# surfaceflinger - display compositor service
#
# Domain policy for surfaceflinger, the process that composes window buffers
# and drives the display through the graphics HALs.  This copy lives under
# prebuilts/api/34.0, the frozen policy snapshot for that API level, so it is
# a compatibility reference rather than a place to add new grants.

typeattribute surfaceflinger coredomain;

# Executable label, init-launched domain transition and a private tmpfs type.
type surfaceflinger_exec, system_file_type, exec_type, file_type;
init_daemon_domain(surfaceflinger)
tmpfs_domain(surfaceflinger)

# mlstrustedsubject exempts the domain from the MLS level constraints
# (presumably because it handles buffers from processes of every MLS level;
# see the mls constraints file to confirm).
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;

# Per the macro name: read access to the runtime log-tags file(s).
read_runtime_log_tags(surfaceflinger)

# Perform HwBinder IPC.
# hal_client_domain() grants the client side of each listed HAL.  The
# composer client additionally tags its tmpfs type, presumably so the
# composer HAL can map surfaceflinger's tmpfs-backed memory -- verify
# against hal_graphics_composer.te.
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
# Lookup only (find); surfaceflinger does not register this hwservice.
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;

# Perform Binder IPC.
# Note that appdomain covers every installed app: surfaceflinger may
# initiate calls into any app process, not only answer them.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
# The trailing ';' after this macro call (and the statsd one below) is a
# stray token the build tolerates; the other macro calls in this file omit it.
binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)

# Binder IPC to bu, presently runs in adbd domain.
binder_call(surfaceflinger, adbd)

# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
r_dir_file(surfaceflinger, appdomain)

# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
allow surfaceflinger gpu_device:dir r_dir_perms;
allow surfaceflinger sysfs_gpu:file r_file_perms;

# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file rw_file_perms;

# Access /dev/video1.
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;

# Access the secure heap.  Read-side file perms only; no write grant.
allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Create and use netlink kobject uevent sockets.
# The _no_ioctl perm set deliberately withholds ioctl on this socket.
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

# Set properties.
# system_prop is a wide property context; together these are the broadest
# write grants in this file, so additions to this list deserve review.
set_prop(surfaceflinger, system_prop)
set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
set_prop(surfaceflinger, locale_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
set_prop(surfaceflinger, timezone_prop)

# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)

# Use open files supplied by an app.
# Only fd:use plus read/write on the file -- no open permission -- so
# surfaceflinger can operate on app data files only through descriptors the
# app already opened and handed over; it cannot open them by path itself.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };

# Allow writing surface traces to /data/misc/wmtrace.
# userdebug_or_eng() compiles these rules into debug builds only; on user
# builds surfaceflinger has no access to wm_trace_data_file.
userdebug_or_eng(`
  allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
  allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')

# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)

# Use socket supplied by adbd, for cmd gpu vkjson etc.
# read/write/getattr only on a socket adbd hands over; no connect.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };

# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
r_dir_file(surfaceflinger, dumpstate)

# media.player service
# NOTE(review): this heading looks stale -- the rule below registers
# surfaceflinger_service, not a media.player service.

# do not use add_service() as hal_graphics_composer_default may be the
# provider as well
#add_service(surfaceflinger, surfaceflinger_service)
allow surfaceflinger surfaceflinger_service:service_manager { add find };

# Service lookups only (find); surfaceflinger registers none of these.
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger vr_manager_service:service_manager find;
allow surfaceflinger window_service:service_manager find;
allow surfaceflinger inputflinger_service:service_manager find;


# allow self to set SCHED_FIFO
# sys_nice is the only capability granted anywhere in this file.
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
# Descriptors and an already-established stream socket from system_server.
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
# Buffer allocator devices: legacy ion and the (non-secure) dmabuf system heap.
allow surfaceflinger ion_device:chr_file r_file_perms;
allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;

# pdx IPC
# surfaceflinger serves the display* pdx endpoints and is a client of the
# bufferhub and performance ones.
pdx_server(surfaceflinger, display_client)
pdx_server(surfaceflinger, display_manager)
pdx_server(surfaceflinger, display_screenshot)
pdx_server(surfaceflinger, display_vsync)

pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)

# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
allow surfaceflinger statsmanager_service:service_manager find;
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);

# Allow to use files supplied by hal_evs
allow surfaceflinger hal_evs:fd use;

# Allow to use release fence fds supplied by hal_camera
allow surfaceflinger hal_camera:fd use;

# Allow pushing jank event atoms to statsd
# Debug builds only (userdebug_or_eng); absent from user builds.
userdebug_or_eng(`
    unix_socket_send(surfaceflinger, statsdw, statsd)
')

# Surfaceflinger should not be reading default vendor-defined properties.
# dontaudit only silences the denial log; it grants no access.
dontaudit surfaceflinger vendor_default_prop:file read;

###
### Neverallow rules
###
### surfaceflinger should NEVER do any of this
### (neverallow is enforced at policy build time: an allow rule anywhere in
### the policy that conflicts with it fails the build)

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;

# b/68864350
# Silence denials from searching unlabeled directories; no access is granted.
dontaudit surfaceflinger unlabeled:dir search;

160