Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 8d5403c51794a98ed2717c6e72e3d1d4e6f548c4^! / . / private / surfaceflinger.te
commit8d5403c51794a98ed2717c6e72e3d1d4e6f548c4[log] [tgz]
authorHridya Valsaraju <hridya@google.com>Mon Feb 15 21:57:42 2021 -0800
committerHridya Valsaraju <hridya@google.com>Wed Mar 03 14:22:48 2021 -0800
treebe1862a6da52ea114f88b2d3268f604864f509a4
parent4357d55debdee181f0347b31e27993e786193812 [diff] [blame]
Add missing permission for accessing the DMA-BUF system heap

This patch fixes the following denials:

avc: denied { open } for comm="composer@2.4-se" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_sensors_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="android.hardwar" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file permissive=1
avc: denied { open } for comm="BootAnimation"
path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:bootanim:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="Binder:470_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=700 scontext=u:r:surfaceflinger:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { read } for comm="HwBinder:946_2" name="system" dev="tmpfs"
ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1
avc: denied { open } for comm="HwBinder:946_2" path="/dev/dma_heap/system"
dev="tmpfs" ino=588 scontext=u:r:cameraserver:s0
tcontext=u:object_r:dmabuf_system_heap_device:s0 tclass=chr_file
permissive=1

Bug: 178865267
Test: boot without these denials
Signed-off-by: Hyesoo Yu <hyesoo.yu@samsung.com>

Change-Id: Ic31dffd1328a8693b721433e1dcbbc650d3a3c07

diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 640306f..a32f89c 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te

@@ -109,6 +109,7 @@
 allow surfaceflinger system_server:fd use;
 allow surfaceflinger system_server:unix_stream_socket { read write };
 allow surfaceflinger ion_device:chr_file r_file_perms;
+allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
 
 # pdx IPC
 pdx_server(surfaceflinger, display_client)