Robert Craig committed b84ca6a

Create new label for graphics device.

/dev/mali0 needs write access from
appdomain type. Create a new label
separate from normal graphics_device
label to allow such write access.

Signed-off-by: rpcraig <>
Change-Id: I0da43eeba22c454ba86d801424c2533c8e79cfb5

  • Parent commits f77ab59
  • Branches seandroid-4.2

Files changed (6)


 	gpsd.te \
 	file.te \
 	mediaserver.te \
-	surfaceflinger.te
+	surfaceflinger.te \
+	system.te

File sepolicy/app.te

-allow appdomain graphics_device:chr_file rw_file_perms;
+allow appdomain mali0_device:chr_file rw_file_perms;
 allow appdomain ion_device:chr_file w_file_perms;
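
Review bot: on the added `allow appdomain mali0_device:chr_file rw_file_perms;` line, the grant is read plus write for every domain carrying the appdomain attribute, while the commit message only calls for write access. If some app domains never open the GPU node, scope the rule to the ones that do, or add a comment above the rule stating that all app domains need it. Also confirm that dropping the graphics_device rule leaves no other node with that label that apps reached through this line.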

File sepolicy/device.te

+type mali0_device, dev_type, mlstrustedobject;
 type secmem_device, dev_type;
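
Review bot: `mlstrustedobject` on the new mali0_device type is not explained, and the neighbouring secmem_device declaration does not carry it. The attribute exempts the object from MLS constraints, so together with the appdomain rule in app.te every app can read and write the node regardless of its level or categories. Add a comment giving the reason (presumably apps running at different MLS levels must share the GPU node), or drop the attribute if the constraint is not actually hit.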

File sepolicy/file_contexts

-/dev/mali0              u:object_r:graphics_device:s0
+# label graphics device with a new type, we need
+# to allow write operation from appdomain
+/dev/mali0              u:object_r:mali0_device:s0
 /dev/bcm2079x           u:object_r:nfc_device:s0
 /dev/ttySAC0            u:object_r:hci_attach_dev:s0
 /dev/ttySAC1            u:object_r:gps_device:s0
 /dev/watchdog           u:object_r:watchdog_device:s0
 /dev/s5p-smem           u:object_r:secmem_device:s0
+/dev/ump                u:object_r:ump_device:s0
 /dev/mobicore           u:object_r:tee_device:s0
 /dev/mobicore-user      u:object_r:tee_device:s0
-/dev/ump                u:object_r:ump_device:s0
 /dev/v4l-subdev[0-9]*   u:object_r:video_device:s0
 /dev/media0             u:object_r:video_device:s0
 /dev/media1             u:object_r:video_device:s0
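
Review bot: the /dev/ump entry is moved from below /dev/mobicore-user to above /dev/mobicore with its label unchanged, which is unrelated to the mali0 relabel; split it into its own commit or mention the reordering in the commit message. The new comment above /dev/mali0 should also say which label it replaces and why the old one could not be used, since "graphics device" is the name of the label being dropped.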

File sepolicy/surfaceflinger.te

 allow surfaceflinger appdomain:fd use;
+allow surfaceflinger mali0_device:chr_file rw_file_perms;
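
Review bot: relabelling /dev/mali0 removes access for every domain that reached it through graphics_device, and only surfaceflinger (this line) and system get an explicit replacement rule. mediaserver.te is in the policy file list in the first hunk but receives no mali0_device rule in this change. Boot the device, exercise media playback, and check for avc denials on mali0_device before merging, then add rules for any domain that still needs the node.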

File sepolicy/system.te

+allow system mali0_device:chr_file rw_file_perms;
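
Review bot: the commit message justifies the new label only for appdomain, yet this new file grants `system` rw_file_perms on mali0_device with no stated reason. Say in the commit message or in a comment above the rule why the system domain needs read and write on the GPU node. Since the file is created by this commit and holds a single rule, a short header comment describing what belongs in it would help later additions.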