tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add missing permission for accessing the DMA-BUF system heap

Browse source 
This patch fixes the following denials:

avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="BootAnimation"
path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:bootanim:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs"
ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1

Bug: 178865267
Test: boot without these denials
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07
This commit is contained in:
Hridya Valsaraju 2021-02-15 21:57:42 -08:00
parent 4357d55deb
commit 8d5403c517
7 changed files with 11 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
private/surfaceflinger.te
View file

@ -109,6 +109,7 @@ allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use; allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write }; allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms; allow surfaceflinger ion_device:chr_file r_file_perms;
allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC # pdx IPC
pdx_server(surfaceflinger, display_client) pdx_server(surfaceflinger, display_client)

4
public/bootanim.te
View file

@ -27,6 +27,10 @@ allow bootanim surfaceflinger:unix_stream_socket { read write };
# Allow access to ion memory allocation device # Allow access to ion memory allocation device
allow bootanim ion_device:chr_file rw_file_perms; allow bootanim ion_device:chr_file rw_file_perms;
# Allow access to DMA-BUF system heap
allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
allow bootanim hal_graphics_allocator:fd use; allow bootanim hal_graphics_allocator:fd use;
# Fences # Fences

1
public/cameraserver.te
View file

@ -13,6 +13,7 @@ hal_client_domain(cameraserver, hal_camera)
hal_client_domain(cameraserver, hal_graphics_allocator) hal_client_domain(cameraserver, hal_graphics_allocator)
allow cameraserver ion_device:chr_file rw_file_perms; allow cameraserver ion_device:chr_file rw_file_perms;
allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
# Talk with graphics composer fences # Talk with graphics composer fences
allow cameraserver hal_graphics_composer:fd use; allow cameraserver hal_graphics_composer:fd use;

2
public/hal_camera.te
View file

@ -9,6 +9,8 @@ allow hal_camera video_device:dir r_dir_perms;
allow hal_camera video_device:chr_file rw_file_perms; allow hal_camera video_device:chr_file rw_file_perms;
allow hal_camera camera_device:chr_file rw_file_perms; allow hal_camera camera_device:chr_file rw_file_perms;
allow hal_camera ion_device:chr_file rw_file_perms; allow hal_camera ion_device:chr_file rw_file_perms;
allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
# Both the client and the server need to use the graphics allocator # Both the client and the server need to use the graphics allocator
allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use; allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;

1
public/hal_graphics_allocator.te
View file

@ -8,6 +8,7 @@ allow hal_graphics_allocator_client same_process_hal_file:file { execute read op
# GPU device access # GPU device access
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms; allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
allow hal_graphics_allocator ion_device:chr_file r_file_perms; allow hal_graphics_allocator ion_device:chr_file r_file_perms;
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# allow to run with real-time scheduling policy # allow to run with real-time scheduling policy
allow hal_graphics_allocator self:global_capability_class_set sys_nice; allow hal_graphics_allocator self:global_capability_class_set sys_nice;

1
public/hal_graphics_composer.te
View file

@ -16,6 +16,7 @@ allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manag
# GPU device access # GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms; allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms; allow hal_graphics_composer ion_device:chr_file r_file_perms;
allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use; allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0. # Access /dev/graphics/fb0.

1
vendor/hal_sensors_default.te vendored
View file

@ -13,6 +13,7 @@ allow hal_sensors_default input_device:chr_file r_file_perms;
# android.hardware.graphics.allocator # android.hardware.graphics.allocator
allow hal_sensors_default hal_graphics_allocator_default:fd use; allow hal_sensors_default hal_graphics_allocator_default:fd use;
allow hal_sensors_default ion_device:chr_file r_file_perms; allow hal_sensors_default ion_device:chr_file r_file_perms;
allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
# allow sensor hal to use lock for keeping system awake for wake up # allow sensor hal to use lock for keeping system awake for wake up
# events delivery. # events delivery.