sepolicy: basic: non_plat: Add rules for MediaTek GPU HAL
* Dropped in S sepolicy but we need it since we have
  blobs from R.

Signed-off-by: bengris32 <bengris32@protonmail.ch>
Change-Id: Ifb8fa7d8e28b1d74c1bf3ea6b817afd3c84a90c6
diff --git a/basic/non_plat/file_contexts b/basic/non_plat/file_contexts
index 4a8d032..9614e2f 100644
--- a/basic/non_plat/file_contexts
+++ b/basic/non_plat/file_contexts
@@ -716,6 +716,10 @@
 # Google Trusty system files
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0
 
+# gpu hal
+/(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.gpu@1\.0-service u:object_r:mtk_hal_gpu_exec:s0
+/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0.so u:object_r:same_process_hal_file:s0
+
 # MTEE keymaster4.0/4.1 system files
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service\.mtee u:object_r:hal_keymaster_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.1-service\.mtee u:object_r:hal_keymaster_default_exec:s0
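Review bot: The added library pattern ending in `gpu@1\.0.so` leaves the dot before `so` unescaped, so it matches any character there rather than a literal dot. Writing it as `/vendor/lib(64)?/vendor\.mediatek\.hardware\.gpu@1\.0\.so u:object_r:same_process_hal_file:s0` labels only the intended file, which matters because `same_process_hal_file` makes the library loadable into client processes. The service entry also writes `(system\/vendor|vendor)` where the neighbouring entries use `(vendor|system/vendor)`; following the file's existing form keeps the entries consistent and easy to grep.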
diff --git a/basic/non_plat/hal_gpu.te b/basic/non_plat/hal_gpu.te
new file mode 100644
index 0000000..6020588
--- /dev/null
+++ b/basic/non_plat/hal_gpu.te
@@ -0,0 +1,6 @@
+# HwBinder IPC from clients into server, and callbacks
+binder_call(hal_gpu_client, hal_gpu_server)
+binder_call(hal_gpu_server, hal_gpu_client)
+
+# give permission for hal client
+allow hal_gpu_client mtk_hal_gpu_hwservice :hwservice_manager find;
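Review bot: The `find` rule that closes hal_gpu.te is repeated in mtk_hal_gpu.te in this same commit, so the client permission now lives in two files and can drift apart. I would keep it only here, written without the stray space before the colon as `allow hal_gpu_client mtk_hal_gpu_hwservice:hwservice_manager find;`, and drop the copy from the server domain file. The `binder_call` rules above apply only to domains carrying `hal_gpu_client`. The commit gives camerapostalgo a bare `find`, so unless that domain is tagged as a client outside the visible hunks, it can look the service up but these rules do not let it call the server.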
diff --git a/basic/non_plat/hwservice.te b/basic/non_plat/hwservice.te
index 4d59524..16bfdf4 100644
--- a/basic/non_plat/hwservice.te
+++ b/basic/non_plat/hwservice.te
@@ -74,3 +74,6 @@
 # Date: 2021/06/30
 # composer extension HIDL
 type mtk_hal_composer_ext_hwservice, hwservice_manager_type, protected_hwservice;
+
+# GPU HIDL
+type mtk_hal_gpu_hwservice, hwservice_manager_type;
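Review bot: `mtk_hal_gpu_hwservice` is declared without `protected_hwservice`, unlike `mtk_hal_composer_ext_hwservice` directly above it. If no untrusted app is meant to look up the GPU HAL, `type mtk_hal_gpu_hwservice, hwservice_manager_type, protected_hwservice;` lets the platform's neverallow rules enforce that. If app processes do need the service, a one-line comment saying so would record that the omission is deliberate.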
diff --git a/basic/non_plat/hwservice_contexts b/basic/non_plat/hwservice_contexts
index 5e5a37e..cffdba4 100644
--- a/basic/non_plat/hwservice_contexts
+++ b/basic/non_plat/hwservice_contexts
@@ -10,6 +10,9 @@
 vendor.mediatek.hardware.interfaces_tc1.mtkradioex_tc1::IMtkRadioEx u:object_r:mtk_hal_rild_hwservice:s0
 vendor.mediatek.hardware.radio_op::IRadioOp                         u:object_r:mtk_hal_rild_hwservice:s0
 
+# GPU HIDL
+vendor.mediatek.hardware.gpu::IGraphicExt u:object_r:mtk_hal_gpu_hwservice:s0
+
 # Date: 2017/06/07
 # power hidl
 vendor.mediatek.hardware.mtkpower::IMtkPerf  u:object_r:hal_power_hwservice:s0
diff --git a/basic/non_plat/mtk_hal_gpu.te b/basic/non_plat/mtk_hal_gpu.te
new file mode 100644
index 0000000..77c9a7b
--- /dev/null
+++ b/basic/non_plat/mtk_hal_gpu.te
@@ -0,0 +1,30 @@
+type mtk_hal_gpu, domain;
+type mtk_hal_gpu_exec, exec_type, file_type, vendor_file_type;
+
+# Setup for domain transition
+init_daemon_domain(mtk_hal_gpu)
+
+# Allow to use HWBinder IPC
+hwbinder_use(mtk_hal_gpu);
+
+# Allow a set of permissions required for a domain to be a server which provides a HAL implementation over HWBinder.
+hal_server_domain(mtk_hal_gpu, hal_gpu)
+
+# add/find permission rule to hwservicemanager
+add_hwservice(hal_gpu, mtk_hal_gpu_hwservice)
+allow hal_gpu_client mtk_hal_gpu_hwservice:hwservice_manager find;
+
+# Allow to allocate hidl memory
+hal_client_domain(mtk_hal_gpu, hal_allocator)
+
+# Purpose : Allow to use kernel driver
+allow mtk_hal_gpu graphics_device:chr_file rw_file_perms;
+
+allow mtk_hal_gpu proc_ged:file rw_file_perms;
+allowxperm mtk_hal_gpu proc_ged:file ioctl { proc_ged_ioctls };
+
+allow mtk_hal_gpu hal_graphics_allocator_default:fd use;
+allow mtk_hal_gpu ion_device:chr_file r_file_perms;
+allow mtk_hal_gpu debugfs_ion:dir search;
+
+allow mtk_hal_gpu merged_hal_service:fd use;
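Review bot: The last grants in mtk_hal_gpu.te, `debugfs_ion:dir search` and `merged_hal_service:fd use`, carry no purpose comment, and debugfs access is something newer platform policy tends to restrict. If the R blob only probes that directory, `dontaudit mtk_hal_gpu debugfs_ion:dir search;` would silence the denial without granting the access; otherwise add a comment naming the denial each rule resolves. Separately, `add_hwservice(hal_gpu, mtk_hal_gpu_hwservice)` grants registration to the whole `hal_gpu` attribute, whereas `add_hwservice(hal_gpu_server, mtk_hal_gpu_hwservice)` limits it to the server side. The trailing semicolon on `hwbinder_use(mtk_hal_gpu);` is also inconsistent with the other macro calls in the file.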
diff --git a/basic/plat_public/attributes b/basic/plat_public/attributes
index 4c48837..07ef535 100644
--- a/basic/plat_public/attributes
+++ b/basic/plat_public/attributes
@@ -33,6 +33,11 @@
 attribute hal_mtk_lbs_client;
 attribute hal_mtk_lbs_server;
 
+# GPU HIDL
+attribute hal_gpu;
+attribute hal_gpu_client;
+attribute hal_gpu_server;
+
 # Date: 2017/06/27
 # IMSA HIDL
 attribute hal_mtk_imsa;
diff --git a/bsp/non_plat/camerapostalgo.te b/bsp/non_plat/camerapostalgo.te
index 9023a6d..c5f6a5b 100644
--- a/bsp/non_plat/camerapostalgo.te
+++ b/bsp/non_plat/camerapostalgo.te
@@ -23,4 +23,5 @@
 hal_client_domain(camerapostalgo, hal_graphics_allocator)
 allow camerapostalgo hal_graphics_mapper_hwservice:hwservice_manager find;
 allow camerapostalgo hal_configstore_default:binder call;
+allow camerapostalgo mtk_hal_gpu_hwservice:hwservice_manager find;