 100644
--- a/sepolicy/bootanim.te
+++ b/sepolicy/bootanim.te
@@ -1 +1,2 @@
gpu_access(bootanim)
+allow bootanim hal_graphics_allocator_default_tmpfs:file { read write };
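Review bot: The added rule grants only `read write` on the allocator's tmpfs files, yet buffers handed out by a gralloc HAL are normally mmap'd by the consumer, so a `map` denial (and possibly `getattr`) is likely to surface on these same domains once the device leaves permissive mode; the commit's own note that permissive is still required is consistent with that. I would re-collect denials in enforcing mode before treating this rule as complete, and if `map` does show up, the rule becomes `allow bootanim hal_graphics_allocator_default_tmpfs:file { getattr map read write };` rather than a second rule per domain. The same observation applies to the platform_app, priv_app, surfaceflinger, system_app and system_server hunks, which add the identical `{ read write }` set. If the base policy already grants allocator clients this access through a client attribute (as AOSP does for hal_graphics_allocator clients), these per-domain rules may be redundant; worth checking before landing.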
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/hal_graphics_composer_default.te
index 56e03aa..aca7085 100644
--- a/sepolicy/hal_graphics_composer_default.te
+++ b/sepolicy/hal_graphics_composer_default.te
@@ -2,6 +2,7 @@
vndbinder_use(hal_graphics_composer_default)
allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read };
+allow hal_graphics_composer_default hal_graphics_allocator_default_tmpfs:file write;
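Review bot: This rule grants `write` only, while every other domain in the commit gets `{ read write }` on hal_graphics_allocator_default_tmpfs files; a compositor that writes into a gralloc buffer without ever reading one is unusual, so this looks like it reflects the one denial seen so far rather than the intended access set. If the write-only grant is deliberate, a short comment above it saying so (e.g. `# composer only writes into allocator buffers; read was never observed`) would stop the next maintainer from "fixing" it; otherwise align it with the other domains. The surrounding file continues outside the hunk on both sides.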
# Suppress warnings for drm_hwcomposer trying to read some vendor.hwc.*
# properties as dragonboard never configures these properties.
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 775e964..125db4c 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1 +1,3 @@
+allow platform_app hal_graphics_allocator_default_tmpfs:file { read write };
+
gpu_access(platform_app)
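Review bot: The added `allow platform_app ... { read write }` cannot by itself clear the platform_app denial quoted in the commit description, because audit2allow reports it as an MLS constraint violation (source level s0:c512,c768 versus target level s0), and allow rules are evaluated independently of mlsconstrain. The constraint text lists the ways out: the target type carrying `mlstrustedobject` or the source carrying `mlstrustedsubject`; of the two, `typeattribute hal_graphics_allocator_default_tmpfs mlstrustedobject;` is the narrower change since it affects only that type rather than everything platform_app touches, at the cost of letting any app category reach those buffers, so the allow set on it should stay minimal. The same constraint presumably applies to any other app domain that runs with categories (priv_app at least), even though the description only shows the platform_app denial. Until that is addressed the commit's "still needs permissive" caveat will remain true for app domains.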
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 05c9e47..be01a5a 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1 +1,3 @@
+allow priv_app hal_graphics_allocator_default_tmpfs:file { read write };
+
gpu_access(priv_app)
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 17b66a8..7b5d737 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1 +1,2 @@
gpu_access(surfaceflinger)
+allow surfaceflinger hal_graphics_allocator_default_tmpfs:file { read write };
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 4a85066..6a2112d 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,3 @@
+allow system_app hal_graphics_allocator_default_tmpfs:file { read write };
+
gpu_access(system_app)
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 80957cc..d9a25f9 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1 +1,3 @@
+allow system_server hal_graphics_allocator_default_tmpfs:file { read write };
+
gpu_access(system_server)
diff --git a/sepolicy/te_macros b/sepolicy/te_macros
index c7d2715..a50bec1 100644
--- a/sepolicy/te_macros
+++ b/sepolicy/te_macros
@@ -7,5 +7,4 @@
allow $1 gpu_device:chr_file { getattr ioctl map open read write };
allow $1 graphics_device:chr_file { getattr };
allow $1 sysfs_gpu:file { getattr open read };
-allow $1 hal_graphics_allocator_default_tmpfs:file { read write };
')
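Review bot: Dropping the tmpfs rule from gpu_access() silently removes that access from every other caller of the macro that this commit does not touch; the six domains updated here are those the author hit denials for, but any further gpu_access() user elsewhere in the policy now loses `{ read write }` on allocator buffers with no corresponding denial fix. The macro body begins before the hunk, so I cannot see its full caller contract, but if the goal is to separate GPU device access from allocator-buffer access, a second macro (for example `gralloc_buffer_access($1)` wrapping the removed line) would keep the six new per-domain rules from being copy-pasted and make the split explicit. Either way the commit message should state why the rule was moved out of the macro, since the diff alone reads as a behaviour regression for untouched callers.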