Selinux changes for vr flinger vsync service

Add selinux policy for the new Binder-based vr flinger vsync service. Bug: 72890037 Test: - Manually confirmed that I can't bind to the new vsync service from a normal Android application, and system processes (other than vr_hwc) are prevented from connecting by selinux. - Confirmed the CTS test android.security.cts.SELinuxHostTest#testAospServiceContexts, when built from the local source tree with this CL applied, passes. - Confirmed the CTS test android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521, when built from the local source tree with this CL applied, passes. Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06

Selinux changes for vr flinger vsync service
Add selinux policy for the new Binder-based vr flinger vsync service. Bug: 72890037 Test: - Manually confirmed that I can't bind to the new vsync service from a normal Android application, and system processes (other than vr_hwc) are prevented from connecting by selinux. - Confirmed the CTS test android.security.cts.SELinuxHostTest#testAospServiceContexts, when built from the local source tree with this CL applied, passes. - Confirmed the CTS test android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521, when built from the local source tree with this CL applied, passes. Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
7bec9674 · Steven Thomas · 6397d7e0 · 7bec9674 · 7bec9674 · 7bec9674
Commit 7bec9674 authored 6 years ago by Steven Thomas
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -151,6 +151,7 @@
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
    vold_service
+    vrflinger_vsync_service
    wait_for_keymaster
    wait_for_keymaster_exec
    wait_for_keymaster_tmpfs

--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -126,6 +126,7 @@
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
    vold_service
+    vrflinger_vsync_service
    wait_for_keymaster
    wait_for_keymaster_exec
    wait_for_keymaster_tmpfs

--- a/private/service_contexts
+++ b/private/service_contexts
@@ -176,6 +176,7 @@ virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
 vold                                      u:object_r:vold_service:s0
 vr_hwc                                    u:object_r:vr_hwc_service:s0
+vrflinger_vsync                           u:object_r:vrflinger_vsync_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0

--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -84,6 +84,8 @@ add_service(surfaceflinger, gpu_service)
 #add_service(surfaceflinger, surfaceflinger_service)
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
+add_service(surfaceflinger, vrflinger_vsync_service)
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;

--- a/public/service.te
+++ b/public/service.te
@@ -32,6 +32,7 @@ type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;
+type vrflinger_vsync_service,   service_manager_type;
 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;

--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -29,3 +29,5 @@ pdx_client(vr_hwc, display_client)
 # Requires access to the permission service to validate that clients have the
 # appropriate VR permissions.
 allow vr_hwc permission_service:service_manager find;
+allow vr_hwc vrflinger_vsync_service:service_manager find;