From 5797d151b52e9839b76af4db971b29faadf34c06 Mon Sep 17 00:00:00 2001 From: Anand S Date: Sat, 10 Aug 2024 20:16:00 +0530 Subject: [PATCH] sm6375-common: sepolicy: Allow fp hal to access graphics device * I HwBinder:1502_1: type=1400 audit(0.0:862): avc: denied { read write } for name="card0" dev="tmpfs" ino=26702 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1 * I HwBinder:1502_1: type=1400 audit(0.0:863): avc: denied { open } for path="/dev/dri/card0" dev="tmpfs" ino=26702 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1 * I HwBinder:1502_1: type=1400 audit(0.0:864): avc: denied { ioctl } for path="/dev/dri/card0" dev="tmpfs" ino=26702 ioctlcmd=0x649f scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1 Change-Id: Iccfda81d6ab92f43c988ab2ff85577dffbcd5699
---
 sepolicy/vendor/file_contexts | 3 +++ sepolicy/vendor/hal_fingerprint_default.te | 1 + 2 files changed, 4 insertions(+)
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 8a3fe65..63b2d58 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -43,6 +43,9 @@
 /(mnt/vendor/persist|persist)/chargeonly(/.*)? u:object_r:persist_chargeonly_file:s0
 /(vendor|system/vendor)/bin/charge_only_mode u:object_r:charge_only_exec:s0
+# DRI
+/dev/dri/card[0-4] u:object_r:graphics_device:s0
+
 # Fingerprint
 /(mnt/vendor/persist|persist)/egis(/.*)? u:object_r:vendor_persist_egis_file:s0
 /(mnt/vendor/persist|persist)/fps(/.*)? u:object_r:vendor_persist_fps_file:s0
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index 07cb76d..b024d59 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
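Review bot: In sepolicy/vendor/file_contexts, the new `/dev/dri/card[0-4]` entry labels five nodes, although the denials in the commit message concern only `/dev/dri/card0` and already show `tcontext=u:object_r:graphics_device:s0` for it. Unless that log was captured with this entry already applied, the label comes from elsewhere in the policy and this line is not what resolves the denials. What it does add is that card1 to card4, if they exist on the device, become reachable by every domain that holds `graphics_device` access. I would either drop the entry or narrow it to `/dev/dri/card0 u:object_r:graphics_device:s0`, with a comment saying which component needs the node and why.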
@@ -3,6 +3,7 @@ allow hal_fingerprint_default { egis_device goodix_device tee_device + graphics_device }: chr_file rw_file_perms; allow hal_fingerprint_default self:binder { call transfer };
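Review bot: Adding `graphics_device` to the shared `rw_file_perms` set lets the fingerprint HAL issue any ioctl on every node of that type, while the only command in the logged denials is `ioctlcmd=0x649f`. An extended-permission rule next to the allow would limit the grant to what was observed: `allowxperm hal_fingerprint_default graphics_device:chr_file ioctl { 0x649f };`. Once such a rule exists, other ioctls on that type are denied for this domain, so it needs a test run in enforcing mode. The denials were collected with `permissive=1`, where further commands may not have been logged. The allow statement opens in the hunk header and is not fully visible here; a comment stating why the HAL needs the display node would also help later audits.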