Selinux changes for vr flinger vsync service

Add selinux policy for the new Binder-based vr flinger vsync service. Bug: 72890037 Test: - Manually confirmed that I can't bind to the new vsync service from a normal Android application, and system processes (other than vr_hwc) are prevented from connecting by selinux. - Confirmed the CTS test android.security.cts.SELinuxHostTest#testAospServiceContexts, when built from the local source tree with this CL applied, passes. - Confirmed the CTS test android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521, when built from the local source tree with this CL applied, passes. Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
2018-07-13 17:17:01 -07:00 · 2018-07-13 17:17:01 -07:00 · 7bec967402
commit 7bec967402
parent 6397d7e0cb
6 changed files with 8 additions and 0 deletions
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@ -151,6 +151,7 @@
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
    vold_service
+    vrflinger_vsync_service
    wait_for_keymaster
    wait_for_keymaster_exec
    wait_for_keymaster_tmpfs
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@ -126,6 +126,7 @@
    vold_prepare_subdirs
    vold_prepare_subdirs_exec
    vold_service
+    vrflinger_vsync_service
    wait_for_keymaster
    wait_for_keymaster_exec
    wait_for_keymaster_tmpfs
--- a/private/service_contexts
+++ b/private/service_contexts
@ -176,6 +176,7 @@ virtual_touchpad                          u:object_r:virtual_touchpad_service:s0
 voiceinteraction                          u:object_r:voiceinteraction_service:s0
 vold                                      u:object_r:vold_service:s0
 vr_hwc                                    u:object_r:vr_hwc_service:s0
+vrflinger_vsync                           u:object_r:vrflinger_vsync_service:s0
 vrmanager                                 u:object_r:vr_manager_service:s0
 wallpaper                                 u:object_r:wallpaper_service:s0
 webviewupdate                             u:object_r:webviewupdate_service:s0
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@ -84,6 +84,8 @@ add_service(surfaceflinger, gpu_service)
 #add_service(surfaceflinger, surfaceflinger_service)
 allow surfaceflinger surfaceflinger_service:service_manager { add find };

+add_service(surfaceflinger, vrflinger_vsync_service)
+
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
--- a/public/service.te
+++ b/public/service.te
@ -32,6 +32,7 @@ type update_engine_service,     service_manager_type;
 type virtual_touchpad_service,  service_manager_type;
 type vold_service,              service_manager_type;
 type vr_hwc_service,            service_manager_type;
+type vrflinger_vsync_service,   service_manager_type;

 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@ -29,3 +29,5 @@ pdx_client(vr_hwc, display_client)
 # Requires access to the permission service to validate that clients have the
 # appropriate VR permissions.
 allow vr_hwc permission_service:service_manager find;
+
+allow vr_hwc vrflinger_vsync_service:service_manager find;