From 6b780b358fd4dbedd6c57770f2197cab0c00f42e Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Tue, 1 Aug 2017 13:27:32 -0700
Subject: [PATCH] Add screencap domain.

Only seeing this denial in permissive:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
---
 private/adbd.te | 13 ++++---------
 private/app.te | 4 +++-
 private/dumpstate.te | 4 ++++
 private/file_contexts | 1 +
 private/screencap.te | 26 ++++++++++++++++++++++++++
 private/shell.te | 4 ++++
 private/surfaceflinger.te | 1 +
 public/dumpstate.te | 3 ---
 8 files changed, 43 insertions(+), 13 deletions(-)
 create mode 100644 private/screencap.te

diff --git a/private/adbd.te b/private/adbd.te
index 73302acd1..6ee2e1eb1 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,14 +63,9 @@ get_prop(adbd, serialno_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
+# Use screencap
+domain_auto_trans(adbd, screencap_exec, screencap)
+allow adbd screencap:process signal;
 
 # Needed for various screenshots
 hal_client_domain(adbd, hal_graphics_allocator)
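Review bot: The unchanged `hal_client_domain(adbd, hal_graphics_allocator)` under "# Needed for various screenshots" now looks like a leftover of the in-adbd screencap path that this hunk moves out, since screencap.te grants the same HAL access to the new domain; if nothing else in adbd talks to the graphics allocator HAL, dropping it here keeps adbd's reachable surface minimal (confirm against a denial log before removing). The removal of `r_dir_file(adbd, system_file)` is also not explained by the message; it presumably relies on a broader rule elsewhere giving adbd read access to system_file dirs, which is worth stating. Finally, the new comment `# Use screencap` does not say why `signal` is granted; the same three-line block appears in dumpstate.te and shell.te, so a shared wording such as `# Run screencap in its own domain; signal is needed to stop it when the caller is torn down` (or a macro) would document the intent once.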
@@ -129,5 +124,5 @@ allow adbd rootfs:dir r_dir_perms;
 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
 # transitions to the shell domain (except when it crashes). In particular, we
 # never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/private/app.te b/private/app.te
index b3bb5165a..fe50dd44d 100644
--- a/private/app.te
+++ b/private/app.te
@@ -376,7 +376,9 @@ neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 # sigchld allowed for parent death notification.
 # signull allowed for kill(pid, 0) existence test.
 # All others prohibited.
-neverallow appdomain { domain -appdomain }:process
+neverallow { appdomain -shell } { domain -appdomain }:process
+ { sigkill sigstop signal };
+neverallow shell { domain -appdomain -screencap }:process
 { sigkill sigstop signal };
 
 # Transition to a non-app domain.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f81526c..8f003aab2 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -23,3 +23,7 @@ binder_call(dumpstate, storaged)
 
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
+
+# Use screencap
+domain_auto_trans(dumpstate, screencap_exec, screencap)
+allow dumpstate screencap:process signal;
diff --git a/private/file_contexts b/private/file_contexts
index dcb09c1c3..df5c53feb 100644
--- a/private/file_contexts
+++ b/private/file_contexts
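Review bot: The comment directly above the changed neverallow is now stale: it still says adbd "only ever transitions to the shell domain (except when it crashes)", while the new exemption list adds screencap. Update the two context lines to match, e.g. `# No transitions from adbd to non-shell, non-crash_dump, non-screencap domains. adbd` / `# only ever transitions to the shell or screencap domain (except when it crashes).`, so the rule and its rationale do not drift apart.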
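Review bot: The new `neverallow shell { domain -appdomain -screencap }:process` exempts screencap from all three of `{ sigkill sigstop signal }`, but shell.te in this same patch only grants `allow shell screencap:process signal;`, so the carve-out is wider than the access actually needed. Unless a rule outside this diff needs the other two, keeping them forbidden with `neverallow shell screencap:process { sigkill sigstop };` would preserve the documented "All others prohibited" intent for the shell case. The comment block above ("sigchld allowed ... All others prohibited") could also note the shell-to-screencap exception, since it now reads as if it covers shell unconditionally.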
@@ -215,6 +215,7 @@
 /system/bin/cameraserver u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
 /system/bin/mediacodec u:object_r:mediacodec_exec:s0
+/system/bin/screencap u:object_r:screencap_exec:s0
 /system/bin/mdnsd u:object_r:mdnsd_exec:s0
 /system/bin/installd u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/screencap.te b/private/screencap.te
new file mode 100644
index 000000000..579373aa6
--- /dev/null
+++ b/private/screencap.te
@@ -0,0 +1,26 @@
+type screencap, domain;
+type screencap_exec, exec_type, file_type;
+
+typeattribute screencap coredomain;
+
+allow screencap gpu_device:chr_file rw_file_perms;
+allow screencap ion_device:chr_file rw_file_perms;
+
+allow screencap adbd:fifo_file write;
+allow screencap adbd:fd use;
+allow screencap adbd:unix_stream_socket { read write };
+
+allow screencap shell_data_file:file write;
+allow screencap shell:fd use;
+allow screencap shell:unix_stream_socket { read write };
+
+allow screencap dumpstate:fd use;
+allow screencap dumpstate:unix_stream_socket { read write };
+
+binder_use(screencap)
+binder_call(screencap, surfaceflinger)
+allow screencap surfaceflinger_service:service_manager find;
+allow screencap surfaceflinger:fd use;
+
+hwbinder_use(screencap)
+hal_client_domain(screencap, hal_graphics_allocator)
diff --git a/private/shell.te b/private/shell.te
index fa196fa0c..ca578041d 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -20,3 +20,7 @@ binder_call(shell, storaged)
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
+
+# Use screencap
+domain_auto_trans(shell, screencap_exec, screencap)
+allow shell screencap:process signal;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f1ad667b8..ca36aa316 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
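Review bot: `allow screencap shell_data_file:file write;` together with the `fd use` and `unix_stream_socket` rules only covers output written to a descriptor inherited from shell, adbd or dumpstate; if screencap is ever expected to open an output path itself, it would additionally need `open`/`create` on the file and `search`/`write`/`add_name` on the directory, none of which this file grants. The Test line (`adb shell screencap w/o root`) suggests only the inherited-fd case was exercised, so the intended contract should be stated at the top of the new file, e.g. `# screencap writes its image to an fd inherited from the caller; it is not granted permission to open output paths itself.` A one-line header naming the callers (adbd, shell, dumpstate) and that the domain exists to keep gpu/ion and surfaceflinger binder access out of those callers would also help, since the new file has no comments at all.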
@@ -22,6 +22,7 @@ binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, screencap)
 binder_service(surfaceflinger)
 
 # Binder IPC to bu, presently runs in adbd domain.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ec1f32680..028f8cb7a 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -140,9 +140,6 @@ allow dumpstate bluetooth_data_file:dir search;
 allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
 allow dumpstate bluetooth_logs_data_file:file r_file_perms;
 
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
 # logd access
 read_logd(dumpstate)
 control_logd(dumpstate)
-- 
GitLab