Merge "Allow surfaceflinger to read and write app Unix sockets" into main am: f3bb3720bb am: 8243e00ec0 Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/3164560 Change-Id: If88accf2c8eb671832046d6ceed533ead178bc31 Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>

commit: a700ef91fd2de2e02a5eff82bcd1cc3243120f58 [log] [tgz]
author: Patrick Williams <pdwilliams@google.com> Fri Jul 19 17:55:47 2024 +0000
committer: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Fri Jul 19 17:55:47 2024 +0000
tree: e204274e9493785313d769664387997ef3ee8549
parent: 69ba0b035a715160db39f16967c764719a6ab99e [diff]
parent: 8243e00ec0b30d0c9201519aeb88831c277a2142 [diff]
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 91e9aba..f6f1d9b 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te

@@ -85,6 +85,10 @@
 # Use socket supplied by adbd, for cmd gpu vkjson etc.
 allow surfaceflinger adbd:unix_stream_socket { read write getattr };
 
+# Allow reading and writing to sockets used for BLAST buffer releases
+allow surfaceflinger { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:unix_stream_socket { read write };
+allow surfaceflinger bootanim:unix_stream_socket { read write };
+
 # Allow a dumpstate triggered screenshot
 binder_call(surfaceflinger, dumpstate)
 binder_call(surfaceflinger, shell)
commit	a700ef91fd2de2e02a5eff82bcd1cc3243120f58	[log] [tgz]
author	Patrick Williams <pdwilliams@google.com>	Fri Jul 19 17:55:47 2024 +0000
committer	Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>	Fri Jul 19 17:55:47 2024 +0000
tree	e204274e9493785313d769664387997ef3ee8549
parent	69ba0b035a715160db39f16967c764719a6ab99e [diff]
parent	8243e00ec0b30d0c9201519aeb88831c277a2142 [diff]