sepolicy: fix avc denied of surfaceflinger

author Chih-Wei Huang <cwhuang@linux.org.tw>

Thu, 25 Jul 2019 09:18:24 +0000 (17:18 +0800)

committer Chih-Wei Huang <cwhuang@linux.org.tw>

Thu, 25 Jul 2019 09:18:24 +0000 (17:18 +0800)
author Chih-Wei Huang <cwhuang@linux.org.tw>
Thu, 25 Jul 2019 09:18:24 +0000 (17:18 +0800)
committer Chih-Wei Huang <cwhuang@linux.org.tw>
Thu, 25 Jul 2019 09:18:24 +0000 (17:18 +0800)
diff --git a/BoardConfig.mk b/BoardConfig.mk

index bd23daf..7ab0e17 100644 (file)
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -87,5 +87,7 @@ ZIP_OPTIMIZATION_NO_INTEGRITY := true
  
  DEVICE_MANIFEST_FILE := device/generic/common/manifest.xml
  
-BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy \
+BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy/nonplat \
                         system/bt/vendor_libs/linux/sepolicy \
+
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR := device/generic/common/sepolicy/plat_private
diff --git a/sepolicy/adbd.te b/sepolicy/nonplat/adbd.te

similarity index 100%

rename from sepolicy/adbd.te

rename to sepolicy/nonplat/adbd.te
diff --git a/sepolicy/audioserver.te b/sepolicy/nonplat/audioserver.te

similarity index 100%

rename from sepolicy/audioserver.te

rename to sepolicy/nonplat/audioserver.te
diff --git a/sepolicy/bootanim.te b/sepolicy/nonplat/bootanim.te

similarity index 100%

rename from sepolicy/bootanim.te

rename to sepolicy/nonplat/bootanim.te
diff --git a/sepolicy/cameraserver.te b/sepolicy/nonplat/cameraserver.te

similarity index 100%

rename from sepolicy/cameraserver.te

rename to sepolicy/nonplat/cameraserver.te
diff --git a/sepolicy/device.te b/sepolicy/nonplat/device.te

similarity index 100%

rename from sepolicy/device.te

rename to sepolicy/nonplat/device.te
diff --git a/sepolicy/domain.te b/sepolicy/nonplat/domain.te

similarity index 100%

rename from sepolicy/domain.te

rename to sepolicy/nonplat/domain.te
diff --git a/sepolicy/file.te b/sepolicy/nonplat/file.te

similarity index 100%

rename from sepolicy/file.te

rename to sepolicy/nonplat/file.te
diff --git a/sepolicy/file_contexts b/sepolicy/nonplat/file_contexts

similarity index 100%

rename from sepolicy/file_contexts

rename to sepolicy/nonplat/file_contexts
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/nonplat/hal_camera_default.te

similarity index 100%

rename from sepolicy/hal_camera_default.te

rename to sepolicy/nonplat/hal_camera_default.te
diff --git a/sepolicy/hal_cas_default.te b/sepolicy/nonplat/hal_cas_default.te

similarity index 100%

rename from sepolicy/hal_cas_default.te

rename to sepolicy/nonplat/hal_cas_default.te
diff --git a/sepolicy/hal_drm_default.te b/sepolicy/nonplat/hal_drm_default.te

similarity index 100%

rename from sepolicy/hal_drm_default.te

rename to sepolicy/nonplat/hal_drm_default.te
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/nonplat/hal_drm_widevine.te

similarity index 100%

rename from sepolicy/hal_drm_widevine.te

rename to sepolicy/nonplat/hal_drm_widevine.te
diff --git a/sepolicy/hal_gnss_default.te b/sepolicy/nonplat/hal_gnss_default.te

similarity index 100%

rename from sepolicy/hal_gnss_default.te

rename to sepolicy/nonplat/hal_gnss_default.te
diff --git a/sepolicy/hal_graphics_composer_default.te b/sepolicy/nonplat/hal_graphics_composer_default.te

similarity index 100%

rename from sepolicy/hal_graphics_composer_default.te

rename to sepolicy/nonplat/hal_graphics_composer_default.te
diff --git a/sepolicy/healthd.te b/sepolicy/nonplat/healthd.te

similarity index 100%

rename from sepolicy/healthd.te

rename to sepolicy/nonplat/healthd.te
diff --git a/sepolicy/init.te b/sepolicy/nonplat/init.te

similarity index 100%

rename from sepolicy/init.te

rename to sepolicy/nonplat/init.te
diff --git a/sepolicy/installd.te b/sepolicy/nonplat/installd.te

similarity index 100%

rename from sepolicy/installd.te

rename to sepolicy/nonplat/installd.te
diff --git a/sepolicy/logpersist.te b/sepolicy/nonplat/logpersist.te

similarity index 100%

rename from sepolicy/logpersist.te

rename to sepolicy/nonplat/logpersist.te
diff --git a/sepolicy/mediacodec.te b/sepolicy/nonplat/mediacodec.te

similarity index 100%

rename from sepolicy/mediacodec.te

rename to sepolicy/nonplat/mediacodec.te
diff --git a/sepolicy/netd.te b/sepolicy/nonplat/netd.te

similarity index 100%

rename from sepolicy/netd.te

rename to sepolicy/nonplat/netd.te
diff --git a/sepolicy/priv_app.te b/sepolicy/nonplat/priv_app.te

similarity index 100%

rename from sepolicy/priv_app.te

rename to sepolicy/nonplat/priv_app.te
diff --git a/sepolicy/property.te b/sepolicy/nonplat/property.te

similarity index 100%

rename from sepolicy/property.te

rename to sepolicy/nonplat/property.te
diff --git a/sepolicy/property_contexts b/sepolicy/nonplat/property_contexts

similarity index 100%

rename from sepolicy/property_contexts

rename to sepolicy/nonplat/property_contexts
diff --git a/sepolicy/shell.te b/sepolicy/nonplat/shell.te

similarity index 100%

rename from sepolicy/shell.te

rename to sepolicy/nonplat/shell.te
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/nonplat/surfaceflinger.te

similarity index 100%

rename from sepolicy/surfaceflinger.te

rename to sepolicy/nonplat/surfaceflinger.te
diff --git a/sepolicy/system_server.te b/sepolicy/nonplat/system_server.te

similarity index 100%

rename from sepolicy/system_server.te

rename to sepolicy/nonplat/system_server.te
diff --git a/sepolicy/vold.te b/sepolicy/nonplat/vold.te

similarity index 100%

rename from sepolicy/vold.te

rename to sepolicy/nonplat/vold.te
diff --git a/sepolicy/zygote.te b/sepolicy/nonplat/zygote.te

similarity index 100%

rename from sepolicy/zygote.te

rename to sepolicy/nonplat/zygote.te
diff --git a/sepolicy/plat_private/file_contexts b/sepolicy/plat_private/file_contexts

new file mode 100644 (file)

index 0000000..9dd2aed
--- /dev/null
+++ b/sepolicy/plat_private/file_contexts
@@ -0,0 +1,3 @@
+# surfaceflinger
+/dev/dri(/.*)?               u:object_r:gpu_device:s0
+/dev/tty0                    u:object_r:gpu_device:s0
diff --git a/sepolicy/plat_private/surfaceflinger.te b/sepolicy/plat_private/surfaceflinger.te

new file mode 100644 (file)

index 0000000..8f936ca
--- /dev/null
+++ b/sepolicy/plat_private/surfaceflinger.te
@@ -0,0 +1,24 @@
+allow surfaceflinger surfaceflinger_tmpfs:file { map };
+allow surfaceflinger tmpfs:lnk_file { read };
+allow surfaceflinger self:capability { sys_tty_config };
+
+allowxperm surfaceflinger gpu_device:chr_file ioctl {
+       0x5605
+       0x6409
+       0x640a
+       0x640b
+       0x641e
+       0x641f
+       0x6457
+       0x6458
+       0x645b
+       0x645e
+       0x645f
+       0x6461
+       0x6462
+       0x6469
+       0x6466
+       0x646c
+       0x64a2
+       0x64b0
+};
diff --git a/sepolicy/plat_private/zygote.te b/sepolicy/plat_private/zygote.te

new file mode 100644 (file)

index 0000000..867e1f3
--- /dev/null
+++ b/sepolicy/plat_private/zygote.te
@@ -0,0 +1,2 @@
+allow zygote surfaceflinger:binder call;
+allow zygote surfaceflinger:unix_stream_socket { read };
author	Chih-Wei Huang <cwhuang@linux.org.tw>
	Thu, 25 Jul 2019 09:18:24 +0000 (17:18 +0800)
committer	Chih-Wei Huang <cwhuang@linux.org.tw>
	Thu, 25 Jul 2019 09:18:24 +0000 (17:18 +0800)
BoardConfig.mk		patch \| blob \| history
sepolicy/nonplat/adbd.te	[moved from sepolicy/adbd.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/audioserver.te	[moved from sepolicy/audioserver.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/bootanim.te	[moved from sepolicy/bootanim.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/cameraserver.te	[moved from sepolicy/cameraserver.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/device.te	[moved from sepolicy/device.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/domain.te	[moved from sepolicy/domain.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/file.te	[moved from sepolicy/file.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/file_contexts	[moved from sepolicy/file_contexts with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/hal_camera_default.te	[moved from sepolicy/hal_camera_default.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/hal_cas_default.te	[moved from sepolicy/hal_cas_default.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/hal_drm_default.te	[moved from sepolicy/hal_drm_default.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/hal_drm_widevine.te	[moved from sepolicy/hal_drm_widevine.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/hal_gnss_default.te	[moved from sepolicy/hal_gnss_default.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/hal_graphics_composer_default.te	[moved from sepolicy/hal_graphics_composer_default.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/healthd.te	[moved from sepolicy/healthd.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/init.te	[moved from sepolicy/init.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/installd.te	[moved from sepolicy/installd.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/logpersist.te	[moved from sepolicy/logpersist.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/mediacodec.te	[moved from sepolicy/mediacodec.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/netd.te	[moved from sepolicy/netd.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/priv_app.te	[moved from sepolicy/priv_app.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/property.te	[moved from sepolicy/property.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/property_contexts	[moved from sepolicy/property_contexts with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/shell.te	[moved from sepolicy/shell.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/surfaceflinger.te	[moved from sepolicy/surfaceflinger.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/system_server.te	[moved from sepolicy/system_server.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/vold.te	[moved from sepolicy/vold.te with 100% similarity]	patch \| blob \| history
sepolicy/nonplat/zygote.te	[moved from sepolicy/zygote.te with 100% similarity]	patch \| blob \| history
sepolicy/plat_private/file_contexts	[new file with mode: 0644]	patch \| blob
sepolicy/plat_private/surfaceflinger.te	[new file with mode: 0644]	patch \| blob
sepolicy/plat_private/zygote.te	[new file with mode: 0644]	patch \| blob