Merge "Remove display.qservice from service_contexts."
diff --git a/private/adbd.te b/private/adbd.te
index 73302ac..6ee2e1e 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -63,14 +63,9 @@
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
-# Perform binder IPC to surfaceflinger (screencap)
-# XXX Run screencap in a separate domain?
-binder_use(adbd)
-binder_call(adbd, surfaceflinger)
-# b/13188914
-allow adbd gpu_device:chr_file rw_file_perms;
-allow adbd ion_device:chr_file rw_file_perms;
-r_dir_file(adbd, system_file)
+# Use screencap
+domain_auto_trans(adbd, screencap_exec, screencap)
+allow adbd screencap:process signal;
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
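Review bot: `binder_use(adbd)` is removed together with the surfaceflinger call, yet the surfaceflinger.te hunk in this same change keeps the context comment `# Binder IPC to bu, presently runs in adbd domain.`, which implies adbd still does binder IPC on behalf of bu; unless binder_use(adbd) is also granted somewhere not shown here (e.g. public/adbd.te), bu's binder traffic would now be denied. The kept lines `# Needed for various screenshots` / `hal_client_domain(adbd, hal_graphics_allocator)` look like a leftover of the same move, since screencap.te now grants hal_client_domain(screencap, hal_graphics_allocator); either drop it from adbd or reword the comment to say what adbd itself still needs the allocator HAL for. Dropping `r_dir_file(adbd, system_file)` also removes dir and lnk_file read on system_file while only `system_file:file rx_file_perms` stays; this is probably covered by domain-wide system_file rules elsewhere, but worth confirming rather than assuming.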
@@ -129,5 +124,5 @@
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
+neverallow adbd { domain -crash_dump -shell -screencap }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
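Review bot: The comment above the changed neverallow is now stale: it states `adbd only ever transitions to the shell domain (except when it crashes)` while the rule now also admits screencap. Suggest `# transitions to the shell and screencap domains (except when it crashes). In particular, we` so the comment and the rule agree, because this comment is what a reviewer will read when judging any later exemption. The `-screencap` carve-out itself matches the domain_auto_trans added earlier in this file.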
diff --git a/private/app.te b/private/app.te
index 28895a3..fe50dd4 100644
--- a/private/app.te
+++ b/private/app.te
@@ -367,14 +367,18 @@
# ptrace access to non-app domains.
neverallow appdomain { domain -appdomain }:process ptrace;
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
# signal access to non-app domains.
# sigchld allowed for parent death notification.
# signull allowed for kill(pid, 0) existence test.
# All others prohibited.
-neverallow appdomain { domain -appdomain }:process
+neverallow { appdomain -shell } { domain -appdomain }:process
+ { sigkill sigstop signal };
+neverallow shell { domain -appdomain -screencap }:process
{ sigkill sigstop signal };
# Transition to a non-app domain.
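Review bot: The new comment `# Read or write access to /proc/pid entries for any non-app domain.` describes only the second rule; the first rule (`no_w_file_perms`) still binds every appdomain including shell, and only the read restriction carves out shell, so the reason for the exemption is invisible to a reader. Spell out the asymmetry, e.g. `# Write access to /proc/pid entries of any non-app domain is denied for all app domains; read access is denied too except for shell, which presumably still needs to inspect other processes (confirm the tooling that relies on it).` The same `-shell` exemption reappears in the signal rule below and in the app_domain macro in public/te_macros within this change, so one explanation here can be referenced from those places.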
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b8f8152..8f003aa 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -23,3 +23,7 @@
# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)
+
+# Use screencap
+domain_auto_trans(dumpstate, screencap_exec, screencap)
+allow dumpstate screencap:process signal;
diff --git a/private/file_contexts b/private/file_contexts
index 971c080..df5c53f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -105,6 +105,7 @@
/dev/ptmx u:object_r:ptmx_device:s0
/dev/pvrsrvkm u:object_r:gpu_device:s0
/dev/kmsg u:object_r:kmsg_device:s0
+/dev/kmsg_debug u:object_r:kmsg_debug_device:s0
/dev/null u:object_r:null_device:s0
/dev/nvhdcp1 u:object_r:video_device:s0
/dev/random u:object_r:random_device:s0
@@ -214,6 +215,7 @@
/system/bin/cameraserver u:object_r:cameraserver_exec:s0
/system/bin/mediaextractor u:object_r:mediaextractor_exec:s0
/system/bin/mediacodec u:object_r:mediacodec_exec:s0
+/system/bin/screencap u:object_r:screencap_exec:s0
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/otapreopt_chroot u:object_r:otapreopt_chroot_exec:s0
diff --git a/private/screencap.te b/private/screencap.te
new file mode 100644
index 0000000..579373a
--- /dev/null
+++ b/private/screencap.te
@@ -0,0 +1,26 @@
+type screencap, domain;
+type screencap_exec, exec_type, file_type;
+
+typeattribute screencap coredomain;
+
+allow screencap gpu_device:chr_file rw_file_perms;
+allow screencap ion_device:chr_file rw_file_perms;
+
+allow screencap adbd:fifo_file write;
+allow screencap adbd:fd use;
+allow screencap adbd:unix_stream_socket { read write };
+
+allow screencap shell_data_file:file write;
+allow screencap shell:fd use;
+allow screencap shell:unix_stream_socket { read write };
+
+allow screencap dumpstate:fd use;
+allow screencap dumpstate:unix_stream_socket { read write };
+
+binder_use(screencap)
+binder_call(screencap, surfaceflinger)
+allow screencap surfaceflinger_service:service_manager find;
+allow screencap surfaceflinger:fd use;
+
+hwbinder_use(screencap)
+hal_client_domain(screencap, hal_graphics_allocator)
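Review bot: The new domain has no header comment saying what screencap is, why it now runs in its own domain rather than in its callers' (adbd.te used to carry `# XXX Run screencap in a separate domain?`), and which caller each group of rules serves; a short block at the top naming the purpose and the three callers (adbd, shell, dumpstate) would make the file self-explaining. The output rules are also asymmetric: adbd gets `fifo_file write`, shell gets `shell_data_file:file write` (write without open or create, so only a descriptor the caller already opened), and dumpstate gets only `fd use` plus a unix_stream_socket; if dumpstate invokes screencap with an output path in its own data directory instead of an inherited fd, that write would be denied, so this is worth confirming against how dumpstate actually runs it. If inherited descriptors are the intended contract, record it, e.g. `# Output always goes to a descriptor opened by the caller; screencap never opens output files itself.`, otherwise add `open` (and create perms) where a path argument is meant to work.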
diff --git a/private/shell.te b/private/shell.te
index fa196fa..ca57804 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -20,3 +20,7 @@
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
+
+# Use screencap
+domain_auto_trans(shell, screencap_exec, screencap)
+allow shell screencap:process signal;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index f1ad667..ca36aa3 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -22,6 +22,7 @@
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
+binder_call(surfaceflinger, screencap)
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
diff --git a/public/crash_dump.te b/public/crash_dump.te
index a0e278a..0bab782 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -15,6 +15,9 @@
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
+
+ # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
+ allow crash_dump kmsg_debug_device:chr_file { open append };
')
# Use inherited file descriptors
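Review bot: `{ open append }` on kmsg_debug_device grants append but not write, which means the open succeeds only when crash_dump opens the node with O_APPEND; a plain O_WRONLY open is denied. If append-only is deliberate, say so in the comment, e.g. `# crash_dump must open /dev/kmsg_debug with O_APPEND: only append, not write, is granted.`; otherwise add `write`. The comment's word order also reads oddly, and `# Let crash_dump write crashes that happen before logd comes up to /dev/kmsg_debug.` is clearer. The userdebug_or_eng block containing these lines starts above this hunk.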
diff --git a/public/device.te b/public/device.te
index 4a3bec9..0f64bfa 100644
--- a/public/device.te
+++ b/public/device.te
@@ -36,6 +36,7 @@
type nfc_device, dev_type;
type ptmx_device, dev_type, mlstrustedobject;
type kmsg_device, dev_type;
+type kmsg_debug_device, dev_type;
type null_device, dev_type, mlstrustedobject;
type random_device, dev_type, mlstrustedobject;
type sensors_device, dev_type;
diff --git a/public/dumpstate.te b/public/dumpstate.te
index ec1f326..028f8cb 100644
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@@ -140,9 +140,6 @@
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;
-# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
-allow dumpstate gpu_device:chr_file rw_file_perms;
-
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
diff --git a/public/init.te b/public/init.te
index b5c698e..3223400 100644
--- a/public/init.te
+++ b/public/init.te
@@ -13,6 +13,10 @@
# /dev/kmsg
allow init tmpfs:chr_file relabelfrom;
allow init kmsg_device:chr_file { write relabelto };
+# /dev/kmsg_debug
+userdebug_or_eng(`
+ allow init kmsg_debug_device:chr_file { write relabelto };
+')
# /dev/__properties__
allow init properties_device:dir relabelto;
allow init properties_serial:file { write relabelto };
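Review bot: The `userdebug_or_eng` wrapper around the kmsg_debug_device rule is unexplained, while the sibling `/dev/kmsg` rules just above are unconditional and device.te and file_contexts in this change declare and label kmsg_debug_device unconditionally; a reader cannot tell whether the node is absent on user builds or merely must not be written there. Suggest `# /dev/kmsg_debug: only relabelled and written on userdebug/eng builds; pairs with the crash_dump rule in crash_dump.te` so the intent is recorded next to the rule.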
diff --git a/public/te_macros b/public/te_macros
index 582cf33..3efbe32 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@
tmpfs_domain($1)
# Map with PROT_EXEC.
allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
')
#####################################
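Review bot: The two new neverallows carry no comment, unlike the equivalent rules in private/app.te in this change which state the hidepid=2 rationale; since this macro is expanded for every app domain, add above them something like `# /proc/pid isolation (hidepid=2-like): this app domain may not read or write /proc entries of any other domain, and other app domains may not read or write its entries. shell is exempt on both sides.` The enclosing macro definition starts outside this hunk, so confirm the lines land inside the intended macro body rather than after the closing `')`. It would also help to note here that the app.te rules already cover app-to-non-app access and that these rules add the app-to-app half, so a later reader does not treat them as duplicates.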