Blame - surfaceflinger.te - fp2-dev/platform/external/sepolicy

blob: 2a3087b6f9f6648272c5f31a26868c68f6149bf1 [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	# surfaceflinger - display compositor service
				2	type surfaceflinger, domain;
Nick Kralevich	623975f	2014-01-11 01:31:03 -0800	[diff] [blame]	3	permissive_or_unconfined(surfaceflinger)
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	4	type surfaceflinger_exec, exec_type, file_type;
				5
				6	init_daemon_domain(surfaceflinger)
Stephen Smalley	52a8523	2013-10-29 14:42:40 -0400	[diff] [blame]	7	typeattribute surfaceflinger mlstrustedsubject;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	8
				9	# Talk to init over the property socket.
				10	unix_socket_connect(surfaceflinger, property, init)
Stephen Smalley	52a8523	2013-10-29 14:42:40 -0400	[diff] [blame]	11
				12	# Perform Binder IPC.
				13	binder_use(surfaceflinger)
				14	binder_call(surfaceflinger, system_server)
Nick Kralevich	629c98c	2014-02-05 11:25:24 -0800	[diff] [blame]	15	binder_call(surfaceflinger, nfc)
rpcraig	e21871c	2014-02-04 16:24:08 -0500	[diff] [blame]	16	binder_call(surfaceflinger, mediaserver)
Stephen Smalley	52a8523	2013-10-29 14:42:40 -0400	[diff] [blame]	17	binder_service(surfaceflinger)
Stephen Smalley	52a8523	2013-10-29 14:42:40 -0400	[diff] [blame]	18
Stephen Smalley	3ba9012	2013-12-12 09:09:53 -0500	[diff] [blame]	19	# Access the GPU.
				20	allow surfaceflinger gpu_device:chr_file rw_file_perms;
				21
Stephen Smalley	52a8523	2013-10-29 14:42:40 -0400	[diff] [blame]	22	# Access /dev/graphics/fb0.
				23	allow surfaceflinger graphics_device:dir search;
				24	allow surfaceflinger graphics_device:chr_file rw_file_perms;
				25
				26	# Access /dev/video1.
Nick Kralevich	37339c7	2014-01-06 12:39:19 -0800	[diff] [blame]	27	allow surfaceflinger video_device:dir r_dir_perms;
Stephen Smalley	52a8523	2013-10-29 14:42:40 -0400	[diff] [blame]	28	allow surfaceflinger video_device:chr_file rw_file_perms;
				29
				30	# Create and use netlink kobject uevent sockets.
				31	allow surfaceflinger self:netlink_kobject_uevent_socket *;
				32
				33	# Set properties.
				34	allow surfaceflinger system_prop:property_service set;
				35	allow surfaceflinger ctl_default_prop:property_service set;
				36
				37	# Use open files supplied by an app.
				38	allow surfaceflinger appdomain:fd use;
				39	allow surfaceflinger platform_app_data_file:file { read write };
				40	allow surfaceflinger app_data_file:file { read write };
Stephen Smalley	acde43f	2013-12-11 15:17:53 -0500	[diff] [blame]	41
				42	# Use open file provided by bootanim.
				43	allow surfaceflinger bootanim:fd use;
Nick Kralevich	3d770d2	2014-01-06 14:04:34 -0800	[diff] [blame]	44
				45	# Allow a dumpstate triggered screenshot
				46	binder_call(surfaceflinger, dumpstate)
Stephen Smalley	a506613	2014-01-07 13:25:25 -0500	[diff] [blame]	47	binder_call(surfaceflinger, shell)
Nick Kralevich	e45603d	2014-01-08 11:19:52 -0800	[diff] [blame]	48
				49	# Needed on some devices for playing DRM protected content,
				50	# but seems expected and appropriate for all devices.
				51	allow surfaceflinger tee:unix_stream_socket connectto;
				52	allow surfaceflinger tee_device:chr_file rw_file_perms;