Add screencap domain.

Only seeing this denial in permissive: allow shell screencap_exec:file getattr; Bug: 37565047 Test: adb shell screencap w/o root Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases Merged-In: I9f31d2067e002e7042646ee38dbfc06687481ac7 Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7

Add screencap domain.
9216a6ad · Steven Moreland · 530e168c · 9216a6ad · 9216a6ad · 9216a6ad
Commit 9216a6ad authored 7 years ago by Steven Moreland
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,14 +63,9 @@ get_prop(adbd, serialno_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
-# Perform binder IPC to surfaceflinger (screencap)
+# Use screencap
-# XXX Run screencap in a separate domain?
+domain_auto_trans(adbd, screencap_exec, screencap)
-binder_use(adbd)
+allow adbd screencap:process signal;
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
 # Needed for various screenshots
 hal_client_domain(adbd, hal_graphics_allocator)
@@ -137,5 +132,5 @@ allow adbd rootfs:dir r_dir_perms;
 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
 # transitions to the shell domain (except when it crashes). In particular, we
 # never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
--- a/private/app.te
+++ b/private/app.te
@@ -411,7 +411,9 @@ neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 # sigchld allowed for parent death notification.
 # signull allowed for kill(pid, 0) existence test.
 # All others prohibited.
-neverallow appdomain { domain -appdomain }:process
+neverallow { appdomain -shell } { domain -appdomain }:process
+    { sigkill sigstop signal };
+neverallow shell { domain -appdomain -screencap }:process
    { sigkill sigstop signal };
 # Transition to a non-app domain.

--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -23,3 +23,7 @@ binder_call(dumpstate, storaged)
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
+# Use screencap
+domain_auto_trans(dumpstate, screencap_exec, screencap)
+allow dumpstate screencap:process signal;
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -210,6 +210,7 @@
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
+/system/bin/screencap	u:object_r:screencap_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0

--- a/private/screencap.te
+++ b/private/screencap.te
+type screencap, domain;
+type screencap_exec, exec_type, file_type;
+typeattribute screencap coredomain;
+allow screencap gpu_device:chr_file rw_file_perms;
+allow screencap ion_device:chr_file rw_file_perms;
+allow screencap adbd:fifo_file write;
+allow screencap adbd:fd use;
+allow screencap adbd:unix_stream_socket { read write };
+allow screencap shell_data_file:file write;
+allow screencap shell:fd use;
+allow screencap shell:unix_stream_socket { read write };
+allow screencap dumpstate:fd use;
+allow screencap dumpstate:unix_stream_socket { read write };
+binder_use(screencap)
+binder_call(screencap, surfaceflinger)
+allow screencap surfaceflinger_service:service_manager find;
+allow screencap surfaceflinger:fd use;
+hwbinder_use(screencap)
+hal_client_domain(screencap, hal_graphics_allocator)
--- a/private/shell.te
+++ b/private/shell.te
@@ -27,3 +27,7 @@ binder_call(shell, storaged)
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
+# Use screencap
+domain_auto_trans(shell, screencap_exec, screencap)
+allow shell screencap:process signal;
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -22,6 +22,7 @@ binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, screencap)
 binder_service(surfaceflinger)
 # Binder IPC to bu, presently runs in adbd domain.

--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -141,9 +141,6 @@ allow dumpstate bluetooth_data_file:dir search;
 allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
 allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
 # logd access
 read_logd(dumpstate)
 control_logd(dumpstate)