From 63f4677342eb93dd2ac90187671a52282190533a Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Wed, 8 Nov 2017 15:42:34 -0800
Subject: [PATCH] Allow vendor apps to use surfaceflinger_service

Vendor apps may only use servicemanager provided services
marked as app_api_service. surfaceflinger_service should be
available to vendor apps, so add this attribute and clean up
duplicate grants.

Addresses:
avc:  denied  { find } scontext=u:r:qtelephony:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:ssr_detector:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
avc:  denied  { find } scontext=u:r:qcneservice:s0
tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager

Bug: 69064190
Test: build
Change-Id: I00fcf43b0a8bde232709aac1040a5d7f4792fa0f
---
 private/bluetooth.te         | 1 -
 private/ephemeral_app.te     | 1 -
 private/mediaprovider.te     | 1 -
 private/nfc.te               | 1 -
 private/platform_app.te      | 1 -
 private/priv_app.te          | 1 -
 private/untrusted_app_all.te | 1 -
 private/untrusted_v2_app.te  | 1 -
 public/domain.te             | 1 -
 public/radio.te              | 1 -
 public/service.te            | 2 +-
 11 files changed, 1 insertion(+), 11 deletions(-)

diff --git a/private/bluetooth.te b/private/bluetooth.te
index 451d27af0..41867ae45 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -47,7 +47,6 @@ allow bluetooth bluetooth_service:service_manager find;
 allow bluetooth drmserver_service:service_manager find;
 allow bluetooth mediaserver_service:service_manager find;
 allow bluetooth radio_service:service_manager find;
-allow bluetooth surfaceflinger_service:service_manager find;
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 169373636..eeb022bf9 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -28,7 +28,6 @@ allow ephemeral_app mediacodec_service:service_manager find;
 allow ephemeral_app mediametrics_service:service_manager find;
 allow ephemeral_app mediadrmserver_service:service_manager find;
 allow ephemeral_app drmserver_service:service_manager find;
-allow ephemeral_app surfaceflinger_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
 
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 63f56c876..5a5e701bf 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -19,7 +19,6 @@ allow mediaprovider app_api_service:service_manager find;
 allow mediaprovider audioserver_service:service_manager find;
 allow mediaprovider drmserver_service:service_manager find;
 allow mediaprovider mediaserver_service:service_manager find;
-allow mediaprovider surfaceflinger_service:service_manager find;
 
 # Allow MediaProvider to read/write cached ringtones (opened by system).
 allow mediaprovider ringtone_file:file { getattr read write };
diff --git a/private/nfc.te b/private/nfc.te
index b41558c86..56446f4f7 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -21,7 +21,6 @@ allow nfc mediaextractor_service:service_manager find;
 allow nfc mediaserver_service:service_manager find;
 
 allow nfc radio_service:service_manager find;
-allow nfc surfaceflinger_service:service_manager find;
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 allow nfc vr_manager_service:service_manager find;
diff --git a/private/platform_app.te b/private/platform_app.te
index 884c4364b..ee0590cad 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -53,7 +53,6 @@ allow platform_app mediacodec_service:service_manager find;
 allow platform_app mediadrmserver_service:service_manager find;
 allow platform_app persistent_data_block_service:service_manager find;
 allow platform_app radio_service:service_manager find;
-allow platform_app surfaceflinger_service:service_manager find;
 allow platform_app thermal_service:service_manager find;
 allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
diff --git a/private/priv_app.te b/private/priv_app.te
index f4cfc1736..fce2c9019 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -32,7 +32,6 @@ allow priv_app mediaserver_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app oem_lock_service:service_manager find;
 allow priv_app radio_service:service_manager find;
-allow priv_app surfaceflinger_service:service_manager find;
 allow priv_app app_api_service:service_manager find;
 allow priv_app system_api_service:service_manager find;
 allow priv_app persistent_data_block_service:service_manager find;
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index cce589ea2..f96cae0e1 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -75,7 +75,6 @@ allow untrusted_app_all mediametrics_service:service_manager find;
 allow untrusted_app_all mediadrmserver_service:service_manager find;
 allow untrusted_app_all nfc_service:service_manager find;
 allow untrusted_app_all radio_service:service_manager find;
-allow untrusted_app_all surfaceflinger_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
 
diff --git a/private/untrusted_v2_app.te b/private/untrusted_v2_app.te
index 7ed388188..60634aefb 100644
--- a/private/untrusted_v2_app.te
+++ b/private/untrusted_v2_app.te
@@ -34,7 +34,6 @@ allow untrusted_v2_app mediametrics_service:service_manager find;
 allow untrusted_v2_app mediadrmserver_service:service_manager find;
 allow untrusted_v2_app nfc_service:service_manager find;
 allow untrusted_v2_app radio_service:service_manager find;
-allow untrusted_v2_app surfaceflinger_service:service_manager find;
 # TODO: potentially provide a tighter list of services here
 allow untrusted_v2_app app_api_service:service_manager find;
 
diff --git a/public/domain.te b/public/domain.te
index 51f4081f6..d283006e3 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -551,7 +551,6 @@ full_treble_only(`
     -mediaserver_service
     -nfc_service
     -radio_service
-    -surfaceflinger_service
     -virtual_touchpad_service
     -vr_hwc_service
     -vr_manager_service
diff --git a/public/radio.te b/public/radio.te
index 6f29a705d..094d39ba6 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -30,7 +30,6 @@ allow radio cameraserver_service:service_manager find;
 allow radio drmserver_service:service_manager find;
 allow radio mediaserver_service:service_manager find;
 allow radio nfc_service:service_manager find;
-allow radio surfaceflinger_service:service_manager find;
 allow radio app_api_service:service_manager find;
 allow radio system_api_service:service_manager find;
 
diff --git a/public/service.te b/public/service.te
index 3b9d60b67..bc1244a78 100644
--- a/public/service.te
+++ b/public/service.te
@@ -23,7 +23,7 @@ type nfc_service,               service_manager_type;
 type radio_service,             service_manager_type;
 type statscompanion_service,    service_manager_type;
 type storaged_service,          service_manager_type;
-type surfaceflinger_service,    service_manager_type;
+type surfaceflinger_service,    app_api_service, ephemeral_app_api_service, service_manager_type;
 type system_app_service,        service_manager_type;
 type thermal_service,           service_manager_type;
 type update_engine_service,     service_manager_type;
-- 
GitLab