From 49274721b371a5bf76e3ea5a4ae0113b60018fbf Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 20 Mar 2017 15:02:20 -0700
Subject: [PATCH] Move Graphics Allocator HAL IPC rules to proper location

Every client of Graphics Allocator HAL needs permission to (Hw)Binder
IPC into the HAL.

Test: Device boots, no denials to do with hal_graphics_allocator
      (also, removing the binder_call(hal_graphics_allocator_client,
      hal_graphics_allocator_server) leads to denials)
Test: GUI works, YouTube works
Bug: 34170079

Change-Id: I5c64d966862a125994dab903c2eda5815e336a94
---
 private/surfaceflinger.te        | 1 -
 public/hal_graphics_allocator.te | 3 +++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 0aff9f505..3808c838f 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -9,7 +9,6 @@ read_runtime_log_tags(surfaceflinger)
 
 # Perform HwBinder IPC.
 hwbinder_use(surfaceflinger)
-binder_call(surfaceflinger, hal_graphics_allocator)
 hal_client_domain(surfaceflinger, hal_graphics_allocator)
 binder_call(surfaceflinger, hal_graphics_composer)
 hal_client_domain(surfaceflinger, hal_graphics_composer)
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 45999bef2..e43475149 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -1,3 +1,6 @@
+# HwBinder IPC from client to server
+binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
+
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
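Review bot: The comment above the added `binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)` describes only the client-to-server call, which understates what the rule grants. As `binder_call` is defined in AOSP's te_macros (outside this patch, so confirm against this tree), it also lets the server transfer binder references back to the client and lets the client use file descriptors received from the server. Because the rule now lives in public policy and applies to every domain carrying the client attribute rather than to surfaceflinger alone, the comment should state the full grant, for example `# Clients call the server over HwBinder; the server may transfer references back and pass fds to clients`. It is also worth listing which domains currently hold `hal_graphics_allocator_client` (for example with `sesearch` on the built policy) so the wider scope is reviewed deliberately.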
-- 
GitLab