From 7bec967402f3624cac3c64497f03c94b3ce31b4b Mon Sep 17 00:00:00 2001
From: Steven Thomas
Date: Fri, 13 Jul 2018 17:17:01 -0700
Subject: [PATCH] Selinux changes for vr flinger vsync service Add selinux policy for the new Binder-based vr flinger vsync service.
Bug: 72890037
Test: - Manually confirmed that I can't bind to the new vsync service from a normal Android application, and system processes (other than vr_hwc) are prevented from connecting by selinux. - Confirmed the CTS test android.security.cts.SELinuxHostTest#testAospServiceContexts, when built from the local source tree with this CL applied, passes. - Confirmed the CTS test android.cts.security.SELinuxNeverallowRulesTest#testNeverallowRules521, when built from the local source tree with this CL applied, passes.
Change-Id: Ib7a6bfcb1c2ebe1051f3accc18b481be1b188b06
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/compat/27.0/27.0.ignore.cil | 1 +
 private/service_contexts | 1 +
 private/surfaceflinger.te | 2 ++
 public/service.te | 1 +
 public/vr_hwc.te | 2 ++
 6 files changed, 8 insertions(+)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index ae36f1c70..5212b62fc 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -151,6 +151,7 @@
 vold_prepare_subdirs
 vold_prepare_subdirs_exec
 vold_service
+ vrflinger_vsync_service
 wait_for_keymaster
 wait_for_keymaster_exec
 wait_for_keymaster_tmpfs
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index 4530df498..4b7ef9212 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -126,6 +126,7 @@
 vold_prepare_subdirs
 vold_prepare_subdirs_exec
 vold_service
+ vrflinger_vsync_service
 wait_for_keymaster
 wait_for_keymaster_exec
 wait_for_keymaster_tmpfs
diff --git a/private/service_contexts b/private/service_contexts
index 0513073a7..de784d35c 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -176,6 +176,7 @@ virtual_touchpad u:object_r:virtual_touchpad_service:s0
 voiceinteraction u:object_r:voiceinteraction_service:s0
 vold u:object_r:vold_service:s0
 vr_hwc u:object_r:vr_hwc_service:s0
+vrflinger_vsync u:object_r:vrflinger_vsync_service:s0
 vrmanager u:object_r:vr_manager_service:s0
 wallpaper u:object_r:wallpaper_service:s0
 webviewupdate u:object_r:webviewupdate_service:s0
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 61c89e1c1..d9d7dea6e 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -84,6 +84,8 @@ add_service(surfaceflinger, gpu_service)
 #add_service(surfaceflinger, surfaceflinger_service)
 allow surfaceflinger surfaceflinger_service:service_manager { add find };
+add_service(surfaceflinger, vrflinger_vsync_service)
+
 allow surfaceflinger mediaserver_service:service_manager find;
 allow surfaceflinger permission_service:service_manager find;
 allow surfaceflinger power_service:service_manager find;
diff --git a/public/service.te b/public/service.te
index 11fb831dc..1ec01028d 100644
--- a/public/service.te
+++ b/public/service.te
@@ -32,6 +32,7 @@ type update_engine_service, service_manager_type;
 type virtual_touchpad_service, service_manager_type;
 type vold_service, service_manager_type;
 type vr_hwc_service, service_manager_type;
+type vrflinger_vsync_service, service_manager_type;
 # system_server_services broken down
 type accessibility_service, app_api_service, ephemeral_app_api_service, system_server_service, service_manager_type;
diff --git a/public/vr_hwc.te b/public/vr_hwc.te
index c05dd638a..8e3cb5133 100644
--- a/public/vr_hwc.te
+++ b/public/vr_hwc.te
@@ -29,3 +29,5 @@ pdx_client(vr_hwc, display_client)
 # Requires access to the permission service to validate that clients have the
 # appropriate VR permissions.
 allow vr_hwc permission_service:service_manager find;
+
+allow vr_hwc vrflinger_vsync_service:service_manager find;
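Review bot: In private/surfaceflinger.te, `add_service(surfaceflinger, vrflinger_vsync_service)` pins which domain may register the service, but who may `find` it is limited only by the absence of allow rules, and the commit message says that restriction was confirmed manually. Because the type is declared in public/service.te, later platform or vendor policy could grant `find` to another domain without any build failure. A build-time guard next to the add_service line would make the intent enforceable, e.g. `neverallow { domain -surfaceflinger -vr_hwc } vrflinger_vsync_service:service_manager find;`. Domains that are granted `find` on the whole `service_manager_type` attribute elsewhere in policy (not visible here) would have to be exempted or have this type excluded from their rule. The surrounding rules continue outside the hunk, so an existing guard elsewhere in the file cannot be ruled out.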
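Review bot: The added `allow vr_hwc vrflinger_vsync_service:service_manager find;` at the end of public/vr_hwc.te has no comment, while the permission_service rule directly above it explains why the access is needed. A one-line rationale would help later policy audits, for example `# Allow vr_hwc to look up the vr flinger vsync service registered by surfaceflinger.` Note also that this rule covers only the service_manager lookup. The Binder transaction itself needs a separate binder_call grant between vr_hwc and surfaceflinger, which is presumably in the part of the file outside this hunk and is worth confirming.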