# surfaceflinger - display compositor service typeattribute surfaceflinger coredomain; type surfaceflinger_exec, system_file_type, exec_type, file_type; init_daemon_domain(surfaceflinger) tmpfs_domain(surfaceflinger) typeattribute surfaceflinger mlstrustedsubject; typeattribute surfaceflinger display_service_server; read_runtime_log_tags(surfaceflinger) # Perform HwBinder IPC. hal_client_domain(surfaceflinger, hal_graphics_allocator) hal_client_domain(surfaceflinger, hal_graphics_composer) typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs; hal_client_domain(surfaceflinger, hal_codec2) hal_client_domain(surfaceflinger, hal_omx) hal_client_domain(surfaceflinger, hal_configstore) hal_client_domain(surfaceflinger, hal_power) allow surfaceflinger hidl_token_hwservice:hwservice_manager find; # Perform Binder IPC. binder_use(surfaceflinger) binder_call(surfaceflinger, binderservicedomain) binder_call(surfaceflinger, appdomain) binder_call(surfaceflinger, bootanim) binder_call(surfaceflinger, system_server); binder_service(surfaceflinger) # Binder IPC to bu, presently runs in adbd domain. binder_call(surfaceflinger, adbd) # Read /proc/pid files for Binder clients. r_dir_file(surfaceflinger, binderservicedomain) r_dir_file(surfaceflinger, appdomain) # Access the GPU. allow surfaceflinger gpu_device:chr_file rw_file_perms; allow surfaceflinger gpu_device:dir r_dir_perms; allow surfaceflinger sysfs_gpu:file r_file_perms; # Access /dev/graphics/fb0. allow surfaceflinger graphics_device:dir search; allow surfaceflinger graphics_device:chr_file rw_file_perms; # Access /dev/video1. allow surfaceflinger video_device:dir r_dir_perms; allow surfaceflinger video_device:chr_file rw_file_perms; # Create and use netlink kobject uevent sockets. allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; # Set properties. set_prop(surfaceflinger, system_prop) set_prop(surfaceflinger, bootanim_system_prop) set_prop(surfaceflinger, exported_system_prop) set_prop(surfaceflinger, exported3_system_prop) set_prop(surfaceflinger, ctl_bootanim_prop) set_prop(surfaceflinger, surfaceflinger_display_prop) # Get properties. get_prop(surfaceflinger, qemu_sf_lcd_density_prop) get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop) # Use open files supplied by an app. allow surfaceflinger appdomain:fd use; allow surfaceflinger { app_data_file privapp_data_file }:file { read write }; # Allow writing surface traces to /data/misc/wmtrace. userdebug_or_eng(` allow surfaceflinger wm_trace_data_file:dir rw_dir_perms; allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms }; ') # Allow userspace tracing via perfetto. perfetto_producer(surfaceflinger) # Allow to be profiled by performance tools. can_profile_heap(surfaceflinger) can_profile_perf(surfaceflinger) # Use socket supplied by adbd, for cmd gpu vkjson etc. allow surfaceflinger adbd:unix_stream_socket { read write getattr }; # Allow a dumpstate triggered screenshot binder_call(surfaceflinger, dumpstate) binder_call(surfaceflinger, shell) r_dir_file(surfaceflinger, dumpstate) # media.player service # do not use add_service() as hal_graphics_composer_default may be the # provider as well #add_service(surfaceflinger, surfaceflinger_service) allow surfaceflinger surfaceflinger_service:service_manager { add find }; allow surfaceflinger mediaserver_service:service_manager find; allow surfaceflinger permission_service:service_manager find; allow surfaceflinger power_service:service_manager find; allow surfaceflinger vr_manager_service:service_manager find; allow surfaceflinger window_service:service_manager find; allow surfaceflinger inputflinger_service:service_manager find; # allow self to set SCHED_FIFO allow surfaceflinger self:global_capability_class_set sys_nice; allow surfaceflinger proc_meminfo:file r_file_perms; r_dir_file(surfaceflinger, cgroup) r_dir_file(surfaceflinger, cgroup_v2) r_dir_file(surfaceflinger, system_file) allow surfaceflinger tmpfs:dir r_dir_perms; allow surfaceflinger system_server:fd use; allow surfaceflinger system_server:unix_stream_socket { read write }; allow surfaceflinger ion_device:chr_file r_file_perms; allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms; # pdx IPC pdx_server(surfaceflinger, display_client) pdx_server(surfaceflinger, display_manager) pdx_server(surfaceflinger, display_screenshot) pdx_server(surfaceflinger, display_vsync) pdx_client(surfaceflinger, bufferhub_client) pdx_client(surfaceflinger, performance_client) # Allow supplying timestats statistics to statsd allow surfaceflinger stats_service:service_manager find; allow surfaceflinger statsmanager_service:service_manager find; # TODO(146461633): remove this once native pullers talk to StatsManagerService binder_call(surfaceflinger, statsd); # Allow to use files supplied by hal_evs allow surfaceflinger hal_evs:fd use; # Allow pushing jank event atoms to statsd userdebug_or_eng(` unix_socket_send(surfaceflinger, statsdw, statsd) ') # Surfaceflinger should not be reading default vendor-defined properties. dontaudit surfaceflinger vendor_default_prop:file read; ### ### Neverallow rules ### ### surfaceflinger should NEVER do any of this # Do not allow accessing SDcard files as unsafe ejection could # cause the kernel to kill the process. neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms; # b/68864350 dontaudit surfaceflinger unlabeled:dir search;