Define a domain for the bootanim service.

Leave the domain permissive initially until it gets more testing. Change-Id: I9d88d76d1ffdc79a2eff4545d37a9e615482df50 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Define a domain for the bootanim service.
acde43f2 · Stephen Smalley · 3ba90125 · acde43f2 · acde43f2 · acde43f2
Commit acde43f2 authored 11 years ago by Stephen Smalley
--- a/bootanim.te
+++ b/bootanim.te
+# bootanimation oneshot service
+type bootanim, domain;
+permissive bootanim;
+type bootanim_exec, exec_type, file_type;
+
+init_daemon_domain(bootanim)
+
+binder_use(bootanim)
+binder_call(bootanim, surfaceflinger)
+
+allow bootanim gpu_device:chr_file rw_file_perms;
--- a/file_contexts
+++ b/file_contexts
@@ -116,6 +116,7 @@
 /system(/.*)?		u:object_r:system_file:s0
 /system/bin/sh		--	u:object_r:shell_exec:s0
 /system/bin/run-as	--	u:object_r:runas_exec:s0
+/system/bin/bootanimation u:object_r:bootanim_exec:s0
 /system/bin/app_process	u:object_r:zygote_exec:s0
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0

--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,7 +13,6 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system_server)
 binder_service(surfaceflinger)
-allow surfaceflinger init:binder transfer;

 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
@@ -36,3 +35,6 @@ allow surfaceflinger ctl_default_prop:property_service set;
 allow surfaceflinger appdomain:fd use;
 allow surfaceflinger platform_app_data_file:file { read write };
 allow surfaceflinger app_data_file:file { read write };
+
+# Use open file provided by bootanim.
+allow surfaceflinger bootanim:fd use;