sepolicy: Add simple sepolicy for drmfb-composer

diff --git a/README.md b/README.md
index 59e41ef..d82a96a 100644 (file)
--- a/README.md
+++ b/README.md
@@ -83,6 +83,10 @@ Add [drmfb-composer] to your Android build tree and build `android.hardware.grap
   - `/vendor/bin/hw/android.hardware.graphics.composer@2.1-service.drmfb`
   - `/vendor/etc/init/android.hardware.graphics.composer@2.1-service.drmfb.rc`
 
+## SELinux Policy
+`sepolicy` contains a simple SELinux Policy definition for drmfb-composer.
+You can include it in the build by adding the directory to `BOARD_SEPOLICY_DIRS`.
+
 ## License
 [drmfb-composer] is licensed under the [Apache License, Version 2.0]. Contributions welcome!
 

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644 (file)
index 0000000..3980e9f
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1 @@
+/(vendor|system/vendor)/bin/hw/android\.hardware\.graphics\.composer@2\.1-service\.drmfb  u:object_r:hal_graphics_composer_drmfb_exec:s0

diff --git a/sepolicy/hal_graphics_composer_drmfb.te b/sepolicy/hal_graphics_composer_drmfb.te
new file mode 100644 (file)
index 0000000..a18b2a4
--- /dev/null
+++ b/sepolicy/hal_graphics_composer_drmfb.te
@@ -0,0 +1,10 @@
+type hal_graphics_composer_drmfb, domain;
+hal_server_domain(hal_graphics_composer_drmfb, hal_graphics_composer)
+
+type hal_graphics_composer_drmfb_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_graphics_composer_drmfb)
+
+vndbinder_use(hal_graphics_composer_drmfb)
+
+# Listen for DRM hotplug events
+allow hal_graphics_composer_drmfb self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;