Add sepolicy for hwcomposer HAL
Allow SurfaceFlinger to call into IComposer, and vice versa for
IComposerCallback.
Specifically,
hwbinder_use(...) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hwservicemanager:s0 tclass=binder permissive=1
binder_call(..., surfaceflinger) for
avc: denied { call } for scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=binder permissive=1
allow ... gpu_device:chr_file rw_file_perms for
avc: denied { read write } for name="kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { open } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
avc: denied { ioctl } for path="/dev/kgsl-3d0" dev="tmpfs" ino=14956 ioctlcmd=940 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file permissive=1
allow ... ion_device:chr_file r_file_perms for
avc: denied { ioctl } for path="/dev/ion" dev="tmpfs" ino=15014 ioctlcmd=4900 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:ion_device:s0 tclass=chr_file permissive=1
allow ... graphics_device ... for
avc: denied { ioctl } for path="/dev/graphics/fb0" dev="tmpfs" ino=15121 ioctlcmd=5380 scontext=u:r:hal_graphics_composer:s0 tcontext=u:object_r:graphics_device:s0 tclass=chr_file permissive=1
allow ... ...:fd use for
avc: denied { use } for path="anon_inode:dmabuf" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:hal_graphics_allocator_service:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:bootanim:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:surfaceflinger:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:hal_graphics_composer:s0 tcontext=u:r:platform_app:s0:c512,c768 tclass=fd permissive=1
binder_call(surfaceflinger, ...) for
avc: denied { call } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { transfer } for scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=binder permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 ioctlcmd=3e02 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=12794 scontext=u:r:surfaceflinger:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
allow bootanim ...:fd use for
avc: denied { use } for path="anon_inode:sync_fence" dev="anon_inodefs" ino=11947 scontext=u:r:bootanim:s0 tcontext=u:r:hal_graphics_composer:s0 tclass=fd permissive=1
Bug: 32021609
Test: make bootimage
Change-Id: I036cdbebf0c619fef7559f294f1865f381b17588
diff --git a/private/file_contexts b/private/file_contexts
index 382a20d..a341d7e 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -226,6 +226,7 @@
/system/bin/hw/android\.hardware\.audio@2\.0-service u:object_r:hal_audio_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.graphics\.allocator@2\.0-service u:object_r:hal_graphics_allocator_exec:s0
+/system/bin/hw/android\.hardware\.graphics\.composer@2\.1-service u:object_r:hal_graphics_composer_exec:s0
/system/bin/hw/android\.hardware\.light@2\.0-service u:object_r:hal_light_exec:s0
/system/bin/hw/android\.hardware\.memtrack@1\.0-service u:object_r:hal_memtrack_exec:s0
/system/bin/hw/android\.hardware\.nfc@1\.0-service u:object_r:hal_nfc_exec:s0
diff --git a/private/hal_graphics_composer.te b/private/hal_graphics_composer.te
new file mode 100644
index 0000000..128171f
--- /dev/null
+++ b/private/hal_graphics_composer.te
@@ -0,0 +1 @@
+init_daemon_domain(hal_graphics_composer)
diff --git a/public/bootanim.te b/public/bootanim.te
index 4d16f55..3e0af8e 100644
--- a/public/bootanim.te
+++ b/public/bootanim.te
@@ -22,6 +22,9 @@
allow bootanim ion_device:chr_file rw_file_perms;
allow bootanim hal_graphics_allocator:fd use;
+# Fences
+allow bootanim hal_graphics_composer:fd use;
+
# Read access to pseudo filesystems.
r_dir_file(bootanim, proc)
allow bootanim proc_meminfo:file r_file_perms;
diff --git a/public/hal_graphics_composer.te b/public/hal_graphics_composer.te
new file mode 100644
index 0000000..e92eeaf
--- /dev/null
+++ b/public/hal_graphics_composer.te
@@ -0,0 +1,22 @@
+# graphics composer subsystem
+type hal_graphics_composer, domain;
+type hal_graphics_composer_exec, exec_type, file_type;
+
+# HwBinder access
+hwbinder_use(hal_graphics_composer)
+# IComposerCallback
+binder_call(hal_graphics_composer, surfaceflinger)
+
+# GPU device access
+allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
+allow hal_graphics_composer ion_device:chr_file r_file_perms;
+allow hal_graphics_composer hal_graphics_allocator:fd use;
+
+# Access /dev/graphics/fb0.
+allow hal_graphics_composer graphics_device:dir search;
+allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
+
+# Fences
+allow hal_graphics_composer system_server:fd use;
+allow hal_graphics_composer bootanim:fd use;
+allow hal_graphics_composer {appdomain ephemeral_app}:fd use;
diff --git a/public/surfaceflinger.te b/public/surfaceflinger.te
index 4f9f8ef..608afc5 100644
--- a/public/surfaceflinger.te
+++ b/public/surfaceflinger.te
@@ -7,6 +7,7 @@
# Perform HwBinder IPC.
hwbinder_use(surfaceflinger)
binder_call(surfaceflinger, hal_graphics_allocator)
+binder_call(surfaceflinger, hal_graphics_composer)
# Perform Binder IPC.
binder_use(surfaceflinger)