Address SELinux denials for vnc_server
denied { net_raw } for comm="vnc_server" capability=13 scontext=u:r:vnc_server:s0 tcontext=u:r:vnc_server:s0 tclass=capability
denied { dac_override } for comm="vnc_server" capability=1 scontext=u:r:vnc_server:s0 tcontext=u:r:vnc_server:s0 tclass=capability
denied { write } for comm="vnc_server" name="uinput" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:uhid_device:s0 tclass=chr_file
denied { open } for comm="vnc_server" path="/dev/uinput" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:uhid_device:s0 tclass=chr_file
denied { ioctl } for comm="vnc_server" path="/dev/uinput" dev="tmpfs" ioctlcmd=5564 scontext=u:r:vnc_server:s0 tcontext=u:object_r:uhid_device:s0 tclass=chr_file
denied { open } for comm="vnc_server" path="/initial.metadata" dev="rootfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { read } for comm="vnc_server" name="initial.metadata" dev="rootfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { getattr } for comm="vnc_server" path="/initial.metadata" dev="rootfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:rootfs:s0 tclass=file
denied { open } for comm="vnc_server" path="/dev/framebuffer_control" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:device:s0 tclass=file
denied { read write } for comm="vnc_server" name="framebuffer_control" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:device:s0 tclass=file
denied { open } for comm="vnc_server" path="/dev/userspace_framebuffer" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:device:s0 tclass=file
denied { read write } for comm="vnc_server" name="userspace_framebuffer" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:device:s0 tclass=file
Test: Can interact with device over VNC. No SELinux denials for
vnc_server
Bug: 28053261
Change-Id: Ie83a319d13177ead6510b5dfa26a036a5f993972
diff --git a/shared/config/init.vsoc.rc b/shared/config/init.vsoc.rc
index f08fab5..7d1466c 100644
--- a/shared/config/init.vsoc.rc
+++ b/shared/config/init.vsoc.rc
@@ -14,9 +14,12 @@
write /dev/userspace_framebuffer 0
chown system system /dev/userspace_framebuffer
chmod 0660 /dev/userspace_framebuffer
+ restorecon /dev/userspace_framebuffer
write /dev/framebuffer_control 0
chown system system /dev/framebuffer_control
chmod 0660 /dev/framebuffer_control
+ restorecon /dev/framebuffer_control
+ restorecon /initial.metadata
mount debugfs debugfs /sys/kernel/debug
chmod 0755 /sys/kernel/debug
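Review bot: The added restorecon lines only fix labels, but the `dac_override` denial quoted in the commit message suggests the daemon's uid/gid does not match the `system system` / `0660` ownership this hunk sets on the two framebuffer files, so the policy half of this change ends up granting a capability to bypass exactly these DAC checks. Aligning the vnc_server service's `user`/`group` (its service definition is outside this hunk) with the chown lines here, or giving it `system` as a supplementary group, would let `dac_override` be dropped instead of allowed. A short comment above the first restorecon would also help the next reader, e.g. `# files created by init inherit the parent fs label (device/rootfs); relabel so vnc_server policy can target them`. Whether /initial.metadata is writable at this point of boot is not visible here, so the restorecon on rootfs is worth confirming on a real boot log.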
diff --git a/shared/sepolicy/file.te b/shared/sepolicy/file.te
new file mode 100644
index 0000000..949b422
--- /dev/null
+++ b/shared/sepolicy/file.te
@@ -0,0 +1,4 @@
+# File types
+type fb_ctl_file, file_type;
+type initial_metadata_file, file_type;
+type userspace_fb_file, file_type;
diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts
index 21978a8..6f46890 100644
--- a/shared/sepolicy/file_contexts
+++ b/shared/sepolicy/file_contexts
@@ -1,9 +1,15 @@
##########################
# Devices
#
+/dev/framebuffer_control u:object_r:fb_ctl_file:s0
+/dev/userspace_framebuffer u:object_r:userspace_fb_file:s0
/dev/vport[0-9]p[0-9]* u:object_r:virtual_serial_device:s0
#############################
+# Root files
+/initial\.metadata u:object_r:initial_metadata_file:s0
+
+#############################
# Vendor files
#
/system/vendor/bin/gce_fs_monitor u:object_r:gce_fs_monitor_exec:s0
diff --git a/shared/sepolicy/vnc_server.te b/shared/sepolicy/vnc_server.te
index 0580c0c..b3dd53d 100644
--- a/shared/sepolicy/vnc_server.te
+++ b/shared/sepolicy/vnc_server.te
@@ -2,3 +2,17 @@
type vnc_server_exec, exec_type, file_type;
init_daemon_domain(vnc_server)
+
+# Access to netd and network over TCP/UDP sockets
+net_domain(vnc_server)
+allow vnc_server self:capability { net_raw dac_override };
+
+# Read GCE initial metadata file
+allow vnc_server initial_metadata_file:file r_file_perms;
+
+# I/O with /dev/uinput
+allow vnc_server uhid_device:chr_file rw_file_perms;
+
+# Framebuffer I/O
+allow vnc_server fb_ctl_file:file rw_file_perms;
+allow vnc_server userspace_fb_file:file rw_file_perms;