From 5ff294c0a20302e01695ebc82180d0ad6ea11501 Mon Sep 17 00:00:00 2001
From: Sashko <sashko506@gmail.com>
Date: Sun, 3 Nov 2019 02:07:03 +0200
Subject: [PATCH] sepolicy: Resolve surfaceflinger denials

denied { read open } for name=msm_fb_split dev=sysfs ino=11739 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

denied { getattr } for path=/sys/devices/virtual/graphics/fb0/msm_fb_split dev=sysfs ino=11739 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=1

denied { read open } for name=fb2 dev=sysfs ino=11788 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs:s0 tclass=dir permissive=1

denied { search read open } for name=fb0 dev=sysfs ino=11697 scontext=u:r:surfaceflinger:s0 tcontext=u:object_r:sysfs_surfaceflinger:s0 tclass=dir permissive=1

denied { write } for name=rgb dev=sysfs ino=11740 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs_surfaceflinger:s0 tclass=file permissive=1

Change-Id: I404b61992eb082d87c5b3b1b7875a7bc83f8cf7d
---
 sepolicy/file_contexts     | 4 +---
 sepolicy/surfaceflinger.te | 1 +
 sepolicy/system_server.te  | 2 ++
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 9ec66741..cb9b79e7 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -142,9 +142,7 @@
 /sys/module/pm_8x60/modes(/.*)?        u:object_r:sysfs_mpdecision:s0
 
 # Sysfs files used by surfaceflinger
-/sys/devices/virtual/graphics/fb1/hpd          -- u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb1/vendor_name  -- u:object_r:sysfs_surfaceflinger:s0
-/sys/devices/virtual/graphics/fb1/product_description       -- u:object_r:sysfs_surfaceflinger:s0
+/sys/devices/virtual/graphics/fb([0-2])+(/.*)? 	u:object_r:sysfs_surfaceflinger:s0
 
 /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/gpuclk        u:object_r:sysfs_thermal:s0
 /sys/devices/fdb00000\.qcom,kgsl-3d0/kgsl/kgsl-3d0/max_gpuclk    u:object_r:sysfs_thermal:s0
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index a92feab8..e2760a36 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,3 +1,4 @@
+allow surfaceflinger sysfs_surfaceflinger:dir r_dir_perms;
 allow surfaceflinger sysfs_surfaceflinger:file rw_file_perms;
 allow surfaceflinger sysfs_thermal:file r_file_perms;
 allow surfaceflinger qdisplay_service:service_manager { add find };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index ab211feb..cf161518 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -22,6 +22,8 @@ allow system_server self:netlink_socket create_socket_perms_no_ioctl;
 
 allow system_server sysfs_thermal:file r_file_perms;
 
+allow system_server sysfs_surfaceflinger:file write;
+
 allow system_server sensors_device:chr_file getattr;
 
 allowxperm system_server self:udp_socket ioctl { SIOCSIFFLAGS SIOCDEVPRIVATE_D };