Add sepolicy for screen cast

Tracked-On: OAM-125068 Signed-off-by: chenyanxzhu <[email protected]> Signed-off-by: He, Yue <[email protected]>
projectceladon · Nov 25, 2024 · 0d58fb7 · 0d58fb7
1 parent 2c757f9
commit 0d58fb7
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 0 deletions.
diff --git a/graphics/screencast/cast_client_app.te b/graphics/screencast/cast_client_app.te
@@ -0,0 +1,32 @@
+type cast_client_app, domain;
+
+permissive cast_client_app;
+
+app_domain(cast_client_app)
+net_domain(cast_client_app)
+
+#============= cast_client_app ==============
+allow cast_client_app cast_app_data_file:dir create_dir_perms;
+allow cast_client_app cast_app_data_file:file create_file_perms;
+allow cast_client_app socket_device:dir { add_name remove_name search write };
+allow cast_client_app dm_disp_socket:sock_file { write read open unlink create};
+allow cast_client_app dm_disp_socket:file { write read open unlink create};
+allow cast_client_app dm_client_socket:sock_file { write read open unlink create};
+allow cast_client_app dm_client_socket:file { write read open unlink create};
+allow cast_client_app socket_device:sock_file create;
+allow cast_client_app sysfs:file { getattr open read };
+
+allow cast_client_app activity_service:service_manager find;
+allow cast_client_app activity_task_service:service_manager find;
+allow cast_client_app content_capture_service:service_manager find;
+allow cast_client_app game_service:service_manager find;
+allow cast_client_app gpu_service:service_manager find;
+allow cast_client_app netstats_service:service_manager find;
+allow cast_client_app surfaceflinger_service:service_manager find;
+allow cast_client_app sysfs_gpu:dir search;
+allow cast_client_app vendor_intel_render_selection_prop:file open;
+allow cast_client_app virtual_device_service:service_manager find;
+allow cast_client_app voiceinteraction_service:service_manager find;
+allow cast_client_app vendor_intel_render_selection_prop:file { read getattr map };
+
+dontaudit cast_client_app default_prop:file *;
diff --git a/graphics/screencast/cast_service.te b/graphics/screencast/cast_service.te
@@ -0,0 +1,8 @@
+type cast_server, domain, mlstrustedsubject;
+type cast_server_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(cast_server)
+
+allow cast_server socket_device:dir { add_name remove_name search write };
+allow cast_server dm_disp_socket:sock_file { create write getattr unlink read open };
+allow cast_server dm_client_socket:sock_file { create write getattr unlink read open };
diff --git a/graphics/screencast/file.te b/graphics/screencast/file.te
@@ -0,0 +1,3 @@
+type cast_app_data_file, file_type, data_file_type, app_data_file_type;
+type dm_disp_socket, file_type;
+type dm_client_socket, file_type;
diff --git a/graphics/screencast/file_contexts b/graphics/screencast/file_contexts
@@ -0,0 +1,3 @@
+/system/bin/acrn-bkend-server             u:object_r:cast_server_exec:s0
+/dev/socket/virt_disp_server              u:object_r:dm_disp_socket:s0
+/dev/socket/virt_disp_client              u:object_r:dm_client_socket:s0
diff --git a/graphics/screencast/seapp_contexts b/graphics/screencast/seapp_contexts
@@ -0,0 +1 @@
+user=_app seinfo=platform name=com.intel.dm_backend domain=cast_client_app type=cast_app_data_file
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		user=_app seinfo=platform name=com.intel.dm_backend domain=cast_client_app type=cast_app_data_file