# surfaceflinger - display compositor service
#
# SELinux type-enforcement policy for the surfaceflinger domain. Rules use the
# AOSP sepolicy macros (init_daemon_domain, hal_client_domain, binder_call,
# set_prop, ...); each macro expands to a set of allow/typeattribute rules.
# The `surfaceflinger` type itself is declared elsewhere; this file only
# attaches attributes and rules to it.

# Part of the core (system-image) policy rather than vendor policy.
typeattribute surfaceflinger coredomain;

# Label for the surfaceflinger executable. init_daemon_domain() sets up the
# init -> surfaceflinger domain transition when init execs this file;
# tmpfs_domain() gives the process its own surfaceflinger_tmpfs type for
# tmpfs-backed (e.g. ashmem-style) memory.
type surfaceflinger_exec, system_file_type, exec_type, file_type;
init_daemon_domain(surfaceflinger)
tmpfs_domain(surfaceflinger)

# mlstrustedsubject: exempt from MLS category constraints, so the compositor
# can serve clients at any MLS level.
typeattribute surfaceflinger mlstrustedsubject;
typeattribute surfaceflinger display_service_server;

read_runtime_log_tags(surfaceflinger)

# Perform HwBinder IPC.
hal_client_domain(surfaceflinger, hal_graphics_allocator)
hal_client_domain(surfaceflinger, hal_graphics_composer)
# surfaceflinger_tmpfs comes from tmpfs_domain() above; tagging it lets the
# graphics composer HAL work with this process's tmpfs-backed memory.
typeattribute surfaceflinger_tmpfs hal_graphics_composer_client_tmpfs;
hal_client_domain(surfaceflinger, hal_codec2)
hal_client_domain(surfaceflinger, hal_omx)
hal_client_domain(surfaceflinger, hal_configstore)
hal_client_domain(surfaceflinger, hal_power)
allow surfaceflinger hidl_token_hwservice:hwservice_manager find;

# Perform Binder IPC.
# binder_call(A, B) grants A -> B calls (plus fd use from B, per the macro
# definition in te_macros); appdomain here means any installed app may be
# called back by surfaceflinger.
binder_use(surfaceflinger)
binder_call(surfaceflinger, binderservicedomain)
binder_call(surfaceflinger, appdomain)
binder_call(surfaceflinger, bootanim)
# NOTE(review): the trailing ';' is inconsistent with the neighbouring
# binder_call lines (same on the statsd line further down); harmless, but
# should be dropped for consistency.
binder_call(surfaceflinger, system_server);
binder_service(surfaceflinger)

# Binder IPC to bu, presently runs in adbd domain.
binder_call(surfaceflinger, adbd)

# Read /proc/pid files for Binder clients.
r_dir_file(surfaceflinger, binderservicedomain)
r_dir_file(surfaceflinger, appdomain)

# Access the GPU.
allow surfaceflinger gpu_device:chr_file rw_file_perms;
allow surfaceflinger gpu_device:dir r_dir_perms;
allow surfaceflinger sysfs_gpu:file r_file_perms;

# Access /dev/graphics/fb0.
allow surfaceflinger graphics_device:dir search;
allow surfaceflinger graphics_device:chr_file rw_file_perms;

# Access /dev/video1.
allow surfaceflinger video_device:dir r_dir_perms;
allow surfaceflinger video_device:chr_file rw_file_perms;

# Access the secure heap (read-only on the device node).
allow surfaceflinger dmabuf_system_secure_heap_device:chr_file r_file_perms;

# Create and use netlink kobject uevent sockets.
# Deliberately without ioctl (create_socket_perms_no_ioctl).
allow surfaceflinger self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;

# Set properties.
set_prop(surfaceflinger, system_prop)
set_prop(surfaceflinger, bootanim_system_prop)
set_prop(surfaceflinger, exported_system_prop)
set_prop(surfaceflinger, exported3_system_prop)
set_prop(surfaceflinger, ctl_bootanim_prop)
set_prop(surfaceflinger, locale_prop)
set_prop(surfaceflinger, surfaceflinger_display_prop)
set_prop(surfaceflinger, timezone_prop)

# Get properties.
get_prop(surfaceflinger, qemu_sf_lcd_density_prop)
get_prop(surfaceflinger, device_config_surface_flinger_native_boot_prop)

# Use open files supplied by an app.
# Note there is no `open` permission here: surfaceflinger can only read/write
# app data files through descriptors an app already opened and handed over
# via Binder; it cannot open app data files on its own.
allow surfaceflinger appdomain:fd use;
allow surfaceflinger { app_data_file privapp_data_file }:file { read write };

# Allow writing surface traces to /data/misc/wmtrace.
# Only present on userdebug/eng builds; user builds get no access.
userdebug_or_eng(`
  allow surfaceflinger wm_trace_data_file:dir rw_dir_perms;
  allow surfaceflinger wm_trace_data_file:file { getattr setattr create w_file_perms };
')

# Needed to register as a Perfetto producer.
perfetto_producer(surfaceflinger)

# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow surfaceflinger adbd:unix_stream_socket { read write getattr };

# Allow reading and writing to sockets used for BLAST buffer releases.
# SurfaceFlinger never reads from these sockets but needs read permissions in order to receive
# the file descriptors over binder. There's no mechanism to mark a socket as write-only.
# shutdown is used to close the read-end of the sockets that are sent to SurfaceFlinger. See
# b/353597444
# Isolated, ephemeral and SDK-sandbox apps are explicitly carved out of the
# appdomain grant below.
allow surfaceflinger { appdomain -isolated_app_all -ephemeral_app -sdk_sandbox_all }:unix_stream_socket { read write };
allow surfaceflinger bootanim:unix_stream_socket { read write };
allow surfaceflinger automotive_display_service:unix_stream_socket { read write };

# Allow a dumpstate triggered screenshot
binder_call(surfaceflinger, dumpstate)
binder_call(surfaceflinger, shell)
r_dir_file(surfaceflinger, dumpstate)

# media.player service

# do not use add_service() as hal_graphics_composer_default may be the
# provider as well
#add_service(surfaceflinger, surfaceflinger_service)
# Plain allow instead of the macro, so the accompanying neverallow that
# add_service() would emit is not generated for this service name.
allow surfaceflinger surfaceflinger_service:service_manager { add find };

# Services surfaceflinger looks up (find only; it does not register these).
allow surfaceflinger mediaserver_service:service_manager find;
allow surfaceflinger permission_service:service_manager find;
allow surfaceflinger power_service:service_manager find;
allow surfaceflinger vr_manager_service:service_manager find;
allow surfaceflinger window_service:service_manager find;
allow surfaceflinger inputflinger_service:service_manager find;


# allow self to set SCHED_FIFO
# CAP_SYS_NICE on its own process only (self), across the capability classes
# covered by global_capability_class_set.
allow surfaceflinger self:global_capability_class_set sys_nice;
allow surfaceflinger proc_meminfo:file r_file_perms;
r_dir_file(surfaceflinger, cgroup)
r_dir_file(surfaceflinger, cgroup_v2)
r_dir_file(surfaceflinger, system_file)
allow surfaceflinger tmpfs:dir r_dir_perms;
allow surfaceflinger system_server:fd use;
allow surfaceflinger system_server:unix_stream_socket { read write };
# Buffer allocator device nodes: read-only on the node itself.
allow surfaceflinger ion_device:chr_file r_file_perms;
allow surfaceflinger dmabuf_system_heap_device:chr_file r_file_perms;

# pdx IPC
pdx_server(surfaceflinger, display_client)
pdx_server(surfaceflinger, display_manager)
pdx_server(surfaceflinger, display_screenshot)
pdx_server(surfaceflinger, display_vsync)

pdx_client(surfaceflinger, bufferhub_client)
pdx_client(surfaceflinger, performance_client)

# Allow supplying timestats statistics to statsd
allow surfaceflinger stats_service:service_manager find;
allow surfaceflinger statsmanager_service:service_manager find;
# TODO(146461633): remove this once native pullers talk to StatsManagerService
binder_call(surfaceflinger, statsd);
# Allow pushing atoms to the stats bootstrap atom service
allow surfaceflinger statsbootstrap_service:service_manager find;

# Allow to use files supplied by hal_evs
allow surfaceflinger hal_evs:fd use;

# Allow to use release fence fds supplied by hal_camera
allow surfaceflinger hal_camera:fd use;


# Surfaceflinger should not be reading default vendor-defined properties.
# dontaudit only suppresses the denial log; the read stays denied.
dontaudit surfaceflinger vendor_default_prop:file read;

###
### Neverallow rules
###
### surfaceflinger should NEVER do any of this
### (neverallow is enforced when the policy is compiled, so a rule elsewhere
### that grants any of this fails the build rather than the device)

# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;

# b/68864350
# Silence the denial only; search on unlabeled dirs is still refused.
dontaudit surfaceflinger unlabeled:dir search;
167