From e21871c8b7250f5dfc746298ab170a869e6be94d Mon Sep 17 00:00:00 2001
From: rpcraig <rpcraig@tycho.ncsc.mil>
Date: Tue, 4 Feb 2014 16:24:08 -0500
Subject: [PATCH] Address screenrecord denials.
Steps to reproduce across devices.
adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4
* Allow surfaceflinger to talk to mediaserver
avc: denied { call } for pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder
* Give mediaserver access to gpu_device
avc: denied { read write } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
avc: denied { open } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
avc: denied { ioctl } for pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
---
 mediaserver.te | 2 +-
 surfaceflinger.te | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/mediaserver.te b/mediaserver.te
index ab978fa90..ad7cdcb46 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -24,7 +24,7 @@ allow mediaserver app_data_file:dir search;
 allow mediaserver app_data_file:file rw_file_perms;
 allow mediaserver platform_app_data_file:file { getattr read };
 allow mediaserver sdcard_type:file write;
-allow mediaserver graphics_device:chr_file rw_file_perms;
+allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
 allow mediaserver audio_device:dir r_dir_perms;
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 9c58afafc..2a3087b6f 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,6 +13,7 @@ unix_socket_connect(surfaceflinger, property, init)
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system_server)
 binder_call(surfaceflinger, nfc)
+binder_call(surfaceflinger, mediaserver)
 binder_service(surfaceflinger)

 # Access the GPU.
-- 
GitLab
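Review bot: The new `allow mediaserver { gpu_device graphics_device }:chr_file rw_file_perms;` grants the whole mediaserver domain open/read/write/ioctl on every gpu_device node, while the quoted denials come only from the screenrecord encoder thread ("VideoEncMsgThre"); SELinux cannot scope a rule to one thread, so every codec path inside mediaserver now reaches the GPU driver's ioctl interface as well. That widening may be unavoidable for hardware encoding, but nothing in the file records why, and a later reader cannot tell the gpu_device grant apart from the neighbouring graphics_device one. A comment above the rule, `# Hardware video encoder (screenrecord) needs the GPU node; see the /dev/kgsl-3d0 denials in the commit.`, would keep the justification next to the permission. If rw_file_perms expands as in the usual global_macros it already covers the read, write, open and ioctl denials listed, so no broader class is needed; confirm that against the macro definition on this branch.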
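Review bot: `binder_call(surfaceflinger, mediaserver)` is added without a comment, and none of the surrounding binder_call lines say which IPC path they serve; if binder_call is the usual te_macros definition it also grants mediaserver `transfer` toward surfaceflinger and `fd use`, so the rule is wider than the single `call` denial quoted in the commit. A one-line comment such as `# screenrecord: surfaceflinger calls into mediaserver's encoder.` would document the intent. Whether mediaserver.te already carries the reverse binder_call(mediaserver, surfaceflinger) is not visible in this patch; if it does, noting the pair here makes the two-way channel explicit for the next policy review.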