Skip to content
Snippets Groups Projects
Normal view Permalink
surfaceflinger.te 2.32 KiB
Newer Older
  • Learn to ignore specific revisions
    • Stephen Smalley's avatar
    SE Android policy.
    Stephen Smalley committed
    1 2 3 4 5 
    # surfaceflinger - display compositor service
type surfaceflinger, domain;
type surfaceflinger_exec, exec_type, file_type;

init_daemon_domain(surfaceflinger)
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    6 
    typeattribute surfaceflinger mlstrustedsubject;
    Stephen Smalley's avatar
    SE Android policy.
    Stephen Smalley committed
    7
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    8 9 
    # Perform Binder IPC.
binder_use(surfaceflinger)
    Stephen Smalley's avatar
    Address surfaceflinger denials.  
    Stephen Smalley committed
    10 11 
    binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
    Nick Kralevich's avatar
    Allow surfaceflinger to make binder call to bootanim  
    Nick Kralevich committed
    12 
    binder_call(surfaceflinger, bootanim)
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    13 14 
    binder_service(surfaceflinger)
    Stephen Smalley's avatar
    Address surfaceflinger denials.  
    Stephen Smalley committed
    15 16 17 18 19 20 21 
    # Binder IPC to bu, presently runs in adbd domain.
binder_call(surfaceflinger, adbd)

# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
r_dir_file(surfaceflinger, appdomain)
    Stephen Smalley's avatar
    Move gpu_device type and rules to core policy.  
    Stephen Smalley committed
    22 23 24 
    # Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    25 26 27 28 29 
    # Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file rw_file_perms;

# Access /dev/video1.
    Nick Kralevich's avatar
    fix mediaserver selinux denials.  
    Nick Kralevich committed
    30 
    allow surfaceflinger video_device:dir r_dir_perms;
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    31 32 33 
    allow surfaceflinger video_device:chr_file rw_file_perms;

# Create and use netlink kobject uevent sockets.
    Stephen Smalley's avatar
    Clean up socket rules.  
    Stephen Smalley committed
    34 
    allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    35 36 
    
# Set properties.
    William Roberts's avatar
    Replace unix_socket_connect() and explicit property sets with macro  
    William Roberts committed
    37 38 
    set_prop(surfaceflinger, system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
    Stephen Smalley's avatar
    Confine surfaceflinger, but leave it permissive for now.  
    Stephen Smalley committed
    39 40 41 42 
    
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger app_data_file:file { read write };
    Stephen Smalley's avatar
    Define a domain for the bootanim service.  
    Stephen Smalley committed
    43 44 45 
    
# Use open file provided by bootanim.
allow surfaceflinger bootanim:fd use;
    Nick Kralevich's avatar
    surfaceflinger: fix bugreport screenshot functionality  
    Nick Kralevich committed
    46 47 48 
    
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
    Stephen Smalley's avatar
    Fix denials triggered by adb shell screencap.  
    Stephen Smalley committed
    49 
    binder_call(surfaceflinger, shell)
    Stephen Smalley's avatar
    Allow surfaceflinger to read /proc/pid/cmdline of dumpstate.  
    Stephen Smalley committed
    50 
    r_dir_file(surfaceflinger, dumpstate)
    Nick Kralevich's avatar
    address denials when playing protected content.  
    Nick Kralevich committed
    51 52 53 54 55 
    
# Needed on some devices for playing DRM protected content,
# but seems expected and appropriate for all devices.
allow surfaceflinger tee:unix_stream_socket connectto;
allow surfaceflinger tee_device:chr_file rw_file_perms;
    Stephen Smalley's avatar
    Address surfaceflinger denials.  
    Stephen Smalley committed
    56
    dcashman's avatar
    Restrict service_manager find and list access.  
    dcashman committed
    57 58 59 
    
# media.player service
allow surfaceflinger mediaserver_service:service_manager find;
    dcashman's avatar
    Enforce more specific service access.  
    dcashman committed
    60 61 
    allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
    dcashman's avatar
    Restrict service_manager find and list access.  
    dcashman committed
    62 
    allow surfaceflinger surfaceflinger_service:service_manager { add find };
    dcashman's avatar
    Enforce more specific service access.  
    dcashman committed
    63 
    allow surfaceflinger window_service:service_manager find;
    dcashman's avatar
    Record surfaceflinger power_service access.  
    dcashman committed
    64
    Stephen Smalley's avatar
    Address surfaceflinger denials.  
    Stephen Smalley committed
    65 66 67 68 69 70 71 
    ###
### Neverallow rules
###
### surfaceflinger should NEVER do any of this

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
    Nick Kralevich's avatar
    surfaceflinger: remove unconfined domain reference.  
    Nick Kralevich committed
    72 
    neverallow surfaceflinger sdcard_type:file rw_file_perms;