SELinux policies for PDX services Specify per-service rules for PDX transport. Now being able to grant permissions to individual services provided by processes, not all services of a process. Also tighter control over which permissions are required for client and server for individual components of IPC (endpoints, channels, etc). Bug: 37646189 Change-Id: I78eb8ae8b6e08105666445a66bfcbd2f1d69d0ea

commit: 41daa7f859be06a49e4770a1f1d33b0d3070fa5a [log] [tgz]
author: Alex Vakulenko <avakulenko@google.com> Mon May 01 13:01:44 2017 -0700
committer: Alex Vakulenko <avakulenko@google.com> Wed May 10 16:39:19 2017 -0700
tree: 4649ed117e5ee1391ecc1266ba2b56b9d9eb4fb2
parent: e1074f8bfc1b0cbce831a775161b1fb791bd4079 [diff] [blame]
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 8e5892b..1e425ba 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te

@@ -91,11 +91,15 @@
 allow surfaceflinger ion_device:chr_file r_file_perms;
 
 # pdx IPC
-pdx_server(surfaceflinger)
+pdx_server(surfaceflinger, display_client)
+pdx_server(surfaceflinger, display_manager)
+pdx_server(surfaceflinger, display_screenshot)
+pdx_server(surfaceflinger, display_vsync)
 
-use_pdx(surfaceflinger, bufferhubd)
-use_pdx(surfaceflinger, performanced)
-use_pdx(surfaceflinger, sensord)
+pdx_client(surfaceflinger, bufferhub_client)
+pdx_client(surfaceflinger, performance_client)
+pdx_client(surfaceflinger, sensors_client)
+pdx_client(surfaceflinger, pose_client)
 
 ###
 ### Neverallow rules
commit	41daa7f859be06a49e4770a1f1d33b0d3070fa5a	[log] [tgz]
author	Alex Vakulenko <avakulenko@google.com>	Mon May 01 13:01:44 2017 -0700
committer	Alex Vakulenko <avakulenko@google.com>	Wed May 10 16:39:19 2017 -0700
tree	4649ed117e5ee1391ecc1266ba2b56b9d9eb4fb2
parent	e1074f8bfc1b0cbce831a775161b1fb791bd4079 [diff] [blame]