author: John Stultz <john.stultz@linaro.org> 2020-09-22 20:09:48 +0000
committer: John Stultz <john.stultz@linaro.org> 2020-09-22 20:14:09 +0000
commit: c090c647c5ef24377f415340cd01be168b5bc64c (patch)
tree: a728937ab2b6faff2b3965d38bacd2318264d11e /sepolicy
parent: ef1cddcc85e8470f5422714172f2bc167ce7afbc (diff)
HiKey/HiKey960: Fix up new dmabuf_system_heap_device sepolicy fallout

Hridya recently got some patches merged to add new default sepolicy for the dmabuf_system_heap_device (/dev/dma_heap/system). However, since HiKey960 already had its own policy for /dev/dma_heap/system, this causes conflicts which break gralloc as well as future system use of the dmabuf heaps.

So refactor the policy to avoid relabeling the system heap, or labeling the /dev/dma_heap/ directory. Also add permissions for gralloc to access the new dmabuf_system_heap_device, and take care to open the dmabuf heaps as READONLY, as RW isn't necessary and the policy limits to RO.

Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I574f9231f1d04f3b36b4f75145f2e698b9009508

Diffstat (limited to 'sepolicy')
-rw-r--r-- sepolicy/file_contexts 2
-rw-r--r-- sepolicy/hal_graphics_allocator_default.te 1
2 files changed, 2 insertions, 1 deletions
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 927ec77d..350c678c 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -13,7 +13,7 @@
/dev/hifi_misc u:object_r:audio_device:s0
/dev/hi_vdec u:object_r:video_device:s0
/dev/hi_venc u:object_r:video_device:s0
-/dev/dma_heap(/.*)? u:object_r:graphics_device:s0
+/dev/dma_heap/linux,cma u:object_r:graphics_device:s0
/dev/graphics/fb0 u:object_r:graphics_device:s0
# files in /vendor
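Review bot: the replacement entry `/dev/dma_heap/linux,cma` still puts the CMA heap under `graphics_device`, the same type used for `/dev/graphics/fb0` on the next line, so any domain allowed the framebuffer type is also allowed the heap. Consider a dedicated vendor type for the CMA heap (for example `dmabuf_cma_heap_device`, a hypothetical name) granted only to the allocator HAL. The entry also now matches one exact node name; a short comment stating that it must match the heap name the kernel exposes would help, since a mismatch leaves the node on whatever default label applies and gralloc loses access.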
diff --git a/sepolicy/hal_graphics_allocator_default.te b/sepolicy/hal_graphics_allocator_default.te
index b17dc7d4..833e957a 100644
--- a/sepolicy/hal_graphics_allocator_default.te
+++ b/sepolicy/hal_graphics_allocator_default.te
@@ -1,2 +1,3 @@
allow hal_graphics_allocator_default graphics_device:dir search;
allow hal_graphics_allocator_default graphics_device:chr_file { open read write ioctl map rw_file_perms};
+allow hal_graphics_allocator_default dmabuf_system_heap_device:chr_file r_file_perms;
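Review bot: the unchanged rule on line 2 of this file still grants `write` and `rw_file_perms` on `graphics_device:chr_file`, which is the label the CMA heap keeps in file_contexts, while the commit message says RW isn't necessary for the dmabuf heaps. If gralloc now opens the CMA heap read-only as well, give that heap its own type with `r_file_perms` to match the added line, and keep write access only where `/dev/graphics/fb0` needs it. Separately, since `/dev/dma_heap` itself is no longer labeled `graphics_device`, check whether the `graphics_device:dir search` rule on line 1 is still required.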