Stephen Smalley  committed 27f3bcb

Move gpu_device type and rules to core policy.

Also rename mali_device to the more general gpu_device in manta sepolicy.
Also drop other rules that are duplicated in external/sepolicy.

Change-Id: I3ce0b4bd25e078698a1c50242aaed414bf5cb517
Signed-off-by: Stephen Smalley <>

  • Parent commits 5a6d77f

Files changed (5)


 	file_contexts \
 	genfs_contexts \
 	adbd.te \
-	app.te \
 	device.te \
 	domain.te \
 	healthd.te \
 	gpsd.te \
 	file.te \
 	mediaserver.te \
-	surfaceflinger.te \
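Review bot: app.te and surfaceflinger.te are dropped from this list, and the later hunks remove every rule shown for them, so please confirm both files are deleted from the device tree rather than left behind empty. A leftover file that is no longer in the list would never be built and could mislead someone who later adds a rule to it. system_server.te stays in the list, which is correct since it keeps the gps_data_file type_transition.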

File sepolicy/app.te

-allow appdomain mali_device:chr_file rw_file_perms;
-allow appdomain ion_device:chr_file w_file_perms;
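Review bot: the second removed line, allow appdomain ion_device:chr_file w_file_perms, is not a GPU rule and is covered only by the commit message's "other rules that are duplicated in external/sepolicy". Before dropping it, check that the core policy grants appdomain at least w_file_perms on ion_device:chr_file; if the core rule is narrower, apps on manta will start getting denials on the ion device. Naming the core rules this relies on in the commit message would make that easy to verify later.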

File sepolicy/file_contexts

-# label graphics device with a new type, we need
-# to allow write operation from appdomain
-/dev/mali0              u:object_r:mali_device:s0
+/dev/mali0              u:object_r:gpu_device:s0
 /dev/bcm2079x           u:object_r:nfc_device:s0
 /dev/ttySAC0            u:object_r:hci_attach_dev:s0
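Review bot: the new /dev/mali0 label uses gpu_device, but no hunk in this change declares that type, so this only builds if the core policy change that adds gpu_device lands first or together with it; the commit message should reference that dependency. Also, none of the five changed files is device.te, which is still in the build list: if mali_device was declared there, the declaration is now unused and should be removed in this change. The deleted comment was the only record of why apps need write access to this node, so a short comment on the new line would be worth keeping.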

File sepolicy/surfaceflinger.te

-allow surfaceflinger appdomain:fd use;
-allow surfaceflinger mali_device:chr_file rw_file_perms;

File sepolicy/system_server.te

-allow system_server mali_device:chr_file rw_file_perms;
 # Label the .gps.interface.pipe.to_jni pipe with gps_data_file.
 type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";