7004789de3
ADF is a modern replacement for fbdev. ADF's device nodes (/dev/adf[X]), interface nodes (/dev/adf-interface[X].[Y]), and overlay engine nodes (/dev/adf-overlay-engine[X].[Y]) are collectively used in similar contexts as fbdev nodes. Vendor HW composers (via SurfaceFlinger) and healthd will need to send R/W ioctls to these nodes to prepare and update the display. Ordinary apps should not talk to ADF directly. Change-Id: Ic0a76b1e82c0cc1e8f240f219928af1783e79343 Signed-off-by: Greg Hackmann <ghackmann@google.com>
73 lines
2.3 KiB
Plaintext
73 lines
2.3 KiB
Plaintext
# surfaceflinger - display compositor service
|
|
type surfaceflinger, domain;
|
|
permissive_or_unconfined(surfaceflinger)
|
|
type surfaceflinger_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(surfaceflinger)
|
|
typeattribute surfaceflinger mlstrustedsubject;
|
|
|
|
# Talk to init over the property socket.
|
|
unix_socket_connect(surfaceflinger, property, init)
|
|
|
|
# Perform Binder IPC.
|
|
binder_use(surfaceflinger)
|
|
binder_call(surfaceflinger, binderservicedomain)
|
|
binder_call(surfaceflinger, appdomain)
|
|
binder_call(surfaceflinger, bootanim)
|
|
binder_service(surfaceflinger)
|
|
|
|
# Binder IPC to bu, presently runs in adbd domain.
|
|
binder_call(surfaceflinger, adbd)
|
|
|
|
# Read /proc/pid files for Binder clients.
|
|
r_dir_file(surfaceflinger, binderservicedomain)
|
|
r_dir_file(surfaceflinger, appdomain)
|
|
|
|
# Access the GPU.
|
|
allow surfaceflinger gpu_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/graphics/fb0.
|
|
allow surfaceflinger graphics_device:dir search;
|
|
allow surfaceflinger graphics_device:chr_file rw_file_perms;
|
|
|
|
# Access ADF device nodes.
|
|
allow surfaceflinger adf_device:chr_file rw_file_perms;
|
|
|
|
# Access /dev/video1.
|
|
allow surfaceflinger video_device:dir r_dir_perms;
|
|
allow surfaceflinger video_device:chr_file rw_file_perms;
|
|
|
|
# Create and use netlink kobject uevent sockets.
|
|
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms;
|
|
|
|
# Set properties.
|
|
allow surfaceflinger system_prop:property_service set;
|
|
allow surfaceflinger ctl_bootanim_prop:property_service set;
|
|
|
|
# Use open files supplied by an app.
|
|
allow surfaceflinger appdomain:fd use;
|
|
allow surfaceflinger app_data_file:file { read write };
|
|
|
|
# Use open file provided by bootanim.
|
|
allow surfaceflinger bootanim:fd use;
|
|
|
|
# Allow a dumpstate triggered screenshot
|
|
binder_call(surfaceflinger, dumpstate)
|
|
binder_call(surfaceflinger, shell)
|
|
r_dir_file(surfaceflinger, dumpstate)
|
|
|
|
# Needed on some devices for playing DRM protected content,
|
|
# but seems expected and appropriate for all devices.
|
|
allow surfaceflinger tee:unix_stream_socket connectto;
|
|
allow surfaceflinger tee_device:chr_file rw_file_perms;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
### surfaceflinger should NEVER do any of this
|
|
|
|
# Do not allow accessing SDcard files as unsafe ejection could
|
|
# cause the kernel to kill the process.
|
|
# TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above.
|
|
neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms;
|