commit 8d5403c51794a98ed2717c6e72e3d1d4e6f548c4
author Hridya Valsaraju <hridya@google.com> Mon Feb 15 21:57:42 2021 -0800
committer Hridya Valsaraju <hridya@google.com> Wed Mar 03 14:22:48 2021 -0800
tree be1862a6da52ea114f88b2d3268f604864f509a4
parent 4357d55debdee181f0347b31e27993e786193812

Add missing permission for accessing the DMA-BUF system heap

This patch fixes the following denials:

avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="BootAnimation"
path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:bootanim:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs"
ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1

Bug: 178865267
Test: boot without these denials
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07

private/surfaceflinger.te

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 640306f..a32f89c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -109,6 +109,7 @@
 allow surfaceflinger system_server:fd use;
 allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
 
 # pdx IPC
 pdx_server(surfaceflinger, display_client)

public/bootanim.te

diff --git a/public/bootanim.te b/public/bootanim.te
index acef6da..88fe173 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -27,6 +27,10 @@
 
 # Allow access to ion memory allocation device
 allow bootanim ion_device:chr_file rw_file_perms;
+
+# Allow access to DMA-BUF system heap
+allow bootanim dmabuf_system_heap_device:chr_file r_file_perms;
+
 allow bootanim hal_graphics_allocator:fd use;
 
 # Fences

public/cameraserver.te

diff --git a/public/cameraserver.te b/public/cameraserver.te
index 365af78..7a29240 100644
--- a/public/cameraserver.te
+++ b/public/cameraserver.te
@@ -13,6 +13,7 @@
 hal_client_domain(cameraserver, hal_graphics_allocator)
 
 allow cameraserver ion_device:chr_file rw_file_perms;
+allow cameraserver dmabuf_system_heap_device:chr_file r_file_perms;
 
 # Talk with graphics composer fences
 allow cameraserver hal_graphics_composer:fd use;

public/hal_camera.te

diff --git a/public/hal_camera.te b/public/hal_camera.te
index 77216e4..45fad56 100644
--- a/public/hal_camera.te
+++ b/public/hal_camera.te
@@ -9,6 +9,8 @@
 allow hal_camera video_device:chr_file rw_file_perms;
 allow hal_camera camera_device:chr_file rw_file_perms;
 allow hal_camera ion_device:chr_file rw_file_perms;
+allow hal_camera dmabuf_system_heap_device:chr_file r_file_perms;
+
 # Both the client and the server need to use the graphics allocator
 allow { hal_camera_client hal_camera_server } hal_graphics_allocator:fd use;
 

public/hal_graphics_allocator.te

diff --git a/public/hal_graphics_allocator.te b/public/hal_graphics_allocator.te
index 991e147..3ec6b96 100644
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@@ -8,6 +8,7 @@
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
+allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
 
 # allow to run with real-time scheduling policy
 allow hal_graphics_allocator self:global_capability_class_set sys_nice;

public/hal_graphics_composer.te

diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
index cb4a130..1c69c99 100644
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@@ -16,6 +16,7 @@
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
 allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_graphics_composer hal_graphics_allocator:fd use;
 
 # Access /dev/graphics/fb0.

vendor/hal_sensors_default.te

diff --git a/vendor/hal_sensors_default.te b/vendor/hal_sensors_default.te
index f00b25a..8752364 100644
--- a/vendor/hal_sensors_default.te
+++ b/vendor/hal_sensors_default.te
@@ -13,6 +13,7 @@
 # android.hardware.graphics.allocator
 allow hal_sensors_default hal_graphics_allocator_default:fd use;
 allow hal_sensors_default ion_device:chr_file r_file_perms;
+allow hal_sensors_default dmabuf_system_heap_device:chr_file r_file_perms;
 
 # allow sensor hal to use lock for keeping system awake for wake up
 # events delivery.