Address screenrecord denials.

Steps to reproduce across devices. adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4 * Allow surfaceflinger to talk to mediaserver avc: denied { call } for pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder * Give mediaserver access to gpu_device avc: denied { read write } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file avc: denied { open } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file avc: denied { ioctl } for pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41 Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

Address screenrecord denials.
e21871c8 · rpcraig · Robert Craig · 629c98c2 · e21871c8 · e21871c8
Commit e21871c8 authored 11 years ago by rpcraig Committed by Robert Craig 11 years ago
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -24,7 +24,7 @@ allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
-allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;

--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,6 +13,7 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system_server)
 binder_call(surfaceflinger, nfc)
+binder_call(surfaceflinger, mediaserver)
 binder_service(surfaceflinger)
 # Access the GPU.