cc39f63773
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
79 lines
2.7 KiB
Text
79 lines
2.7 KiB
Text
# surfaceflinger - display compositor service
|
|
type surfaceflinger, domain, domain_deprecated;
|
|
type surfaceflinger_exec, exec_type, file_type;
|
|
|
|
typeattribute surfaceflinger mlstrustedsubject;
|
|
|
|
# Perform Binder IPC.
|
|
binder_use(surfaceflinger)
|
|
binder_call(surfaceflinger, binderservicedomain)
|
|
binder_call(surfaceflinger, { appdomain autoplay_app })
|
|
binder_call(surfaceflinger, bootanim)
|
|
binder_service(surfaceflinger)
|
|
|
|
# Binder IPC to bu, presently runs in adbd domain.
|
|
binder_call(surfaceflinger, adbd)
|
|
|
|
# Read /proc/pid files for Binder clients.
|
|
r_dir_file(surfaceflinger, binderservicedomain)
|
|
r_dir_file(surfaceflinger, { appdomain autoplay_app })
|
|
|
|
# Access the GPU.
|
|
allow surfaceflinger gpu_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/graphics/fb0.
|
|
allow surfaceflinger graphics_device:dir search;
|
|
allow surfaceflinger graphics_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/video1.
|
|
allow surfaceflinger video_device:dir r_dir_perms;
|
|
allow surfaceflinger video_device:chr_file rw_file_perms;
|
|
|
|
# Create and use netlink kobject uevent sockets.
|
|
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
|
|
# Set properties.
|
|
set_prop(surfaceflinger, system_prop)
|
|
set_prop(surfaceflinger, ctl_bootanim_prop)
|
|
|
|
# Use open files supplied by an app.
|
|
allow surfaceflinger { appdomain autoplay_app }:fd use;
|
|
allow surfaceflinger app_data_file:file { read write };
|
|
|
|
# Allow a dumpstate triggered screenshot
|
|
binder_call(surfaceflinger, dumpstate)
|
|
binder_call(surfaceflinger, shell)
|
|
r_dir_file(surfaceflinger, dumpstate)
|
|
|
|
# Needed on some devices for playing DRM protected content,
|
|
# but seems expected and appropriate for all devices.
|
|
allow surfaceflinger tee:unix_stream_socket connectto;
|
|
allow surfaceflinger tee_device:chr_file rw_file_perms;
|
|
|
|
|
|
# media.player service
|
|
allow surfaceflinger mediaserver_service:service_manager find;
|
|
allow surfaceflinger permission_service:service_manager find;
|
|
allow surfaceflinger power_service:service_manager find;
|
|
allow surfaceflinger gpu_service:service_manager { add find };
|
|
allow surfaceflinger surfaceflinger_service:service_manager { add find };
|
|
allow surfaceflinger window_service:service_manager find;
|
|
|
|
# allow self to set SCHED_FIFO
|
|
allow surfaceflinger self:capability sys_nice;
|
|
allow surfaceflinger proc_meminfo:file r_file_perms;
|
|
r_dir_file(surfaceflinger, cgroup)
|
|
r_dir_file(surfaceflinger, sysfs_type)
|
|
r_dir_file(surfaceflinger, system_file)
|
|
allow surfaceflinger tmpfs:dir r_dir_perms;
|
|
allow surfaceflinger system_server:fd use;
|
|
allow surfaceflinger ion_device:chr_file r_file_perms;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### surfaceflinger should NEVER do any of this
|
|
|
|
# Do not allow accessing SDcard files as unsafe ejection could
|
|
# cause the kernel to kill the process.
|
|
neverallow surfaceflinger sdcard_type:file rw_file_perms;
|