From 06497542780af5d8f6abb7f89288a35ffd32d228 Mon Sep 17 00:00:00 2001
From: Wesley Lee <szuweilee@google.com>
Date: Wed, 13 Nov 2024 20:04:58 -0800
Subject: [PATCH] mediacodec: add GPU access policy

avc:  denied  { read write }
for  comm="binder:757_6" name="renderD128" dev="tmpfs"
ino=1566 scontext=u:r:mediacodec_google:s0
tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1

Bug: 378609071

Flag: EXEMPT bugfix

Test: run cts -m CtsMediaV2TestCases -t
android.mediav2.cts.CodecEncoderSurfaceTest#testSimpleEncodeFromSurface[26_c2.google.av1.encoder_video/av01_c2.google.av1.decoder_video/av01_512kbps_30fps_yuv420flexible_tonemapyes_persistentsurface]

Change-Id: I2af4f53c9ff8aca0d3c7fd721738f2044d4772fd
Signed-off-by: Wesley Lee <szuweilee@google.com>
---
 mediacodec/vpu/sepolicy/mediacodec_google.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/mediacodec/vpu/sepolicy/mediacodec_google.te b/mediacodec/vpu/sepolicy/mediacodec_google.te
index 99a3c8d..cf9dfc5 100644
--- a/mediacodec/vpu/sepolicy/mediacodec_google.te
+++ b/mediacodec/vpu/sepolicy/mediacodec_google.te
@@ -13,6 +13,7 @@ binder_call(mediacodec_google, hal_camera_default)
 
 allow mediacodec_google dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediacodec_google video_device:chr_file { read write open ioctl map };
+allow mediacodec_google gpu_device:chr_file rw_file_perms;
 
 # mediacodec_google should never execute any executable without a domain transition
 neverallow mediacodec_google { file_type fs_type }:file execute_no_trans;