sepolicy: allow mm-pp-daemon to use binders in user variant

Binder calls from mm-pp-daemon were only allowed in userdebug
variants and were not allowed in user variant builds. Now
allowing these binder calls from mm-pp-daemon to system server
and surfaceflinger. Also allowing diag to access tempfs.

Change-Id: Ia90489ff63d62e0514666be5734fde0a3662a8a2

1 files changed, 7 insertions, 9 deletions

diff --git a/common/mm-pp-daemon.te b/common/mm-pp-daemon.te
index f8edeb54..468d3bad 100755
--- a/common/mm-pp-daemon.te
+++ b/common/mm-pp-daemon.te
@@ -24,17 +24,15 @@ allow mm-pp-daemon sensors:unix_stream_socket connectto;
 
 allow mm-pp-daemon system_prop:property_service set;
 
-userdebug_or_eng(`
-    # Display calibration service opens /dev/diag in order to communicate with the
-    # target device
-    allow mm-pp-daemon diag_device:chr_file rw_file_perms;
+# Allow diag to access tempfs
+allow mm-pp-daemon diag_device:chr_file rw_file_perms;
 
-    # QDCM needs to trigger screen refreshes in some cases to reach the
-    # convergent state
-    binder_use(mm-pp-daemon)
-    binder_call(mm-pp-daemon, system_server)
-    binder_call(mm-pp-daemon, surfaceflinger)
+# Allow mm-pp-daemon to call binder for screen refresh
+binder_use(mm-pp-daemon)
+binder_call(mm-pp-daemon, system_server)
+binder_call(mm-pp-daemon, surfaceflinger)
 
+userdebug_or_eng(`
     # This allows pp-daemon to use shell commands to blank
     # the display - it uses input keyevent to do this
     allow mm-pp-daemon shell_exec:file rx_file_perms;