commit 0d0391f931768e118d29e69259c5a69c293e4d05
author Midas Chien <midaschieh@google.com> Wed Jun 17 22:13:21 2020 +0800
committer Midas Chien <midaschieh@google.com> Fri Jun 19 01:45:34 2020 +0800
tree 80159eabe8d1c122cc88d00643ca1ca858a80f5c
parent 255c856596a78067aef3b5cbdc9693594f744b6c

sepolicy: allow surfaceflinger to set surfaceflinger_display_prop

W//system/bin/init: type=1107 audit(0.0:51): uid=0 auid=4294967295
ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set }
for property=graphics.display.kernel_idle_timer.enabled pid=643
uid=1000 gid=1003 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:surfaceflinger_display_prop:s0
tclass=property_service permissive=0

Bug: 157513573
Test: surfaceflinger can set graphics.display.kernel_idle_timer.enabled
Test: vendor_init can get graphics.display.kernel_idle_timer.enabled
Change-Id: I78023a7857c8aa81a8863010b875bcb885bae614

private/property.te

diff --git a/private/property.te b/private/property.te
index c5a4f83..b5505e5 100644
--- a/private/property.te
+++ b/private/property.te
@@ -409,8 +409,7 @@
 
 neverallow {
   -init
-  -vendor_init
-  -system_app
+  -surfaceflinger
 } {
   surfaceflinger_display_prop
 }:property_service set;

private/property_contexts

diff --git a/private/property_contexts b/private/property_contexts
index bab2a1a..e75fd04 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -859,6 +859,6 @@
 graphics.gpu.profiler.support          u:object_r:graphics_config_prop:s0 exact bool
 graphics.gpu.profiler.vulkan_layer_apk u:object_r:graphics_config_prop:s0 exact string
 
-# vendor-init-settable
+# surfaceflinger-settable
 graphics.display.kernel_idle_timer.enabled u:object_r:surfaceflinger_display_prop:s0 exact bool
 

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index a160246..37601b9 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -56,9 +56,7 @@
 set_prop(surfaceflinger, exported_system_prop)
 set_prop(surfaceflinger, exported3_system_prop)
 set_prop(surfaceflinger, ctl_bootanim_prop)
-
-# Get properties
-get_prop(surfaceflinger, surfaceflinger_display_prop)
+set_prop(surfaceflinger, surfaceflinger_display_prop)
 
 # Use open files supplied by an app.
 allow surfaceflinger appdomain:fd use;

private/system_app.te

diff --git a/private/system_app.te b/private/system_app.te
index 18d4a87..e160ff4 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -57,8 +57,6 @@
 auditallow system_app usb_prop:property_service set;
 # Allow Settings to enable Dynamic System Update
 set_prop(system_app, dynamic_system_prop)
-# Allow Settings to config display kernel idle timer
-set_prop(system_app, surfaceflinger_display_prop)
 
 # ctl interface
 set_prop(system_app, ctl_default_prop)