From 303349ca33b80052b0f16defdddc7f4c126f5349 Mon Sep 17 00:00:00 2001
From: Adrian DC <radian.dc@gmail.com>
Date: Sun, 3 Nov 2019 00:54:38 +0200
Subject: [PATCH] sepolicy: Resolve surfaceflinger access to qdisplay service

 * denied { add find } for service=display.qservice uid=1000
    scontext=u:r:surfaceflinger:s0
    tcontext=u:object_r:qdisplay_service:s0 tclass=service_manager

Change-Id: I9e8af53ecbc475056497926d401d2312b43283c9
---
 sepolicy/service.te        | 1 +
 sepolicy/service_contexts  | 1 +
 sepolicy/surfaceflinger.te | 1 +
 3 files changed, 3 insertions(+)
 create mode 100644 sepolicy/service.te
 create mode 100644 sepolicy/service_contexts

diff --git a/sepolicy/service.te b/sepolicy/service.te
new file mode 100644
index 00000000..60490a58
--- /dev/null
+++ b/sepolicy/service.te
@@ -0,0 +1 @@
+type qdisplay_service, service_manager_type;
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
new file mode 100644
index 00000000..3d6b681b
--- /dev/null
+++ b/sepolicy/service_contexts
@@ -0,0 +1 @@
+display.qservice u:object_r:qdisplay_service:s0
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index 02adf8ac..a92feab8 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,2 +1,3 @@
 allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
 allow surfaceflinger sysfs_thermal:file r_file_perms;
+allow surfaceflinger qdisplay_service:service_manager { add find };