Address screenrecord denials.

Steps to reproduce across devices.
  adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4

* Allow surfaceflinger to talk to mediaserver
  avc: denied { call } for pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder

* Give mediaserver access to gpu_device
  avc: denied { read write } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
  avc: denied { open } for pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
  avc: denied { ioctl } for pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
diff --git a/surfaceflinger.te b/surfaceflinger.te
index 9c58afa..2a3087b 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te
@@ -13,6 +13,7 @@
binder_use(surfaceflinger)
binder_call(surfaceflinger, system_server)
binder_call(surfaceflinger, nfc)
+binder_call(surfaceflinger, mediaserver)
binder_service(surfaceflinger)
# Access the GPU.
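Review bot: the gpu_device denials quoted in the commit message (read write, open, ioctl from scontext mediaserver on chr_file) have no matching rule in this hunk, which only touches surfaceflinger.te, so please confirm the mediaserver rule is carried elsewhere in the patch and that it is scoped to exactly those chr_file permissions on gpu_device. On the added `binder_call(surfaceflinger, mediaserver)` line itself, the only logged denial for this pair is `{ call }` on tclass=binder, so it is worth checking that the macro does not grant more than the screenrecord path needs, and a short comment above the line naming screenrecord as the reason would help later policy audits, since the neighbouring binder_call lines give no rationale either.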