From a20c39e9f3e73cc66b4694a6adf2fb053db93005 Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Thu, 31 Dec 2020 10:50:17 +0530
Subject: [PATCH] non_plat: Label and grant required permissions to VPU devices

- SELinux rules have been decompiled from stock ROM's sepolicy

Signed-off-by: Aayush Gupta
Change-Id: Ia5b712f2c2f77aa363499788d1201b29f232311e
---
 non_plat/device.te | 4 ++++
 non_plat/file_contexts | 4 ++++
 non_plat/vpud_native.te | 44 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 non_plat/vpud_native.te

diff --git a/non_plat/device.te b/non_plat/device.te
index d16357e..ffd225d 100644
--- a/non_plat/device.te
+++ b/non_plat/device.te
@@ -283,3 +283,7 @@ typeattribute teei_client_device mlstrustedobject;
 
 # Keymaster
 type ut_keymaster_device, dev_type;
+
+# VPU
+type vpud_device, dev_type;
+type vcu_device, dev_type;
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 5437f38..28048d0 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -723,3 +723,7 @@
 /(system\/vendor|vendor)/bin/volte_imcb u:object_r:volte_imcb_exec:s0
 /(system\/vendor|vendor)/bin/wfca u:object_r:wfca_exec:s0
 /(system\/vendor|vendor)/bin/xcap u:object_r:xcap_exec:s0
+
+# VPU
+/dev/vcu u:object_r:vcu_device:s0
+/vendor/bin/vpud u:object_r:vpud_native_exec:s0
diff --git a/non_plat/vpud_native.te b/non_plat/vpud_native.te
new file mode 100644
index 0000000..99bb730
--- /dev/null
+++ b/non_plat/vpud_native.te
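Review bot: `type vpud_device, dev_type;` is declared in device.te but nothing in this change uses it — the file_contexts hunk labels only `/dev/vcu` (as `vcu_device`) and the new vpud_native.te grants access only to `vcu_device`. A device type with no file_contexts entry and no allow rule is dead policy and invites later copy-paste guesses about what it was for. Either add the `/dev` node it is meant to label to file_contexts alongside `/dev/vcu`, or drop the declaration until a rule needs it.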
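Review bot: `/vendor/bin/vpud u:object_r:vpud_native_exec:s0` uses a bare `/vendor` prefix while every neighbouring executable entry in this file is written as `/(system\/vendor|vendor)/bin/...`. On a layout where vendor is reached through `/system/vendor` the bare form would leave the binary unlabelled, so the daemon would not transition into `vpud_native`. For consistency with the surrounding lines: `/(system\/vendor|vendor)/bin/vpud u:object_r:vpud_native_exec:s0`.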
@@ -0,0 +1,44 @@
+type vpud_native_exec, exec_type, file_type, vendor_file_type;
+type vpud_native, domain;
+
+init_daemon_domain(vpud_native)
+
+allow vpud_native ion_device:chr_file { ioctl read write open };
+allow vpud_native vcu_device:chr_file rw_file_perms;
+allow vpud_native MTK_SMI_device:chr_file { open read ioctl };
+allow vpud_native proc:file { ioctl read getattr open };
+allow vpud_native init:unix_stream_socket connectto;
+allow vpud_native property_socket:sock_file write;
+allow vpud_native sysfs_device_tree_model:file r_file_perms;
+allow vpud_native teei_client_device:chr_file rw_file_perms;
+allow vpud_native mediaserver:fd use;
+
+allow vpud_native mtk_hal_power_hwservice:hwservice_manager find;
+allow vpud_native mtk_hal_power:fd use;
+binder_call(vpud_native, mtk_hal_power)
+
+allow vpud_native thermal_manager_data_file:file { read write };
+allow vpud_native thermalloadalgod:unix_stream_socket connectto;
+allow vpud_native proc_thermal:file open;
+
+allow vpud_native proc_m4u:file r_file_perms;
+allowxperm vpud_native proc_m4u:file ioctl {
+ MTK_M4U_T_ALLOC_MVA
+ MTK_M4U_T_DEALLOC_MVA
+ MTK_M4U_T_CONFIG_PORT
+ MTK_M4U_T_DMA_OP
+ MTK_M4U_T_SEC_INIT
+ MTK_M4U_T_CONFIG_PORT_ARRAY
+ MTK_M4U_T_CACHE_SYNC
+};
+
+allow vpud_native vcodec_file:file create_file_perms;
+allow vpud_native vcodec_file:dir create_dir_perms;
+
+allow vpud_native vendor_shell_exec:file rx_file_perms;
+allow vpud_native vendor_toolbox_exec:file rx_file_perms;
+
+binder_call(vpud_native, hwservicemanager)
+
+set_prop(vpud_native, hwservicemanager_prop)
+set_prop(vpud_native, mtk_thermal_config_prop)
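Review bot: `allow vpud_native init:unix_stream_socket connectto;` and `allow vpud_native property_socket:sock_file write;` duplicate what the two `set_prop(...)` macros at the end of the file already expand to via `unix_socket_connect`, so those two explicit lines can be dropped. `allow vpud_native vendor_shell_exec:file rx_file_perms;` and the matching `vendor_toolbox_exec` rule let this media daemon execute the vendor shell and toolbox in its own domain, which is far broader than a VPU daemon should need; since the rules were decompiled from stock rather than derived from observed denials, the call sites should be identified and the grant narrowed or removed. `allow vpud_native proc_thermal:file open;` grants `open` without `read`, which reads like a fragment of the decompiled policy rather than a usable rule — either complete it as `r_file_perms` or drop it. `allow vpud_native proc:file { ioctl read getattr open };` also uses the generic `proc` label; the specific /proc node should get its own `proc_*` type so the grant is bounded.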