From e06e53638808ec0d14aaee701590fdc93cfd3150 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Mar 2014 10:40:56 -0400
Subject: [PATCH] Allow inputflinger to call system_server.

Resolves denials such as:
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { open } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { search } for  pid=752 comm="ActivityManager" name="214" dev="proc" ino=1568 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=dir
avc:  denied  { read } for  pid=752 comm="ActivityManager" name="stat" dev="proc" ino=1878 scontext=u:r:system_server:s0 tcontext=u:r:inputflinger:s0 tclass=file
avc:  denied  { call } for  pid=187 comm="Binder_2" scontext=u:r:inputflinger:s0 tcontext=u:r:system_server:s0 tclass=binder

Change-Id: I099d7dacf7116efa73163245597c3de629d358c1
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 inputflinger.te  | 2 ++
 system_server.te | 1 +
 2 files changed, 3 insertions(+)

diff --git a/inputflinger.te b/inputflinger.te
index dd5c08650..b08b3453b 100644
--- a/inputflinger.te
+++ b/inputflinger.te
@@ -6,3 +6,5 @@ type inputflinger_exec, exec_type, file_type;
 init_daemon_domain(inputflinger)
 binder_use(inputflinger)
 binder_service(inputflinger)
+
+binder_call(inputflinger, system_server)
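Review bot: The added `binder_call(inputflinger, system_server)` has no comment saying why inputflinger needs to initiate binder transactions to system_server, and the commit message shows only one `{ call }` denial for it. As the macro is defined in AOSP policy, it also allows `transfer` in both directions and `fd use` on descriptors received from system_server, so the grant is wider than the logged denial. That is the conventional form, but the intent should be recorded next to the rule, for example `# inputflinger calls back into system_server over binder.`, with the wording confirmed by whoever knows which interface triggered the denial. A reverse rule for system_server calling inputflinger is not in this patch and may already exist outside the visible hunks.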
diff --git a/system_server.te b/system_server.te
index ecd31b31a..e85281cda 100644
--- a/system_server.te
+++ b/system_server.te
@@ -132,6 +132,7 @@ binder_service(system_server)
 r_dir_file(system_server, mediaserver)
 r_dir_file(system_server, sdcardd)
 r_dir_file(system_server, surfaceflinger)
+r_dir_file(system_server, inputflinger)
 
 # Use sockets received over binder from various services.
 allow system_server mediaserver:tcp_socket rw_socket_perms;
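Review bot: The new `r_dir_file(system_server, inputflinger)` is appended after `surfaceflinger`, which breaks what looks like alphabetical order in the visible lines (mediaserver, sdcardd, surfaceflinger). Placing it before the `mediaserver` line would keep the list easy to audit. The macro grants read access to every /proc/<pid> directory, file and symlink labelled `inputflinger`, while the quoted denials involve only `stat` and the pid directory. This matches the neighbouring rules, but if no comment exists above the group, one such as `# Read /proc/<pid> entries of native daemons on behalf of ActivityManager.` would document why the broader grant is accepted. The list starts above the hunk's context, so the ordering and any existing comment should be checked against the full file.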
-- 
GitLab