# SELinux type-enforcement policy for the vnc_server daemon.
# Declares the process domain and the executable label, lets init start the
# daemon, and grants network, metadata-file, framebuffer and sensors-HAL
# socket access. Every rule below is an allow-list entry for this one domain.
# Process domain the running daemon is confined to.
type vnc_server, domain;
# Label for the daemon's binary (an executable file carrying the vendor file attribute).
type vnc_server_exec, exec_type, vendor_file_type, file_type;
# Transition into vnc_server when init executes a file labelled vnc_server_exec.
init_daemon_domain(vnc_server)
# Access to netd and network over TCP/UDP sockets
net_domain(vnc_server)
# NOTE(review): net_raw permits raw and packet sockets, which is broader than
# the TCP/UDP access described above. Nothing in this file shows why it is
# needed; confirm against audit denials and drop it if none appear.
allow vnc_server self:capability net_raw;
# Read GCE initial metadata file
# Read-only: r_file_perms grants no write or append.
allow vnc_server initial_metadata_file:file r_file_perms;
# Framebuffer I/O
# Read and write on existing files of both types; no create or unlink is granted.
allow vnc_server fb_ctl_file:file rw_file_perms;
allow vnc_server userspace_fb_file:file rw_file_perms;
# TODO(b/65062047): Remove these rules (incl. the two file type definitions) once vnc_server is gone
# I/O with system_server via sensors_hal_socket Unix domain socket. Needed for orientation changes.
# NOTE(review): the peer domain named in the rule is hal_sensors_server, not
# system_server; confirm which process owns the socket and align the comment.
# The macro grants write on the sensors_hal_socket file and connectto on the peer.
unix_socket_connect(vnc_server, sensors_hal, hal_sensors_server)
# For some reason vnc_server attempts a search of /var/run/system directory instead of going
# straight for opening the sensors_hal_socket
# Only search is granted: path traversal through the directory, not listing or modifying it.
allow vnc_server var_run_system_file:dir search;