Diff - e21871c8b7250f5dfc746298ab170a869e6be94d^! - fp2-dev/platform/external/sepolicy

commit	e21871c8b7250f5dfc746298ab170a869e6be94d	[log] [tgz]
author	rpcraig <rpcraig@tycho.ncsc.mil>	Tue Feb 04 16:24:08 2014 -0500
committer	Robert Craig <rpcraig@tycho.ncsc.mil>	Thu Feb 06 06:13:24 2014 -0500
tree	5b8d9b074123564068f99eed9cbe1ef5f60c0e3f
parent	629c98c211580999fe000d337a4cbcf38dc4395e [diff] [blame]

Address screenrecord denials.

Steps to reproduce across devices.
  adb shell screenrecord --bit-rate 8000000 --time-limit 10 /data/local/tmp/test.mp4

* Allow surfaceflinger to talk to mediaserver
   avc:  denied  { call } for  pid=122 comm="surfaceflinger" scontext=u:r:surfaceflinger:s0 tcontext=u:r:mediaserver:s0 tclass=binder

* Give mediaserver access to gpu_device
   avc:  denied  { read write } for  pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
   avc:  denied  { open } for  pid=2793 comm="VideoEncMsgThre" name="kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file
   avc:  denied  { ioctl } for  pid=2793 comm="VideoEncMsgThre" path="/dev/kgsl-3d0" dev="tmpfs" ino=6556 scontext=u:r:mediaserver:s0 tcontext=u:object_r:gpu_device:s0 tclass=chr_file

Change-Id: Id1812ec95662f4b2433e2989f5fccce6a85c3a41
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>

diff --git a/surfaceflinger.te b/surfaceflinger.te
index 9c58afa..2a3087b 100644
--- a/surfaceflinger.te
+++ b/surfaceflinger.te

@@ -13,6 +13,7 @@
 binder_use(surfaceflinger)
 binder_call(surfaceflinger, system_server)
 binder_call(surfaceflinger, nfc)
+binder_call(surfaceflinger, mediaserver)
 binder_service(surfaceflinger)
 
 # Access the GPU.