From 1fc0755033ba0703bb5cc8196f0df8a2c1a11ec0 Mon Sep 17 00:00:00 2001
From: Daniel Nicoara <dnicoara@google.com>
Date: Thu, 20 Apr 2017 17:34:52 -0400
Subject: [PATCH] Allow vr_hwc and virtual_touchpad to query for permissions

Allow the services to do binder calls to system_server in order to check
for app permissions.

Bug: 37542947
Test: Compiled and ran on device ensuring no permission errors
Change-Id: If91895607eb118f689cf2e11c63945e9f83bf2a0
---
 public/virtual_touchpad.te | 7 +++++++
 public/vr_hwc.te           | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te
index 8a28cf0d2..c2800e3ef 100644
--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -5,5 +5,12 @@ binder_use(virtual_touchpad)
 binder_service(virtual_touchpad)
 add_service(virtual_touchpad, virtual_touchpad_service)
 
+# Needed to check app permissions.
+binder_call(virtual_touchpad, system_server)
+
 # Requires access to /dev/uinput to create and feed the virtual device.
 allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow virtual_touchpad permission_service:service_manager find;
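Review bot: The two added rules in this hunk make up one grant, but they are separated by the unrelated uhid_device rule and neither comment says that they depend on each other. `binder_call(virtual_touchpad, system_server)` makes the whole system_server domain a binder target, so the `permission_service:service_manager find` rule is what keeps this domain limited to the permission service. I would place the two lines together under one comment such as `# Look up permission_service and call system_server (which hosts it, per the commit message) to validate client VR permissions; keep service_manager find limited to permission_service.` The same pair is spread across both hunks of public/vr_hwc.te and would benefit from the same grouping.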
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index 7488cc04f..c0abdcd14 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -8,6 +8,8 @@ binder_use(vr_hwc)
 binder_service(vr_hwc)
 
 binder_call(vr_hwc, surfaceflinger)
+# Needed to check for app permissions.
+binder_call(vr_hwc, system_server)
 # TODO(dnicoara): Remove once vr_wm is disabled.
 binder_call(vr_hwc, vr_wm)
 
@@ -25,3 +27,7 @@ allow vr_hwc ion_device:chr_file r_file_perms;
 # Allow connection to VR DisplayClient to get the primary display metadata
 # (ie: size).
 use_pdx(vr_hwc, surfaceflinger)
+
+# Requires access to the permission service to validate that clients have the
+# appropriate VR permissions.
+allow vr_hwc permission_service:service_manager find;
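Review bot: These allow rules are added under public/, which in the platform policy layout is the part exported to vendor policy, so the new system_server access becomes part of that exported surface instead of staying platform-internal. If nothing outside the platform policy needs to reference them, the private counterpart of this file looks like the narrower home for both `binder_call(vr_hwc, system_server)` from the previous hunk and `allow vr_hwc permission_service:service_manager find;`. The same applies to the additions in public/virtual_touchpad.te. The patch does not show whether a private file exists for these domains, so this needs checking against the tree.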
-- 
GitLab