Address surfaceflinger denials.

Resolves denials such as:

avc:  denied  { call } for  pid=257 comm="Binder_2" scontext=u:r:surfaceflinger:s0 tcontext=u:r:adbd:s0 tclass=binder

avc:  denied  { call } for  pid=1002 comm="Binder_4" scontext=u:r:surfaceflinger:s0 tcontext=u:r:platform_app:s0 tclass=binder

avc:  denied  { open } for  pid=1468 comm="Binder_1" name="cmdline" dev="proc" ino=10222 scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=file

avc:  denied  { open } for  pid=1275 comm="Binder_5" name="cmdline" dev="proc" ino=38036 scontext=u:r:surfaceflinger:s0 tcontext=u:r:system_app:s0 tclass=file

Change-Id: I92147a1636b44a851d0e0e059f70ec8267cecf08
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 7d73696..1268247 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -11,11 +11,17 @@
 
 # Perform Binder IPC.
 binder_use(surfaceflinger)
-binder_call(surfaceflinger, system_server)
-binder_call(surfaceflinger, nfc)
-binder_call(surfaceflinger, mediaserver)
+binder_call(surfaceflinger, binderservicedomain)
+binder_call(surfaceflinger, appdomain)
 binder_service(surfaceflinger)
 
+# Binder IPC to bu, presently runs in adbd domain.
+binder_call(surfaceflinger, adbd)
+
+# Read /proc/pid files for Binder clients.
+r_dir_file(surfaceflinger, binderservicedomain)
+r_dir_file(surfaceflinger, appdomain)
+
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
 
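Review bot: `r_dir_file(surfaceflinger, appdomain)` grants read on every /proc/pid file, directory and symlink of every app domain, while the quoted denials only show `open` on `cmdline`; the same applies to the binderservicedomain line above it. If cmdline is all that is read, a narrower `allow surfaceflinger { binderservicedomain appdomain }:file r_file_perms;` would match the denials, assuming directory search is already granted or not needed here — worth confirming before widening to the whole tree. Dropping the explicit `binder_call(surfaceflinger, nfc)` presumes nfc carries the appdomain attribute; that should be checked in nfc.te. The adbd line is described as a stopgap, so a `# TODO: drop once bu has its own domain.` would mark it for follow-up.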
@@ -50,3 +56,13 @@
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee:unix_stream_socket connectto;
 allow surfaceflinger tee_device:chr_file rw_file_perms;
+
+###
+### Neverallow rules
+###
+### surfaceflinger should NEVER do any of this
+
+# Do not allow accessing SDcard files as unsafe ejection could
+# cause the kernel to kill the process.
+# TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above.
+neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms;
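Review bot: The neverallow on the last line covers only the `file` class, so surfaceflinger could still hold an open directory handle (an opened directory or a cwd) under sdcard_type; if the ejection-triggered kill applies to those as well, the stated goal is only partly enforced, and `neverallow { surfaceflinger -unconfineddomain } sdcard_type:{ file dir } rw_file_perms;` would close it. The TODO points to "permissive_or_unconfined above", which lies outside this hunk; naming the call (presumably `permissive_or_unconfined(surfaceflinger)`) would let a reader find it without scrolling.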