From 1082e886c0aa8c0b1dfdd212c24a7488d2095ff1 Mon Sep 17 00:00:00 2001
From: Erik Staats
Date: Fri, 9 Apr 2021 12:58:12 -0700
Subject: [PATCH] Add policy for USF low latency transport gralloc usage.

Bug: 183233052
Test: Verified regular and direct report sampling on Raven with shared memory transport enabled.
Test: See details in testing done comment in https://googleplex-android-review.git.corp.google.com/14144079 .
Change-Id: Ia852a4a9ca6e8eacb0fb465884d17f95445a6822
---
 usf/sensor_hal.te | 3 +++
 usf/te_macros | 14 ++++++++++++++
 whitechapel/vendor/google/chre.te | 4 ++++
 whitechapel/vendor/google/rlsservice.te | 4 ++++
 4 files changed, 25 insertions(+)
 create mode 100644 usf/te_macros
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
index 84d1caff..f1105928 100644
--- a/usf/sensor_hal.te
+++ b/usf/sensor_hal.te
@@ -41,6 +41,9 @@ allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
 # Allow access to the sysfs_aoc.
 allow hal_sensors_default sysfs_aoc:dir search;
+# Allow use of the USF low latency transport.
+usf_low_latency_transport(hal_sensors_default)
+
 #
 # Suez type enforcements.
 #
diff --git a/usf/te_macros b/usf/te_macros
new file mode 100644
index 00000000..01ac13c1
--- /dev/null
+++ b/usf/te_macros
@@ -0,0 +1,14 @@
+#
+# USF SELinux type enforcement macros.
+#
+
+#
+# usf_low_latency_transport(domain)
+#
+# Allows domain use of the USF low latency transport.
+#
+define(`usf_low_latency_transport', `
+ allow $1 hal_graphics_mapper_hwservice:hwservice_manager find;
+ hal_client_domain($1, hal_graphics_allocator)
+')
+
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
index f8d395fc..7eca5e43 100644
--- a/whitechapel/vendor/google/chre.te
+++ b/whitechapel/vendor/google/chre.te
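Review bot: The header comment on `usf_low_latency_transport` in usf/te_macros says only that the domain may use the transport, while the body grants `find` on `hal_graphics_mapper_hwservice` and makes the domain a `hal_graphics_allocator` client, so a reader of a call site cannot see that gralloc access is being handed out. I would add a line such as `# Grants: find on hal_graphics_mapper_hwservice, and hal_graphics_allocator client access.` to that comment. The same bundle goes to all three callers (hal_sensors_default, chre, rlsservice); if only one side of the transport allocates buffers and the others just map them, which the patch does not show, the allocator client grant could be limited to the allocating domain by splitting the macro.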
@@ -11,3 +11,7 @@ allow chre sysfs_aoc_boottime:file r_file_perms;
 # Allow CHRE to create thread to watch AOC's device
 allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use the USF low latency transport
+usf_low_latency_transport(chre)
+
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te
index 10f76dcc..113ef312 100644
--- a/whitechapel/vendor/google/rlsservice.te
+++ b/whitechapel/vendor/google/rlsservice.te
@@ -22,3 +22,7 @@ binder_call(rlsservice, hal_camera_default)
 # Allow access to always-on compute device node
 allow rlsservice device:dir { read watch };
 allow rlsservice aoc_device:chr_file rw_file_perms;
+
+# Allow use of the USF low latency transport
+usf_low_latency_transport(rlsservice)
+
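Review bot: `usf_low_latency_transport(chre)` in chre.te and `usf_low_latency_transport(rlsservice)` in rlsservice.te call a macro defined in usf/te_macros, a different policy directory from whitechapel/vendor/google, and nothing at either call site says so. If a build includes this directory without the usf one, the call would presumably be left unexpanded and policy compilation would fail, so it is worth confirming that every device using these files also lists the usf directory in its sepolicy dirs; the makefiles are not part of this patch. A short pointer at each call site would help, for example `# usf_low_latency_transport is defined in usf/te_macros.`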