Commit 27.0 sepolicy prebuilts to master.
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: I62304b342a8b52fd505892cc2d4ebc882148224b
diff --git a/prebuilts/api/27.0/public/bufferhubd.te b/prebuilts/api/27.0/public/bufferhubd.te
new file mode 100644
index 0000000..274c271
--- /dev/null
+++ b/prebuilts/api/27.0/public/bufferhubd.te
@@ -0,0 +1,20 @@
+# bufferhubd
+type bufferhubd, domain, mlstrustedsubject;
+type bufferhubd_exec, exec_type, file_type;
+
+hal_client_domain(bufferhubd, hal_graphics_allocator)
+
+pdx_server(bufferhubd, bufferhub_client)
+pdx_client(bufferhubd, performance_client)
+
+# Access the GPU.
+allow bufferhubd gpu_device:chr_file rw_file_perms;
+
+# Access /dev/ion
+allow bufferhubd ion_device:chr_file r_file_perms;
+
+# Receive sync fence FDs from mediacodec. Note that mediacodec never directly
+# connects to bufferhubd via PDX. Instead, a VR app acts as a bridge between
+# those two: it talks to mediacodec via Binder and talks to bufferhubd via PDX.
+# Thus, there is no need to use pdx_client macro.
+allow bufferhubd mediacodec:fd use;