commit c090c647c5ef24377f415340cd01be168b5bc64c
author John Stultz <john.stultz@linaro.org> Tue Sep 22 20:09:48 2020 +0000
committer John Stultz <john.stultz@linaro.org> Tue Sep 22 20:14:09 2020 +0000
tree a728937ab2b6faff2b3965d38bacd2318264d11e
parent ef1cddcc85e8470f5422714172f2bc167ce7afbc

HiKey/HiKey960: Fix up new dmabuf_system_heap_device sepolicy fallout

Hridya recently got some patches merged to add new default sepolicy
for the dmabuf_system_heap_device (/dev/dma_heap/system).

However, since HiKey960 already had its own policy for
/dev/dma_heap/system, this causes conflicts which break gralloc
as well as future system use of the dmabuf heaps.

So refactor the policy to avoid relabeling the system heap, or
labeling the /dev/dma_heap/ directory. Also add permissions for
gralloc to access the new dmabuf_system_heap_device, and take
care to open the dmabuf heaps as READONLY, as RW isn't necessary
and the policy limits to RO.

Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I574f9231f1d04f3b36b4f75145f2e698b9009508

sepolicy/file_contexts

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 927ec77..350c678 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -13,7 +13,7 @@
 /dev/hifi_misc         u:object_r:audio_device:s0
 /dev/hi_vdec	       u:object_r:video_device:s0
 /dev/hi_venc	       u:object_r:video_device:s0
-/dev/dma_heap(/.*)? u:object_r:graphics_device:s0
+/dev/dma_heap/linux,cma u:object_r:graphics_device:s0
 /dev/graphics/fb0      u:object_r:graphics_device:s0
 
 # files in /vendor