Merge "Allowing system process to read gpu model" into sepolicy.lnx.6.0
diff --git a/generic/vendor/common/bootanim.te b/generic/vendor/common/bootanim.te
index 5c0ff82..21172a6 100644
--- a/generic/vendor/common/bootanim.te
+++ b/generic/vendor/common/bootanim.te
@@ -32,6 +32,4 @@
# this denial on phones since this functionality is not used.
dontaudit bootanim system_data_file:dir read;
-dontaudit bootanim vendor_hal_qspmhal_hwservice:hwservice_manager find;
-
-allow bootanim vendor_sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
+dontaudit bootanim vendor_hal_qspmhal_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/generic/vendor/common/domain.te b/generic/vendor/common/domain.te
index fee30ce..91ac493 100644
--- a/generic/vendor/common/domain.te
+++ b/generic/vendor/common/domain.te
@@ -56,3 +56,6 @@
-ueventd
-vold
} vendor_persist_type: { dir file } *;
+
+# Allow all context to read gpu model
+allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
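Review bot: The rule added at the end of generic/vendor/common/domain.te, `allow { domain - isolated_app } vendor_sysfs_kgsl_gpu_model:file r_file_perms;`, grants read access to every domain except `isolated_app`. That is much wider than the four domains whose per-domain rules this commit deletes (bootanim, gmscore_app, priv_app, system_server) and wider than the "system process" scope in the commit title. As written, the source set also covers untrusted third-party app domains, so the GPU model becomes a device-identifying value that any app can read. If only platform and privileged components need it, keep the named per-domain rules or use an attribute limited to those callers. The comment should also state the exclusion and the reason, for example `# Allow every domain except isolated_app to read the GPU model sysfs node (needed by: <consumer>)`, rather than "Allow all context". The same rule and comment are added in the legacy/vendor/common/domain.te hunk for `sysfs_kgsl_gpu_model`, and the point applies there too.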
diff --git a/generic/vendor/common/gmscore_app.te b/generic/vendor/common/gmscore_app.te
index 12df1ba..41573ff 100644
--- a/generic/vendor/common/gmscore_app.te
+++ b/generic/vendor/common/gmscore_app.te
@@ -25,8 +25,6 @@
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-allow gmscore_app vendor_sysfs_kgsl_gpu_model:file r_file_perms;
-
dontaudit gmscore_app vendor_hal_qspmhal_default:binder {call};
unix_socket_connect(gmscore_app, vendor_dpmtcm, vendor_dpmd);
diff --git a/generic/vendor/common/priv_app.te b/generic/vendor/common/priv_app.te
index 5a32387..50e3afe 100644
--- a/generic/vendor/common/priv_app.te
+++ b/generic/vendor/common/priv_app.te
@@ -30,6 +30,3 @@
# TODO(b/123050471): this grants renderscript exec permissions to the
# priv_app domain
allow priv_app rs_exec:file rx_file_perms;
-
-allow priv_app vendor_sysfs_kgsl_gpu_model:file r_file_perms;
-
diff --git a/generic/vendor/common/system_server.te b/generic/vendor/common/system_server.te
index 6aea52a..abfd9bd 100644
--- a/generic/vendor/common/system_server.te
+++ b/generic/vendor/common/system_server.te
@@ -51,6 +51,4 @@
# allow system_server to read/acess peripheral manager.
get_prop(system_server, vendor_per_mgr_state_prop);
-hal_client_domain(system_server, vendor_hal_dataconnection_qti)
-
-allow system_server vendor_sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
+hal_client_domain(system_server, vendor_hal_dataconnection_qti)
\ No newline at end of file
diff --git a/legacy/vendor/common/domain.te b/legacy/vendor/common/domain.te
index c2f4709..83bb377 100644
--- a/legacy/vendor/common/domain.te
+++ b/legacy/vendor/common/domain.te
@@ -64,4 +64,7 @@
get_prop(domain, vendor_security_patch_level_prop)
get_prop(domain, public_vendor_default_prop)
-allow domain qti_debugfs:dir search;
\ No newline at end of file
+allow domain qti_debugfs:dir search;
+
+# allow all context to read gpu model
+allow { domain - isolated_app } sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
diff --git a/legacy/vendor/common/location_app.te b/legacy/vendor/common/location_app.te
index 82df910..104c78f 100644
--- a/legacy/vendor/common/location_app.te
+++ b/legacy/vendor/common/location_app.te
@@ -54,5 +54,4 @@
allowxperm vendor_location_app self:socket ioctl msm_sock_ipc_ioctls;
allow vendor_location_app self:qipcrtr_socket create_socket_perms_no_ioctl;
allow vendor_location_app sysfs_data:file r_file_perms;
-unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
-#allow location_app sysfs_kgsl_gpu_model:file r_file_perms;
+unix_socket_connect(vendor_location_app, vendor_dpmtcm, vendor_dpmd)
\ No newline at end of file
diff --git a/legacy/vendor/common/priv_app.te b/legacy/vendor/common/priv_app.te
index 723f1c2..0717cd6 100644
--- a/legacy/vendor/common/priv_app.te
+++ b/legacy/vendor/common/priv_app.te
@@ -28,6 +28,4 @@
hal_client_domain(priv_app, hal_perf)
# TODO(b/123050471): this grants renderscript exec permissions to the
# priv_app domain
-allow priv_app rs_exec:file rx_file_perms;
-
-allow priv_app sysfs_kgsl_gpu_model:file r_file_perms;
\ No newline at end of file
+allow priv_app rs_exec:file rx_file_perms;
\ No newline at end of file