| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | # surfaceflinger - display compositor service |
| 2 | type surfaceflinger, domain; |
| Nick Kralevich | 623975f | 2014-01-11 01:31:03 -0800 | [diff] [blame] | 3 | permissive_or_unconfined(surfaceflinger) |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 4 | type surfaceflinger_exec, exec_type, file_type; |
| 5 | |
| 6 | init_daemon_domain(surfaceflinger) |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 7 | typeattribute surfaceflinger mlstrustedsubject; |
| Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 8 | |
| 9 | # Talk to init over the property socket. |
| 10 | unix_socket_connect(surfaceflinger, property, init) |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 11 | |
| 12 | # Perform Binder IPC. |
| 13 | binder_use(surfaceflinger) |
| Stephen Smalley | 244aa02 | 2014-03-05 10:17:16 -0500 | [diff] [blame] | 14 | binder_call(surfaceflinger, binderservicedomain) |
| 15 | binder_call(surfaceflinger, appdomain) |
| Nick Kralevich | fd352f1 | 2014-04-16 16:31:23 -0700 | [diff] [blame] | 16 | binder_call(surfaceflinger, bootanim) |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 17 | binder_service(surfaceflinger) |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 18 | |
| Stephen Smalley | 244aa02 | 2014-03-05 10:17:16 -0500 | [diff] [blame] | 19 | # Binder IPC to bu, presently runs in adbd domain. |
| 20 | binder_call(surfaceflinger, adbd) |
| 21 | |
| 22 | # Read /proc/pid files for Binder clients. |
| 23 | r_dir_file(surfaceflinger, binderservicedomain) |
| 24 | r_dir_file(surfaceflinger, appdomain) |
| 25 | |
| Stephen Smalley | 3ba9012 | 2013-12-12 09:09:53 -0500 | [diff] [blame] | 26 | # Access the GPU. |
| 27 | allow surfaceflinger gpu_device:chr_file rw_file_perms; |
| 28 | |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 29 | # Access /dev/graphics/fb0. |
| 30 | allow surfaceflinger graphics_device:dir search; |
| 31 | allow surfaceflinger graphics_device:chr_file rw_file_perms; |
| 32 | |
| Greg Hackmann | 7004789 | 2014-05-06 15:42:18 -0700 | [diff] [blame] | 33 | # Access ADF device nodes. |
| 34 | allow surfaceflinger adf_device:chr_file rw_file_perms; |
| 35 | |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 36 | # Access /dev/video1. |
| Nick Kralevich | 37339c7 | 2014-01-06 12:39:19 -0800 | [diff] [blame] | 37 | allow surfaceflinger video_device:dir r_dir_perms; |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 38 | allow surfaceflinger video_device:chr_file rw_file_perms; |
| 39 | |
| 40 | # Create and use netlink kobject uevent sockets. |
| Stephen Smalley | 1601132 | 2014-02-24 15:06:11 -0500 | [diff] [blame] | 41 | allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms; |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 42 | |
| 43 | # Set properties. |
| 44 | allow surfaceflinger system_prop:property_service set; |
| Robert Craig | 4b3893f | 2014-02-18 13:24:26 -0500 | [diff] [blame] | 45 | allow surfaceflinger ctl_bootanim_prop:property_service set; |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 46 | |
| 47 | # Use open files supplied by an app. |
| 48 | allow surfaceflinger appdomain:fd use; |
| Stephen Smalley | 52a8523 | 2013-10-29 14:42:40 -0400 | [diff] [blame] | 49 | allow surfaceflinger app_data_file:file { read write }; |
| Stephen Smalley | acde43f | 2013-12-11 15:17:53 -0500 | [diff] [blame] | 50 | |
| 51 | # Use open file provided by bootanim. |
| 52 | allow surfaceflinger bootanim:fd use; |
| Nick Kralevich | 3d770d2 | 2014-01-06 14:04:34 -0800 | [diff] [blame] | 53 | |
| 54 | # Allow a dumpstate triggered screenshot |
| 55 | binder_call(surfaceflinger, dumpstate) |
| Stephen Smalley | a506613 | 2014-01-07 13:25:25 -0500 | [diff] [blame] | 56 | binder_call(surfaceflinger, shell) |
| Stephen Smalley | 5795571 | 2014-03-21 10:36:24 -0400 | [diff] [blame] | 57 | r_dir_file(surfaceflinger, dumpstate) |
| Nick Kralevich | e45603d | 2014-01-08 11:19:52 -0800 | [diff] [blame] | 58 | |
| 59 | # Needed on some devices for playing DRM protected content, |
| 60 | # but seems expected and appropriate for all devices. |
| 61 | allow surfaceflinger tee:unix_stream_socket connectto; |
| 62 | allow surfaceflinger tee_device:chr_file rw_file_perms; |
| Stephen Smalley | 244aa02 | 2014-03-05 10:17:16 -0500 | [diff] [blame] | 63 | |
| 64 | ### |
| 65 | ### Neverallow rules |
| 66 | ### |
| 67 | ### surfaceflinger should NEVER do any of this |
| 68 | |
| 69 | # Do not allow accessing SDcard files as unsafe ejection could |
| 70 | # cause the kernel to kill the process. |
| 71 | # TODO: Remove -unconfineddomain when we remove permissive_or_unconfined above. |
| 72 | neverallow { surfaceflinger -unconfineddomain } sdcard_type:file rw_file_perms; |