From 8d5403c51794a98ed2717c6e72e3d1d4e6f548c4 Mon Sep 17 00:00:00 2001 From: Hridya Valsaraju Date: Mon, 15 Feb 2021 21:57:42 -0800 Subject: [PATCH] Add missing permission for accessing the DMA-BUF system heap This patch fixes the following denials: avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="BootAnimation" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:bootanim:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system" dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system" dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0 tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1 Bug: 178865267 Test: boot without these denials 
Signed-off-by: Hyesoo Yu
Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07
---
 private/surfaceflinger.te | 1 +
 public/bootanim.te | 4 ++++
 public/cameraserver.te | 1 +
 public/hal_camera.te | 2 ++
 public/hal_graphics_allocator.te | 1 +
 public/hal_graphics_composer.te | 1 +
 vendor/hal_sensors_default.te | 1 +
 7 files changed, 11 insertions(+)
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 640306fd6..a32f89c5f 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -109,6 +109,7 @@ allow surfaceflinger tmpfs:dir r_dir_perms;
 allow surfaceflinger system_server:fd use;
 allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
 
 # pdx IPC
 pdx_server(surfaceflinger, display_client)
diff --git a/public/bootanim.te b/public/bootanim.te
index acef6da81..88fe17365 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@ allow bootanim surfaceflinger:unix_stream_socket { read write };
 
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
 allow bootanim hal_graphics_allocator:fd use;
 
 # Fences
diff --git a/public/cameraserver.te b/public/cameraserver.te
index 365af7894..7a29240c3 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@ hal_client_domain(cameraserver, hal_camera)
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
 
 # Talk with graphics composer fences
 allow cameraserver hal_graphics_composer:fd use;
diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4a3..45fad56e7 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
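Review bot: The surfaceflinger denial quoted in the commit message is only `open`, but `r_file_perms` on the added line also grants ioctl, map and getattr on /dev/dma_heap/system, and no ioctl denial appears in the log. That is presumably what is wanted, since allocating from a dma-heap goes through an ioctl on the heap device, but the audit log alone does not show that path being exercised; if the boot test allocates through it, say so, and if the project filters ioctls on comparable devices consider whether an `allowxperm` allowlist should accompany the rule. A short comment next to the rule, `# DMA-BUF system heap: open + alloc ioctl, no write needed (cf. ion_device above)`, would also record why r_ rather than rw_ is sufficient here.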
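Review bot: The cameraserver rule may overlap with the `allow hal_camera dmabuf_system_heap_device` rule added in the same patch: `hal_client_domain(cameraserver, hal_camera)` in the hunk header makes cameraserver a hal_camera client, and if that macro also places the domain in the hal_camera attribute the access is granted twice. The duplicated ion_device rules in both files suggest the policy already does not rely on that, so this is harmless, but a one-line comment such as `# cameraserver allocates from the DMA-BUF system heap itself (binderized path)` would tell the next reader which rule is authoritative. Note the cameraserver denial includes `read` as well as `open`; r_file_perms covers both.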
@@ -9,6 +9,8 @@ allow hal_camera video_device:dir r_dir_perms;
 allow hal_camera video_device:chr_file rw_file_perms;
 allow hal_camera camera_device:chr_file rw_file_perms;
 allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 
diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147c7..3ec6b9618 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@ allow hal_graphics_allocator_client same_process_hal_file:file { execute read op
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
 
 # allow to run with real-time scheduling policy
 allow hal_graphics_allocator self:global_capability_class_set sys_nice;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a1307f..1c69c9993 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@ allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manag
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
 allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_graphics_composer hal_graphics_allocator:fd use;
 
 # Access /dev/graphics/fb0.
diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a54..875236434 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
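Review bot: The denial was raised by hal_camera_default, but the new hal_camera.te rule targets the hal_camera attribute, so every domain carrying it — client domains included — gains open/read/ioctl/map on the heap device. That mirrors the ion_device line directly above and is what an in-process (passthrough) HAL needs; if passthrough is not a concern on this branch, `allow hal_camera_server dmabuf_system_heap_device:chr_file r_file_perms;` is the tighter grant, with cameraserver already covered by its own rule in this patch. Either way a comment stating why the attribute rather than the server domain is used, like the `# Both the client and the server …` comment on the next line, would help a later least-privilege audit.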
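Review bot: None of the seven denials quoted in the commit message come from a hal_graphics_allocator domain, so the hal_graphics_allocator.te line is the one grant in this patch with no observed need behind it. If it is added pre-emptively because the allocator is expected to move from ion to dma-heap allocations, say so in a comment, e.g. `# Gralloc allocates from the DMA-BUF system heap (no denial observed; added alongside the ion_device rule)`, so the rule is not later mistaken for a fix to a logged denial; otherwise hold it until a denial is seen. As in the other hunks, r_file_perms includes ioctl, which is the permission the heap allocation path would actually exercise.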
@@ -13,6 +13,7 @@ allow hal_sensors_default input_device:chr_file r_file_perms;
 # android.hardware.graphics.allocator
 allow hal_sensors_default hal_graphics_allocator_default:fd use;
 allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
 
 # allow sensor hal to use lock for keeping system awake for wake up
 # events delivery.
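Review bot: The grant is placed on the vendor default-implementation domain hal_sensors_default rather than on a public hal_sensors attribute, so a vendor sensors HAL running in a different domain gets nothing from this patch and will hit the same denial. That matches where the ion_device rule above it lives, so it reads as a deliberate scoping choice, but it deserves a comment such as `# default sensors HAL allocates from the DMA-BUF system heap (same scope as the ion_device rule)`. It is also not obvious from the denial why a sensors HAL opens the system heap — presumably for shared event buffers handed out via the gralloc fd on the line above — and stating the reason in the comment would make a future least-privilege review easier.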