Revert "Add screencap domain."
This reverts commit 9216a6adc9.
Bug: 65206688
Merged-In: I8e61b77a1abe9543e4fba77defb8062407676fcf
Change-Id: I8e61b77a1abe9543e4fba77defb8062407676fcf
This commit is contained in:
Steven Moreland
parent
cdaf97bfbf
commit
5b2ebd3b25
8 changed files with 13 additions and 43 deletions
|
|
@ -65,9 +65,14 @@ get_prop(adbd, serialno_prop)
|
||||||
# Run /system/bin/bu
|
# Run /system/bin/bu
|
||||||
allow adbd system_file:file rx_file_perms;
|
allow adbd system_file:file rx_file_perms;
|
||||||
|
|
||||||
# Use screencap
|
# Perform binder IPC to surfaceflinger (screencap)
|
||||||
domain_auto_trans(adbd, screencap_exec, screencap)
|
# XXX Run screencap in a separate domain?
|
||||||
allow adbd screencap:process signal;
|
binder_use(adbd)
|
||||||
|
binder_call(adbd, surfaceflinger)
|
||||||
|
# b/13188914
|
||||||
|
allow adbd gpu_device:chr_file rw_file_perms;
|
||||||
|
allow adbd ion_device:chr_file rw_file_perms;
|
||||||
|
r_dir_file(adbd, system_file)
|
||||||
|
|
||||||
# Needed for various screenshots
|
# Needed for various screenshots
|
||||||
hal_client_domain(adbd, hal_graphics_allocator)
|
hal_client_domain(adbd, hal_graphics_allocator)
|
||||||
|
|
@ -134,5 +139,5 @@ allow adbd rootfs:dir r_dir_perms;
|
||||||
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
|
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
|
||||||
# transitions to the shell domain (except when it crashes). In particular, we
|
# transitions to the shell domain (except when it crashes). In particular, we
|
||||||
# never want to see a transition from adbd to su (aka "adb root")
|
# never want to see a transition from adbd to su (aka "adb root")
|
||||||
neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
|
neverallow adbd { domain -crash_dump -shell }:process transition;
|
||||||
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
|
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
|
||||||
|
|
|
||||||
|
|
@ -411,9 +411,7 @@ neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
|
||||||
# sigchld allowed for parent death notification.
|
# sigchld allowed for parent death notification.
|
||||||
# signull allowed for kill(pid, 0) existence test.
|
# signull allowed for kill(pid, 0) existence test.
|
||||||
# All others prohibited.
|
# All others prohibited.
|
||||||
neverallow { appdomain -shell } { domain -appdomain }:process
|
neverallow appdomain { domain -appdomain }:process
|
||||||
{ sigkill sigstop signal };
|
|
||||||
neverallow shell { domain -appdomain -screencap }:process
|
|
||||||
{ sigkill sigstop signal };
|
{ sigkill sigstop signal };
|
||||||
|
|
||||||
# Transition to a non-app domain.
|
# Transition to a non-app domain.
|
||||||
|
|
|
||||||
|
|
@ -23,7 +23,3 @@ binder_call(dumpstate, storaged)
|
||||||
|
|
||||||
# Collect metrics on boot time created by init
|
# Collect metrics on boot time created by init
|
||||||
get_prop(dumpstate, boottime_prop)
|
get_prop(dumpstate, boottime_prop)
|
||||||
|
|
||||||
# Use screencap
|
|
||||||
domain_auto_trans(dumpstate, screencap_exec, screencap)
|
|
||||||
allow dumpstate screencap:process signal;
|
|
||||||
|
|
|
||||||
|
|
@ -210,7 +210,6 @@
|
||||||
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
|
/system/bin/mediametrics u:object_r:mediametrics_exec:s0
|
||||||
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
|
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
|
||||||
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
|
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
|
||||||
/system/bin/screencap u:object_r:screencap_exec:s0
|
|
||||||
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
|
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
|
||||||
/system/bin/installd u:object_r:installd_exec:s0
|
/system/bin/installd u:object_r:installd_exec:s0
|
||||||
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
|
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
|
||||||
|
|
|
||||||
|
|
@ -1,26 +0,0 @@
|
||||||
type screencap, domain;
|
|
||||||
type screencap_exec, exec_type, file_type;
|
|
||||||
|
|
||||||
typeattribute screencap coredomain;
|
|
||||||
|
|
||||||
allow screencap gpu_device:chr_file rw_file_perms;
|
|
||||||
allow screencap ion_device:chr_file rw_file_perms;
|
|
||||||
|
|
||||||
allow screencap adbd:fifo_file write;
|
|
||||||
allow screencap adbd:fd use;
|
|
||||||
allow screencap adbd:unix_stream_socket { read write };
|
|
||||||
|
|
||||||
allow screencap shell_data_file:file write;
|
|
||||||
allow screencap shell:fd use;
|
|
||||||
allow screencap shell:unix_stream_socket { read write };
|
|
||||||
|
|
||||||
allow screencap dumpstate:fd use;
|
|
||||||
allow screencap dumpstate:unix_stream_socket { read write };
|
|
||||||
|
|
||||||
binder_use(screencap)
|
|
||||||
binder_call(screencap, surfaceflinger)
|
|
||||||
allow screencap surfaceflinger_service:service_manager find;
|
|
||||||
allow screencap surfaceflinger:fd use;
|
|
||||||
|
|
||||||
hwbinder_use(screencap)
|
|
||||||
hal_client_domain(screencap, hal_graphics_allocator)
|
|
||||||
|
|
@ -27,7 +27,3 @@ binder_call(shell, storaged)
|
||||||
# Perform SELinux access checks, needed for CTS
|
# Perform SELinux access checks, needed for CTS
|
||||||
selinux_check_access(shell)
|
selinux_check_access(shell)
|
||||||
selinux_check_context(shell)
|
selinux_check_context(shell)
|
||||||
|
|
||||||
# Use screencap
|
|
||||||
domain_auto_trans(shell, screencap_exec, screencap)
|
|
||||||
allow shell screencap:process signal;
|
|
||||||
|
|
|
||||||
|
|
@ -22,7 +22,6 @@ binder_use(surfaceflinger)
|
||||||
binder_call(surfaceflinger, binderservicedomain)
|
binder_call(surfaceflinger, binderservicedomain)
|
||||||
binder_call(surfaceflinger, appdomain)
|
binder_call(surfaceflinger, appdomain)
|
||||||
binder_call(surfaceflinger, bootanim)
|
binder_call(surfaceflinger, bootanim)
|
||||||
binder_call(surfaceflinger, screencap)
|
|
||||||
binder_service(surfaceflinger)
|
binder_service(surfaceflinger)
|
||||||
|
|
||||||
# Binder IPC to bu, presently runs in adbd domain.
|
# Binder IPC to bu, presently runs in adbd domain.
|
||||||
|
|
|
||||||
|
|
@ -141,6 +141,9 @@ allow dumpstate bluetooth_data_file:dir search;
|
||||||
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
|
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
|
||||||
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
|
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
|
||||||
|
|
||||||
|
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
|
||||||
|
allow dumpstate gpu_device:chr_file rw_file_perms;
|
||||||
|
|
||||||
# logd access
|
# logd access
|
||||||
read_logd(dumpstate)
|
read_logd(dumpstate)
|
||||||
control_logd(dumpstate)
|
control_logd(dumpstate)
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue