From f27bba93d1559c22c0c07f8e0bec4e4e5945e230 Mon Sep 17 00:00:00 2001
From: Steven Moreland <smoreland@google.com>
Date: Tue, 1 Aug 2017 13:27:32 -0700
Subject: [PATCH] Add screencap domain.

The only denial observed in permissive mode was:
allow shell screencap_exec:file getattr;

Bug: 37565047
Test: adb shell screencap w/o root
Test: cts-tradefed run cts-dev --module CtsAadbHostTestCases
Change-Id: I9f31d2067e002e7042646ee38dbfc06687481ac7
---
 prebuilts/api/26.0/26.0.ignore.cil |  8 ++++++++
 private/adbd.te                    | 13 ++++---------
 private/app.te                     |  4 +++-
 private/dumpstate.te               |  4 ++++
 private/file_contexts              |  1 +
 private/screencap.te               | 26 ++++++++++++++++++++++++++
 private/shell.te                   |  4 ++++
 private/surfaceflinger.te          |  1 +
 public/dumpstate.te                |  3 ---
 9 files changed, 51 insertions(+), 13 deletions(-)
 create mode 100644 private/screencap.te

diff --git a/prebuilts/api/26.0/26.0.ignore.cil b/prebuilts/api/26.0/26.0.ignore.cil
index e89ea63a0..6b37df7fa 100644
--- a/prebuilts/api/26.0/26.0.ignore.cil
+++ b/prebuilts/api/26.0/26.0.ignore.cil
@@ -23,3 +23,11 @@
     thermalserviced_tmpfs
     timezone_service
     tombstoned_java_trace_socket))
+
+;; private_objects - a collection of types that were labeled differently in
+;;     older policy, but that should not remain accessible to vendor policy.
+;;     Thus, these types are also not mapped, but recorded for checkapi tests
+(typeattribute priv_objects)
+(typeattributeset priv_objects
+     ( screencap
+       screencap_exec ))
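Review bot: The new comment block names the attribute "private_objects" while the declaration two lines below is `priv_objects`, so the explanation will not match what a reader greps for; I would align the comment with the declared name, `;; priv_objects - a collection of types that were labeled differently in`. It would also help to say explicitly that listing `screencap` and `screencap_exec` here is what keeps them out of the 26.0 compatibility mapping (and therefore out of reach of vendor policy), since that is the security-relevant consequence of the entry.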
diff --git a/private/adbd.te b/private/adbd.te
index 52597ebbf..200836428 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,14 +63,9 @@ get_prop(adbd, serialno_prop)
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
+# Use screencap
+domain_auto_trans(adbd, screencap_exec, screencap)
+allow adbd screencap:process signal;
 
 # Needed for various screenshots
 hal_client_domain(adbd, hal_graphics_allocator)
@@ -137,5 +132,5 @@ allow adbd rootfs:dir r_dir_perms;
 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
 # transitions to the shell domain (except when it crashes). In particular, we
 # never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
diff --git a/private/app.te b/private/app.te
index 9251ed9cb..068f09539 100644
--- a/private/app.te
+++ b/private/app.te
@@ -409,7 +409,9 @@ neverallow appdomain { domain -appdomain }:file write;
 # sigchld allowed for parent death notification.
 # signull allowed for kill(pid, 0) existence test.
 # All others prohibited.
-neverallow appdomain { domain -appdomain }:process
+neverallow { appdomain -shell } { domain -appdomain }:process
+    { sigkill sigstop signal };
+neverallow shell { domain -appdomain -screencap }:process
     { sigkill sigstop signal };
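Review bot: The carve-out on the new `neverallow shell { domain -appdomain -screencap }:process` line exempts screencap from all three of `sigkill`, `sigstop` and `signal`, but the only permission this patch grants is `allow shell screencap:process signal` (shell.te), so the neverallow is now looser than the policy it guards. I would keep the exemption as narrow as the allow so a later rule cannot quietly add kill/stop: keep the line as written and add `neverallow shell screencap:process { sigkill sigstop };` immediately after it. That preserves the invariant the surrounding comment describes (only sigchld/signull to non-app domains, plus the one deliberate exception).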
 
 # Transition to a non-app domain.
diff --git a/private/dumpstate.te b/private/dumpstate.te
index 0fe2adfc6..a2f4e258a 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -24,3 +24,7 @@ binder_call(dumpstate, storaged)
 
 # Collect metrics on boot time created by init
 get_prop(dumpstate, boottime_prop)
+
+# Use screencap
+domain_auto_trans(dumpstate, screencap_exec, screencap)
+allow dumpstate screencap:process signal;
diff --git a/private/file_contexts b/private/file_contexts
index 7f9f5129e..2599e3912 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -212,6 +212,7 @@
 /system/bin/mediametrics	u:object_r:mediametrics_exec:s0
 /system/bin/cameraserver	u:object_r:cameraserver_exec:s0
 /system/bin/mediaextractor	u:object_r:mediaextractor_exec:s0
+/system/bin/screencap	u:object_r:screencap_exec:s0
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/otapreopt_chroot   u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/screencap.te b/private/screencap.te
new file mode 100644
index 000000000..579373aa6
--- /dev/null
+++ b/private/screencap.te
@@ -0,0 +1,26 @@
+type screencap, domain;
+type screencap_exec, exec_type, file_type;
+
+typeattribute screencap coredomain;
+
+allow screencap gpu_device:chr_file rw_file_perms;
+allow screencap ion_device:chr_file rw_file_perms;
+
+allow screencap adbd:fifo_file write;
+allow screencap adbd:fd use;
+allow screencap adbd:unix_stream_socket { read write };
+
+allow screencap shell_data_file:file write;
+allow screencap shell:fd use;
+allow screencap shell:unix_stream_socket { read write };
+
+allow screencap dumpstate:fd use;
+allow screencap dumpstate:unix_stream_socket { read write };
+
+binder_use(screencap)
+binder_call(screencap, surfaceflinger)
+allow screencap surfaceflinger_service:service_manager find;
+allow screencap surfaceflinger:fd use;
+
+hwbinder_use(screencap)
+hal_client_domain(screencap, hal_graphics_allocator)
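Review bot: The new domain file has no header explaining what screencap is trusted to do, and the deliberately minimal `allow screencap shell_data_file:file write` (write but no `open`/`create`) is easy to misread as an oversight and "fix" by adding open or create later. I would open the file with a short comment such as `# screencap: captures the display via surfaceflinger on behalf of shell, adbd and dumpstate.` and annotate the shell_data_file line with `# write only to an fd inherited from shell; no open/create, so screencap cannot choose its own output path`. The adbd/shell/dumpstate `fd use` and `unix_stream_socket` rules deserve the same one-line justification (output travels over descriptors the caller hands in), since that inherited-fd model is what keeps the gpu_device/ion_device rw access and the surfaceflinger binder access from turning into a general screenshot-to-anywhere capability; whether dumpstate also needs a `fifo_file write` rule like adbd's is not visible from this hunk and is worth confirming on a userdebug build.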
diff --git a/private/shell.te b/private/shell.te
index 5299532ac..095dc4391 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -26,3 +26,7 @@ binder_call(shell, storaged)
 # Perform SELinux access checks, needed for CTS
 selinux_check_access(shell)
 selinux_check_context(shell)
+
+# Use screencap
+domain_auto_trans(shell, screencap_exec, screencap)
+allow shell screencap:process signal;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index b33035e8e..7184fbcc7 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -21,6 +21,7 @@ binder_use(surfaceflinger)
 binder_call(surfaceflinger, binderservicedomain)
 binder_call(surfaceflinger, appdomain)
 binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, screencap)
 binder_service(surfaceflinger)
 
 # Binder IPC to bu, presently runs in adbd domain.
diff --git a/public/dumpstate.te b/public/dumpstate.te
index f6d6a0a69..3e977311f 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -142,9 +142,6 @@ allow dumpstate bluetooth_data_file:dir search;
 allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
 allow dumpstate bluetooth_logs_data_file:file r_file_perms;
 
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
 # logd access
 read_logd(dumpstate)
 control_logd(dumpstate)
-- 
GitLab