From fb08872a40a7299954a92cf043fb8f498e286aa9 Mon Sep 17 00:00:00 2001 From: Chia-I Wu Date: Tue, 18 Oct 2016 10:58:22 +0800 Subject: [PATCH] Add sepolicy for hwcomposer HAL Allow SurfaceFlinger to call into IComposer, and vice versa for IComposerCallback. Specifically, hwbinder_use(...) for avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1 binder_call(..., surfaceflinger) for avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1 allow ... gpu_device:chr_file rw_file_perms for avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1 allow ... ion_device:chr_file r_file_perms for avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1 allow ... graphics_device ... for avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1 allow ... ...:fd use for avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1 binder_call(surfaceflinger, ...) for avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1 avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1 avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1 allow bootanim ...:fd use for avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1 Bug: 32021609 Test: make bootimage Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588 --- private/file_contexts | 1 + private/hal_graphics_composer.te | 1 + public/bootanim.te | 3 +++ public/hal_graphics_composer.te | 22 ++++++++++++++++++++++ public/surfaceflinger.te | 1 + 5 files changed, 28 insertions(+) create mode 100644 private/hal_graphics_composer.te create mode 100644 public/hal_graphics_composer.te diff --git a/private/file_contexts b/private/file_contexts index 382a20d29..a341d7e86 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -226,6 +226,7 @@ /system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_exec:s0 /system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0 /system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_exec:s0 +/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_exec:s0 /system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_exec:s0 /system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_exec:s0 /system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0 diff --git a/private/hal_graphics_composer.te b/private/hal_graphics_composer.te new file mode 100644 index 000000000..128171f01 --- /dev/null +++ b/private/hal_graphics_composer.te @@ -0,0 +1 @@ +init_daemon_domain(hal_graphics_composer) diff --git a/public/bootanim.te b/public/bootanim.te index 4d16f551a..3e0af8e1e 100644 --- a/public/bootanim.te +++ b/public/bootanim.te @@ -22,6 +22,9 @@ allow bootanim surfaceflinger_service:service_manager find; allow bootanim ion_device:chr_file rw_file_perms; allow bootanim hal_graphics_allocator:fd use; +# Fences +allow bootanim hal_graphics_composer:fd use; + # Read access to pseudo filesystems. r_dir_file(bootanim, proc) allow bootanim proc_meminfo:file r_file_perms; diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te new file mode 100644 index 000000000..e92eeafd5 --- /dev/null +++ b/public/hal_graphics_composer.te @@ -0,0 +1,22 @@ +# graphics composer subsystem +type hal_graphics_composer, domain; +type hal_graphics_composer_exec, exec_type, file_type; + +# HwBinder access +hwbinder_use(hal_graphics_composer) +# IComposerCallback +binder_call(hal_graphics_composer, surfaceflinger) + +# GPU device access +allow hal_graphics_composer gpu_device:chr_file rw_file_perms; +allow hal_graphics_composer ion_device:chr_file r_file_perms; +allow hal_graphics_composer hal_graphics_allocator:fd use; + +# Access /dev/graphics/fb0. +allow hal_graphics_composer graphics_device:dir search; +allow hal_graphics_composer graphics_device:chr_file rw_file_perms; + +# Fences +allow hal_graphics_composer system_server:fd use; +allow hal_graphics_composer bootanim:fd use; +allow hal_graphics_composer {appdomain ephemeral_app}:fd use; diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te index 4f9f8efaf..608afc5d6 100644 --- a/public/surfaceflinger.te +++ b/public/surfaceflinger.te @@ -7,6 +7,7 @@ typeattribute surfaceflinger mlstrustedsubject; # Perform HwBinder IPC. hwbinder_use(surfaceflinger) binder_call(surfaceflinger, hal_graphics_allocator) +binder_call(surfaceflinger, hal_graphics_composer) # Perform Binder IPC. binder_use(surfaceflinger)