Allow inputflinger to call system_server.

Resolves denials such as:
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { open } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { search } for  pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { call } for  pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley 2014-03-21 10:40:56 -04:00
parent 01ba6834c1
commit e06e536388
2 changed files with 3 additions and 0 deletions


@ -6,3 +6,5 @@ type inputflinger_exec, exec_type, file_type;
init_daemon_domain(inputflinger)
binder_use(inputflinger)
binder_service(inputflinger)
binder_call(inputflinger, system_server)
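Review bot: The added `binder_call(inputflinger, system_server)` has no comment saying which system_server interface inputflinger needs, and the only evidence in the commit message is a single `{ call }` denial from a `Binder_2` thread. Assuming the usual AOSP definition of the macro (not shown on this page), it also grants `transfer` and `fd use` from the target, so the rule is wider than the denial. That is the normal idiom, but it is worth confirming the extra permissions are intended. I would add a line above it such as `# inputflinger calls back into system_server over binder.` so the grant can be audited later.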


@ -132,6 +132,7 @@ binder_service(system_server)
r_dir_file(system_server, mediaserver)
r_dir_file(system_server, sdcardd)
r_dir_file(system_server, surfaceflinger)
r_dir_file(system_server, inputflinger)
# Use sockets received over binder from various services.
allow system_server mediaserver:tcp_socket rw_socket_perms;
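Review bot: `r_dir_file(system_server, inputflinger)` lets system_server read every dir, file and symlink labeled `inputflinger`, while the denials quoted in the commit message show ActivityManager only searching `/proc/<pid>` and reading `stat`. This assumes the usual AOSP definition of the macro, which is not visible here. The line matches the neighbouring mediaserver, sdcardd and surfaceflinger entries, so keeping the macro for consistency is reasonable. Each new binder client needs its own entry, so the list would benefit from a comment such as `# Read /proc/pid entries of binder clients (ActivityManager process stats).` if none exists above the hunk, which starts mid-list.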