Android-x86

device-generic-common: Commit

device/generic/common


Commit MetaInfo

Revision: b6c5a59e165febc5f71be21a79e73e98dee3b7c8
Time: 2019-07-25 18:18:24
Author: Chih-Wei Huang <cwhuang@linu...>
Committer: Chih-Wei Huang

Log Message

sepolicy: fix avc denied of surfaceflinger

Change Summary

  • modified: BoardConfig.mk
  • add: sepolicy/plat_private/file_contexts
  • add: sepolicy/plat_private/surfaceflinger.te
  • add: sepolicy/plat_private/zygote.te
  • delete: sepolicy/{ => nonplat}/adbd.te
  • delete: sepolicy/{ => nonplat}/audioserver.te
  • delete: sepolicy/{ => nonplat}/bootanim.te
  • delete: sepolicy/{ => nonplat}/cameraserver.te
  • delete: sepolicy/{ => nonplat}/device.te
  • delete: sepolicy/{ => nonplat}/domain.te
  • delete: sepolicy/{ => nonplat}/file.te
  • delete: sepolicy/{ => nonplat}/file_contexts
  • delete: sepolicy/{ => nonplat}/hal_camera_default.te
  • delete: sepolicy/{ => nonplat}/hal_cas_default.te
  • delete: sepolicy/{ => nonplat}/hal_drm_default.te
  • delete: sepolicy/{ => nonplat}/hal_drm_widevine.te
  • delete: sepolicy/{ => nonplat}/hal_gnss_default.te
  • delete: sepolicy/{ => nonplat}/hal_graphics_composer_default.te
  • delete: sepolicy/{ => nonplat}/healthd.te
  • delete: sepolicy/{ => nonplat}/init.te
  • delete: sepolicy/{ => nonplat}/installd.te
  • delete: sepolicy/{ => nonplat}/logpersist.te
  • delete: sepolicy/{ => nonplat}/mediacodec.te
  • delete: sepolicy/{ => nonplat}/netd.te
  • delete: sepolicy/{ => nonplat}/priv_app.te
  • delete: sepolicy/{ => nonplat}/property.te
  • delete: sepolicy/{ => nonplat}/property_contexts
  • delete: sepolicy/{ => nonplat}/shell.te
  • delete: sepolicy/{ => nonplat}/surfaceflinger.te
  • delete: sepolicy/{ => nonplat}/system_server.te
  • delete: sepolicy/{ => nonplat}/vold.te
  • delete: sepolicy/{ => nonplat}/zygote.te

Incremental Difference

--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -87,5 +87,7 @@ ZIP_OPTIMIZATION_NO_INTEGRITY := true
8787
8888 DEVICE_MANIFEST_FILE := device/generic/common/manifest.xml
8989
90-BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy \
90+BOARD_SEPOLICY_DIRS += device/generic/common/sepolicy/nonplat \
9191 system/bt/vendor_libs/linux/sepolicy \
92+
93+BOARD_PLAT_PRIVATE_SEPOLICY_DIR := device/generic/common/sepolicy/plat_private
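Review bot: The context line `system/bt/vendor_libs/linux/sepolicy \` still ends in a continuation backslash, so the new `BOARD_PLAT_PRIVATE_SEPOLICY_DIR := ...` assignment is kept out of `BOARD_SEPOLICY_DIRS` only by the added blank line. If that blank line is ever removed, the assignment is folded into the directory list. Drop the trailing backslash from the last list entry. The commit subject also mentions only the surfaceflinger denial, while this hunk moves the existing policy directory to `sepolicy/nonplat`; the message should say so.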
--- /dev/null
+++ b/sepolicy/plat_private/file_contexts
@@ -0,0 +1,3 @@
1+# surfaceflinger
2+/dev/dri(/.*)? u:object_r:gpu_device:s0
3+/dev/tty0 u:object_r:gpu_device:s0
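Review bot: Line 3 labels `/dev/tty0` as `gpu_device`, although it is the console tty and not a GPU node, so any domain that the rest of the policy allows on `gpu_device:chr_file` gets the same access to the console. A dedicated type for the tty, granted only to surfaceflinger, would keep the grant narrow. The `# surfaceflinger` comment could also state why the tty is needed.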
--- /dev/null
+++ b/sepolicy/plat_private/surfaceflinger.te
@@ -0,0 +1,24 @@
1+allow surfaceflinger surfaceflinger_tmpfs:file { map };
2+allow surfaceflinger tmpfs:lnk_file { read };
3+allow surfaceflinger self:capability { sys_tty_config };
4+
5+allowxperm surfaceflinger gpu_device:chr_file ioctl {
6+ 0x5605
7+ 0x6409
8+ 0x640a
9+ 0x640b
10+ 0x641e
11+ 0x641f
12+ 0x6457
13+ 0x6458
14+ 0x645b
15+ 0x645e
16+ 0x645f
17+ 0x6461
18+ 0x6462
19+ 0x6469
20+ 0x6466
21+ 0x646c
22+ 0x64a2
23+ 0x64b0
24+};
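Review bot: The `allowxperm` list in lines 5-24 is raw hex with no comment naming the ioctls, which makes the allowlist hard to audit. `0x5605` falls outside the `0x64xx` range of the other entries and, since the file_contexts change in this commit also labels `/dev/tty0` as `gpu_device`, probably targets the tty; because both nodes share one type, every listed command is permitted on both. Add a comment with the symbolic name of each ioctl and sort the list (`0x6469` currently precedes `0x6466`). The `sys_tty_config` capability in line 3 would benefit from the same kind of comment.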
--- /dev/null
+++ b/sepolicy/plat_private/zygote.te
@@ -0,0 +1,2 @@
1+allow zygote surfaceflinger:binder call;
2+allow zygote surfaceflinger:unix_stream_socket { read };
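Review bot: Neither rule carries a comment or a denial excerpt explaining why zygote needs to call surfaceflinger over binder or read its `unix_stream_socket`, and the commit subject mentions only surfaceflinger. Quote the avc denial being addressed in a comment above each rule, and if the access is not functionally required, prefer `dontaudit` over `allow`. The bracing is also inconsistent between the two lines (`binder call` versus `{ read }`).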