Update sepolicy for GPU profiling properties.

A device must indicate whether GPU profiling is supported or not through
setting these two properties properly. CTS needs to read these two
properties in order to run corresponding compliance tests. Hence need to
update sepolicy for these two properties.

Bug: b/157832445
Test: Test on Pixel 4
Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
diff --git a/private/app.te b/private/app.te
index 4da06bc..b76f1d0 100644
--- a/private/app.te
+++ b/private/app.te
@@ -45,3 +45,6 @@
 
 # Don't allow regular apps access to storage configuration properties.
 neverallow { appdomain -mediaprovider_app } storage_config_prop:file no_rw_file_perms;
+
+# Allow to read graphics related properties.
+get_prop(appdomain, graphics_config_prop)
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 4e43dea..1d4216c 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -50,6 +50,7 @@
     fusectlfs
     gmscore_app
     gnss_device
+    graphics_config_prop
     hal_can_bus_hwservice
     hal_can_controller_hwservice
     hal_identity_service
diff --git a/private/property.te b/private/property.te
index 64c8af1..1aa4ddf 100644
--- a/private/property.te
+++ b/private/property.te
@@ -399,3 +399,10 @@
   -hal_telephony_server
   not_compatible_property(`-vendor_init')
 } telephony_status_prop:property_service set;
+
+neverallow {
+  -init
+  -vendor_init
+} {
+  graphics_config_prop
+}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index c4b5533..2489c13 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -854,3 +854,7 @@
 persist.dbg.volte_avail_ovr       u:object_r:telephony_config_prop:s0 exact int
 persist.dbg.vt_avail_ovr          u:object_r:telephony_config_prop:s0 exact int
 persist.dbg.wfc_avail_ovr         u:object_r:telephony_config_prop:s0 exact int
+
+# Graphics related properties
+graphics.gpu.profiler.support          u:object_r:graphics_config_prop:s0 exact bool
+graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
diff --git a/private/shell.te b/private/shell.te
index 63757eb..2a2af0f 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -140,3 +140,6 @@
 get_prop(shell, init_perf_lsm_hooks_prop)
 
 userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
+
+# Allow to read graphics related properties.
+get_prop(shell, graphics_config_prop)