Add SELinux policies for vr_window_manager

This set of rules is neeeded to allow vr_windows_manager to run successfully on the system. Bug: 32541196 Test: `m -j32` succeeds. Sailfish device boots. Change-Id: I0aec94d80f655a6f47691cf2622dd158ce9e475f

Add SELinux policies for vr_window_manager
c5680561 · Alex Vakulenko · 20a63911 · c5680561 · c5680561 · c5680561
Commit c5680561 authored 8 years ago by Alex Vakulenko
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -246,6 +246,7 @@
 /system/bin/webview_zygote32     u:object_r:webview_zygote_exec:s0
 /system/bin/webview_zygote64     u:object_r:webview_zygote_exec:s0
 /system/bin/virtual_touchpad     u:object_r:virtual_touchpad_exec:s0
+/system/bin/vr_wm                u:object_r:vr_wm_exec:s0
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /system/bin/hw/android\.hidl\.memory@1\.0-service             u:object_r:hal_allocator_exec:s0

--- a/private/service_contexts
+++ b/private/service_contexts
@@ -154,6 +154,7 @@ user                                      u:object_r:user_service:s0
 vibrator                                  u:object_r:vibrator_service:s0
 virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
+vr_window_manager                         u:object_r:vr_window_manager_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0

--- a/private/system_app.te
+++ b/private/system_app.te
@@ -56,7 +56,7 @@ binder_call(system_app, incidentd)
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
-allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find;
+allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find;
 allow system_app keystore:keystore_key {
    get_state

--- a/private/vr_wm.te
+++ b/private/vr_wm.te
+# vr_wm - VR Window Manager
+# The vr_wm is started by init.
+init_daemon_domain(vr_wm)
--- a/public/performanced.te
+++ b/public/performanced.te
@@ -10,9 +10,9 @@ allow performanced self:capability { setuid setgid sys_nice };
 # Access /proc to validate we're only affecting threads in the same thread group.
 # Performanced also shields unbound kernel threads.  It scans every task in the
 # root cpu set, but only affects the kernel threads.
-r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger })
+r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger vr_wm })
 dontaudit performanced domain:dir read;
-allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched;
+allow performanced { appdomain bufferhubd kernel sensord surfaceflinger vr_wm }:process setsched;
 # Access /dev/cpuset/cpuset.cpus
 r_dir_file(performanced, cgroup)
--- a/public/service.te
+++ b/public/service.te
@@ -26,6 +26,7 @@ type surfaceflinger_service,    service_manager_type;
 type system_app_service,        service_manager_type;
 type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
+type vr_window_manager_service, service_manager_type;
 # system_server_services broken down
 type accessibility_service, app_api_service, system_server_service, service_manager_type;

--- a/public/virtual_touchpad.te
+++ b/public/virtual_touchpad.te
@@ -9,4 +9,4 @@ add_service(virtual_touchpad, virtual_touchpad_service)
 allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl };
 # Limit access so that nothing else can inject input.
-neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find;
+neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find;
--- a/public/vr_wm.te
+++ b/public/vr_wm.te
+type vr_wm, domain;
+type vr_wm_exec, exec_type, file_type;
+binder_use(vr_wm)
+binder_call(vr_wm, surfaceflinger)
+binder_call(vr_wm, virtual_touchpad)
+allow vr_wm virtual_touchpad_service:service_manager find;
+binder_service(vr_wm)
+add_service(vr_wm, vr_window_manager_service)
+# Hosts the VR HWC implementation and provides a simple Binder interface for VR
+# Window Manager to receive the layers/buffers.
+hwbinder_use(vr_wm)
+# Load vendor libraries.
+allow vr_wm system_file:dir r_dir_perms;
+allow vr_wm gpu_device:chr_file rw_file_perms;
+allow vr_wm ion_device:chr_file r_file_perms;
+use_pdx(vr_wm, bufferhubd)
+use_pdx(vr_wm, sensord)
+use_pdx(vr_wm, surfaceflinger)
+use_pdx(vr_wm, performanced)