1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
|
# surfaceflinger - display compositor service
typeattribute surfaceflinger coredomain;
type surfaceflinger_exec, system_file_type, exec_type, file_type;
init_daemon_domain(surfaceflinger)
tmpfs_domain(surfaceflinger)
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;
read_runtime_log_tags(surfaceflinger)
# Perform HwBinder IPC.
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
hal_client_domain(surfaceflinger, hal_bufferhub)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;
# Perform Binder IPC.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)
# Binder IPC to bu, presently runs in adbd domain.
binder_call(surfaceflinger, adbd)
# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
r_dir_file(surfaceflinger, appdomain)
# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file rw_file_perms;
# Access /dev/video1.
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;
# Create and use netlink kobject uevent sockets.
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
# Set properties.
set_prop(surfaceflinger, system_prop)
set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
# Use open files supplied by an app.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };
# Allow writing surface traces to /data/misc/wmtrace.
userdebug_or_eng(`
allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')
# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };
# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
r_dir_file(surfaceflinger, dumpstate)
# media.player service
# do not use add_service() as hal_graphics_composer_default may be the
# provider as well
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };
add_service(surfaceflinger, vrflinger_vsync_service)
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger vr_manager_service:service_manager find;
allow surfaceflinger window_service:service_manager find;
allow surfaceflinger inputflinger_service:service_manager find;
# allow self to set SCHED_FIFO
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
allow surfaceflinger ion_device:chr_file r_file_perms;
allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;
# pdx IPC
pdx_server(surfaceflinger, display_client)
pdx_server(surfaceflinger, display_manager)
pdx_server(surfaceflinger, display_screenshot)
pdx_server(surfaceflinger, display_vsync)
pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)
# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
allow surfaceflinger statsmanager_service:service_manager find;
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
# Allow pushing jank event atoms to statsd
userdebug_or_eng(`
unix_socket_send(surfaceflinger, statsdw, statsd)
')
# Surfaceflinger should not be reading default vendor-defined properties.
dontaudit surfaceflinger vendor_default_prop:file read;
###
### Neverallow rules
###
### surfaceflinger should NEVER do any of this
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger sdcard_type:file rw_file_perms;
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
|
