From 7bec967402f3624cac3c64497f03c94b3ce31b4b Mon Sep 17 00:00:00 2001
From: Steven Thomas <steventhomas@google.com>
Date: Fri, 13 Jul 2018 17:17:01 -0700
Subject: [PATCH] Selinux changes for vr flinger vsync service
Add selinux policy for the new Binder-based vr flinger vsync service.
Bug: 72890037
Test: - Manually confirmed that I can't bind to the new vsync service
from a normal Android application, and system processes (other than
vr_hwc) are prevented from connecting by selinux.
- Confirmed the CTS test
android.security.cts.SELinuxHostTest#testAospServiceContexts, when
built from the local source tree with this CL applied, passes.
- Confirmed the CTS test
android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521,
when built from the local source tree with this CL applied, passes.
Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
---
private/compat/26.0/26.0.ignore.cil | 1 +
private/compat/27.0/27.0.ignore.cil | 1 +
private/service_contexts | 1 +
private/surfaceflinger.te | 2 ++
public/service.te | 1 +
public/vr_hwc.te | 2 ++
6 files changed, 8 insertions(+)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ae36f1c70..5212b62fc 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -151,6 +151,7 @@
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ vrflinger_vsync_service
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 4530df498..4b7ef9212 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -126,6 +126,7 @@
vold_prepare_subdirs
vold_prepare_subdirs_exec
vold_service
+ vrflinger_vsync_service
wait_for_keymaster
wait_for_keymaster_exec
wait_for_keymaster_tmpfs
diff --git a/private/service_contexts b/private/service_contexts
index 0513073a7..de784d35c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -176,6 +176,7 @@ virtual_touchpad u:object_r:virtual_touchpad_service:s0
voiceinteraction u:object_r:voiceinteraction_service:s0
vold u:object_r:vold_service:s0
vr_hwc u:object_r:vr_hwc_service:s0
+vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
vrmanager u:object_r:vr_manager_service:s0
wallpaper u:object_r:wallpaper_service:s0
webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 61c89e1c1..d9d7dea6e 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -84,6 +84,8 @@ add_service(surfaceflinger, gpu_service)
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
+add_service(surfaceflinger, vrflinger_vsync_service)
+
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 11fb831dc..1ec01028d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -32,6 +32,7 @@ type update_engine_service, service_manager_type;
type virtual_touchpad_service, service_manager_type;
type vold_service, service_manager_type;
type vr_hwc_service, service_manager_type;
+type vrflinger_vsync_service, service_manager_type;
# system_server_services broken down
type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index c05dd638a..8e3cb5133 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -29,3 +29,5 @@ pdx_client(vr_hwc, display_client)
# Requires access to the permission service to validate that clients have the
# appropriate VR permissions.
allow vr_hwc permission_service:service_manager find;
+
+allow vr_hwc vrflinger_vsync_service:service_manager find;
--
GitLab