From acde43f23fbe9b2d180034c6a99b8711a6af7f21 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 11 Dec 2013 15:17:53 -0500
Subject: [PATCH] Define a domain for the bootanim service.

Leave the domain permissive initially until it gets more testing.

Change-Id: I9d88d76d1ffdc79a2eff4545d37a9e615482df50
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 bootanim.te       | 11 +++++++++++
 file_contexts     |  1 +
 surfaceflinger.te |  4 +++-
 3 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 bootanim.te

diff --git a/bootanim.te b/bootanim.te
new file mode 100644
index 000000000..c716b1174
--- /dev/null
+++ b/bootanim.te
@@ -0,0 +1,11 @@
+# bootanimation oneshot service
+type bootanim, domain;
+permissive bootanim;
+type bootanim_exec, exec_type, file_type;
+
+init_daemon_domain(bootanim)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
diff --git a/file_contexts b/file_contexts
index 5c2554526..ebb32488f 100644
--- a/file_contexts
+++ b/file_contexts
@@ -116,6 +116,7 @@
 /system(/.*)?		u:object_r:system_file:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
 /system/bin/app_process	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 4f2838220..c9dbda9ae 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,7 +13,6 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system_server)
 binder_service(surfaceflinger)
-allow surfaceflinger init:binder transfer;
 
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -36,3 +35,6 @@ allow surfaceflinger ctl_default_prop:property_service set;
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger platform_app_data_file:file { read write };
 allow surfaceflinger app_data_file:file { read write };
+
+# Use open file provided by bootanim.
+allow surfaceflinger bootanim:fd use;
-- 
GitLab