From c56805614c5a277bca55582c2f70344c37895766 Mon Sep 17 00:00:00 2001 From: Alex Vakulenko <avakulenko@google.com> Date: Tue, 14 Feb 2017 15:28:52 -0800 Subject: [PATCH] Add SELinux policies for vr_window_manager This set of rules is needed to allow vr_window_manager to run successfully on the system. Bug: 32541196 Test: `m -j32` succeeds. Sailfish device boots. Change-Id: I0aec94d80f655a6f47691cf2622dd158ce9e475f --- private/file_contexts | 1 + private/service_contexts | 1 + private/system_app.te | 2 +- private/vr_wm.te | 4 ++++ public/performanced.te | 4 ++-- public/service.te | 1 + public/virtual_touchpad.te | 2 +- public/vr_wm.te | 26 ++++++++++++++++++++++++++ 8 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 private/vr_wm.te create mode 100644 public/vr_wm.te diff --git a/private/file_contexts b/private/file_contexts index 8cd812383..d6a248327 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -246,6 +246,7 @@ /system/bin/webview_zygote32 u:object_r:webview_zygote_exec:s0 /system/bin/webview_zygote64 u:object_r:webview_zygote_exec:s0 /system/bin/virtual_touchpad u:object_r:virtual_touchpad_exec:s0 +/system/bin/vr_wm u:object_r:vr_wm_exec:s0 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0 /system/bin/hw/android\.hidl\.memory@1\.0-service u:object_r:hal_allocator_exec:s0 diff --git a/private/service_contexts b/private/service_contexts index 3b01c0b8d..2eab12f8d 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -154,6 +154,7 @@ user u:object_r:user_service:s0 vibrator u:object_r:vibrator_service:s0 virtual_touchpad u:object_r:virtual_touchpad_service:s0 voiceinteraction u:object_r:voiceinteraction_service:s0 +vr_window_manager u:object_r:vr_window_manager_service:s0 vrmanager u:object_r:vr_manager_service:s0 wallpaper u:object_r:wallpaper_service:s0 webviewupdate u:object_r:webviewupdate_service:s0 
diff --git a/private/system_app.te b/private/system_app.te index 7539da226..6de36936f 100644 --- a/private/system_app.te +++ b/private/system_app.te @@ -56,7 +56,7 @@ binder_call(system_app, incidentd) allow system_app servicemanager:service_manager list; # TODO: scope this down? Too broad? -allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service }:service_manager find; +allow system_app { service_manager_type -netd_service -dumpstate_service -installd_service -virtual_touchpad_service }:service_manager find; allow system_app keystore:keystore_key { get_state diff --git a/private/vr_wm.te b/private/vr_wm.te new file mode 100644 index 000000000..276d434d8 --- /dev/null +++ b/private/vr_wm.te @@ -0,0 +1,4 @@ +# vr_wm - VR Window Manager + +# The vr_wm is started by init. +init_daemon_domain(vr_wm) diff --git a/public/performanced.te b/public/performanced.te index 8f9d16b05..95038cd48 100644 --- a/public/performanced.te +++ b/public/performanced.te @@ -10,9 +10,9 @@ allow performanced self:capability { setuid setgid sys_nice }; # Access /proc to validate we're only affecting threads in the same thread group. # Performanced also shields unbound kernel threads. It scans every task in the # root cpu set, but only affects the kernel threads. -r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger }) +r_dir_file(performanced, { appdomain bufferhubd kernel sensord surfaceflinger vr_wm }) dontaudit performanced domain:dir read; -allow performanced { appdomain bufferhubd kernel sensord surfaceflinger }:process setsched; +allow performanced { appdomain bufferhubd kernel sensord surfaceflinger vr_wm }:process setsched; # Access /dev/cpuset/cpuset.cpus r_dir_file(performanced, cgroup) diff --git a/public/service.te b/public/service.te index 7ef271184..208c6d786 100644 --- a/public/service.te +++ b/public/service.te 
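Review bot: The find rule for system_app is still built by subtraction from `service_manager_type`, so the `vr_window_manager_service` type this commit declares in public/service.te becomes findable by system_app without any line saying so. That matters here because vr_wm is now the one domain besides virtual_touchpad itself that may find `virtual_touchpad_service`, the same service this hunk takes away from system_app. If system_app has no reason to talk to the VR window manager, extend the exclusion list with `-vr_window_manager_service`; if it does, a comment next to the existing TODO should say why. public/vr_wm.te has the same gap from the other side: it adds the service with no `neverallow` bounding who may find it.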
@@ -26,6 +26,7 @@ type surfaceflinger_service, service_manager_type; type system_app_service, service_manager_type; type update_engine_service, service_manager_type; type virtual_touchpad_service, service_manager_type; +type vr_window_manager_service, service_manager_type; # system_server_services broken down type accessibility_service, app_api_service, system_server_service, service_manager_type; diff --git a/public/virtual_touchpad.te b/public/virtual_touchpad.te index 92d5c274a..544550a86 100644 --- a/public/virtual_touchpad.te +++ b/public/virtual_touchpad.te @@ -9,4 +9,4 @@ add_service(virtual_touchpad, virtual_touchpad_service) allow virtual_touchpad uhid_device:chr_file { w_file_perms ioctl }; # Limit access so that nothing else can inject input. -neverallow { domain -system_app -virtual_touchpad } virtual_touchpad_service:service_manager find; +neverallow { domain -virtual_touchpad -vr_wm } virtual_touchpad_service:service_manager find; diff --git a/public/vr_wm.te b/public/vr_wm.te new file mode 100644 index 000000000..7b6e3c077 --- /dev/null +++ b/public/vr_wm.te @@ -0,0 +1,26 @@ +type vr_wm, domain; +type vr_wm_exec, exec_type, file_type; + +binder_use(vr_wm) +binder_call(vr_wm, surfaceflinger) +binder_call(vr_wm, virtual_touchpad) + +allow vr_wm virtual_touchpad_service:service_manager find; + +binder_service(vr_wm) +add_service(vr_wm, vr_window_manager_service) + +# Hosts the VR HWC implementation and provides a simple Binder interface for VR +# Window Manager to receive the layers/buffers. +hwbinder_use(vr_wm) + +# Load vendor libraries. +allow vr_wm system_file:dir r_dir_perms; + +allow vr_wm gpu_device:chr_file rw_file_perms; +allow vr_wm ion_device:chr_file r_file_perms; + +use_pdx(vr_wm, bufferhubd) +use_pdx(vr_wm, sensord) +use_pdx(vr_wm, surfaceflinger) +use_pdx(vr_wm, performanced) -- GitLab
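Review bot: The comment above the changed `neverallow` in public/virtual_touchpad.te still says nothing else can inject input, but the new exemption list lets vr_wm find `virtual_touchpad_service`, so the comment no longer describes the rule. Reword it to name the trusted client, for example `# Limit access so that only vr_wm can reach the touchpad service and inject input.` Since the exemption moves trust from system_app to vr_wm, the guarantee now also depends on what vr_wm's own binder interface lets its callers do; that is not visible in this hunk and is worth stating in the commit message or the policy file.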
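Review bot: In public/vr_wm.te the comment `# Load vendor libraries.` sits on a rule that grants only directory read on `system_file` (`allow vr_wm system_file:dir r_dir_perms;`), so it is unclear which path needs listing and whether the rule is broader than the stated purpose. The two device rules below it, `gpu_device:chr_file rw_file_perms` and `ion_device:chr_file r_file_perms`, carry no rationale at all, and the four `use_pdx` peers are listed without a word on why vr_wm talks to each. A header such as `# vr_wm - VR Window Manager` (private/vr_wm.te already has one) plus a one-line comment per grant would make a later scoping-down pass reviewable.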