Address screenrecord denials.

Steps to reproduce across devices. adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4 * Allow surfaceflinger to talk to mediaserver avc: denied { call } for pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder * Give mediaserver access to gpu_device avc: denied { read write } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file avc: denied { open } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file avc: denied { ioctl } for pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
2014-02-04 16:24:08 -05:00 · 2014-02-04 16:24:08 -05:00 · e21871c8b7
commit e21871c8b7
parent 629c98c211
2 changed files with 2 additions and 1 deletions
--- a/mediaserver.te
+++ b/mediaserver.te
@ -24,7 +24,7 @@ allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
-allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@ -13,6 +13,7 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system_server)
 binder_call(surfaceflinger, nfc)
+binder_call(surfaceflinger, mediaserver)
 binder_service(surfaceflinger)

 # Access the GPU.