Address orientation changes sepolicy denials

Turns out vnc_server communicates with system_server over a Unix domain
socket /var/run/system/sensors_hal_socket. This will hopefully go away
soon -- see b/65062047.

denied { write } for comm="system-server-i" name="system" dev="tmpfs" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
denied { add_name } for comm="system-server-i" name="sensors_hal_socket" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir
denied { create } for comm="system-server-i" name="sensors_hal_socket" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=sock_file
denied { setattr } for comm="system-server-i" name="sensors_hal_socket" dev="tmpfs" scontext=u:r:system_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=sock_file

denied { write } for comm="vnc_server" name="sensors_hal_socket" dev="tmpfs" scontext=u:r:vnc_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=sock_file
denied { connectto } for comm="vnc_server" path="/var/run/system/sensors_hal_socket" scontext=u:r:vnc_server:s0 tcontext=u:r:system_server:s0 tclass=unix_stream_socket
denied { search } for pid=1605 comm="vnc_server" name="system" dev="tmpfs" ino=6486 scontext=u:r:vnc_server:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir

Test: Device boots, VNC works fine, incl. orientation changes between
      portrait and landscape. No SELinux denials to do with
      system_server or vnc_server.
Bug: 28053261

Change-Id: I23f0b23b6a92cc8f2f907551bc5f76dd69bd7a51
diff --git a/shared/sepolicy/file.te b/shared/sepolicy/file.te
index f79af7d..bbbe4aa 100644
--- a/shared/sepolicy/file.te
+++ b/shared/sepolicy/file.te
@@ -1,7 +1,9 @@
 # File types
 type fb_ctl_file, file_type;
 type initial_metadata_file, file_type;
+type sensors_hal_socket, file_type;
 # USB related portion of sysfs requiring privileged access, as opposed to sysfs_usb which is
 type sysfs_usb_priv, sysfs_type, file_type;
 type tombstone_snapshot_file, file_type;
 type userspace_fb_file, file_type;
+type var_run_system_file, file_type;
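Review bot: The two added types carry no marker that they are temporary, although the TODO(b/65062047) comments in system_server.te and vnc_server.te say the "two file type definitions" should be removed along with vnc_server. Anyone cleaning up those rules later has nothing in this file, or in the file_contexts hunk, to find them by. Suggest a comment above each added `type` line, e.g. `# TODO(b/65062047): remove together with the vnc_server sensors_hal_socket rules`.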
diff --git a/shared/sepolicy/file_contexts b/shared/sepolicy/file_contexts
index 069a548..29c71b0 100644
--- a/shared/sepolicy/file_contexts
+++ b/shared/sepolicy/file_contexts
@@ -15,6 +15,10 @@
 /ts_snap\.txt                      u:object_r:tombstone_snapshot_file:s0
 
 #############################
+# var files
+/var/run/system(/.*)?              u:object_r:var_run_system_file:s0
+
+#############################
 # sysfs files
 #
 /sys/bus/usb(/.*)?                             u:object_r:sysfs_usb_priv:s0
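Review bot: The pattern `/var/run/system(/.*)?` also matches the socket path itself, so file_contexts maps /var/run/system/sensors_hal_socket to var_run_system_file, while the type_transition in system_server.te labels it sensors_hal_socket at creation. If anything runs a recursive restorecon over this directory (not visible in this change), the socket would be relabelled and vnc_server's `sock_file write` would be denied again. A more specific entry keeps the two sources in agreement: `/var/run/system/sensors_hal_socket    u:object_r:sensors_hal_socket:s0`. Because the path is on tmpfs, the `# var files` comment could also say what creates and labels the directory at boot, since runtime-created tmpfs entries do not pick up file_contexts labels on their own.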
diff --git a/shared/sepolicy/system_server.te b/shared/sepolicy/system_server.te
new file mode 100644
index 0000000..6fc111a
--- /dev/null
+++ b/shared/sepolicy/system_server.te
@@ -0,0 +1,5 @@
+# TODO(b/65062047): Remove these rules (incl. the two file type definitions) once vnc_server is gone
+# Create /var/run/system directory and sensors_hal_socket socket in the directory.
+allow system_server var_run_system_file:dir w_dir_perms;
+type_transition system_server var_run_system_file:sock_file sensors_hal_socket;
+allow system_server sensors_hal_socket:sock_file { create setattr };
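Review bot: The comment on the second added line says these rules create the /var/run/system directory, but `w_dir_perms` in AOSP's global_macros (open, search, write, add_name, remove_name) has no `create` on the dir class. The denials in the commit message are also only `write` and `add_name` on a directory that already exists. Reword it to something like `# Create the sensors_hal_socket socket inside the existing /var/run/system directory.` Also, `remove_name` is granted on the directory without `unlink` on `sensors_hal_socket:sock_file`, so system_server still could not remove a stale socket. Either narrow the dir rule to `{ search write add_name }` to match the observed denials, or add `unlink` if the socket is meant to be recreated after a system_server restart.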
diff --git a/shared/sepolicy/vnc_server.te b/shared/sepolicy/vnc_server.te
index b3dd53d..7756261 100644
--- a/shared/sepolicy/vnc_server.te
+++ b/shared/sepolicy/vnc_server.te
@@ -16,3 +16,10 @@
 # Framebuffer I/O
 allow vnc_server fb_ctl_file:file rw_file_perms;
 allow vnc_server userspace_fb_file:file rw_file_perms;
+
+# TODO(b/65062047): Remove these rules (incl. the two file type definitions) once vnc_server is gone
+# I/O with system_server via sensors_hal_socket Unix domain socket. Needed for orientation changes.
+unix_socket_connect(vnc_server, sensors_hal, system_server)
+# For some reason vnc_server attempts a search of /var/run/system directory instead of going
+# straight for opening the sensors_hal_socket
+allow vnc_server var_run_system_file:dir search;
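Review bot: The "For some reason vnc_server attempts a search" comment treats the directory access as unexplained, but it is ordinary path resolution: connecting to /var/run/system/sensors_hal_socket requires `search` on each directory component of the path. Suggest replacing it with `# Path lookup of /var/run/system/sensors_hal_socket needs search on the containing directory.` so the rule is not later removed as a suspected workaround. Separately, the stock `unix_socket_connect` macro grants `connectto` on `system_server:unix_stream_socket` as a class, and only the `sock_file write` on sensors_hal_socket ties it to this path. That is probably acceptable for a temporary rule, but worth stating in the comment next to the TODO.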