Update sepolicy for GPU profiling properties.
A device must indicate whether GPU profiling is supported by setting
these two properties correctly. CTS needs to read these two properties
in order to run the corresponding compliance tests, so the sepolicy
must be updated for them.
Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
diff --git a/private/app.te b/private/app.te
index 3dff8fe..27ef097 100644
--- a/private/app.te
+++ b/private/app.te
@@ -46,3 +46,6 @@
# Don't allow regular apps access to storage configuration properties.
neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
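Review bot: The added `get_prop(appdomain, graphics_config_prop)` grants read access to every app domain, but the comment above it does not say why such a broad grant is needed. The commit message gives the reason (CTS reads the two properties), so I would record it in the policy, e.g. `# CTS reads graphics.gpu.profiler.*; anything labelled graphics_config_prop must be safe to expose to all apps.` The grant follows the label rather than the property name, so any property later added under graphics_config_prop in private/property_contexts becomes readable by all apps too; a matching caution next to the `# Graphics related properties` comment there would help. The declaration of graphics_config_prop is not in the visible hunks, so its restriction level should be confirmed separately.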
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ed41f76..473062a 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -48,6 +48,7 @@
fwk_automotive_display_hwservice
gmscore_app
gnss_device
+ graphics_config_prop
hal_can_bus_hwservice
hal_can_controller_hwservice
hal_identity_service
diff --git a/private/property.te b/private/property.te
index 64c8af1..1aa4ddf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -399,3 +399,10 @@
-hal_telephony_server
not_compatible_property(`-vendor_init')
} telephony_status_prop:property_service set;
+
+neverallow {
+ -init
+ -vendor_init
+} {
+ graphics_config_prop
+}:property_service set;
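Review bot: The source set of the added neverallow lists only exclusions (`-init`, `-vendor_init`) and no positive type or attribute, so whether it covers every other domain depends on how the policy compiler expands an exclusion-only set. If that expands to an empty set, the rule asserts nothing and a later `set_prop` grant on graphics_config_prop would not be caught at build time. Writing the set as `{ domain -init -vendor_init }` states the intent explicitly; the preceding telephony rule starts outside the hunk, so I cannot tell which form the file uses elsewhere. A one-line comment above the rule, such as `# Only init and vendor_init may set graphics config properties.`, would also help.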
diff --git a/private/property_contexts b/private/property_contexts
index 4793437..41eb3c8 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -851,3 +851,7 @@
persist.dbg.volte_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.vt_avail_ovr u:object_r:telephony_config_prop:s0 exact int
persist.dbg.wfc_avail_ovr u:object_r:telephony_config_prop:s0 exact int
+
+# Graphics related properties
+graphics.gpu.profiler.support u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 63757eb..2a2af0f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -140,3 +140,6 @@
get_prop(shell, init_perf_lsm_hooks_prop)
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)