| type vnc_server, domain; |
| type vnc_server_exec, exec_type, vendor_file_type, file_type; |
| |
| init_daemon_domain(vnc_server) |
| |
| # Access to netd and network over TCP/UDP sockets |
| net_domain(vnc_server) |
| allow vnc_server self:capability net_raw; |
| |
| # Read GCE initial metadata file |
| allow vnc_server initial_metadata_file:file r_file_perms; |
| |
| # Framebuffer I/O |
| allow vnc_server fb_ctl_file:file rw_file_perms; |
| allow vnc_server userspace_fb_file:file rw_file_perms; |
| |
| # TODO(b/65062047): Remove these rules (incl. the two file type definitions) once vnc_server is gone |
| # I/O with system_server via sensors_hal_socket Unix domain socket. Needed for orientation changes. |
| unix_socket_connect(vnc_server, sensors_hal, hal_sensors_server) |
| # For some reason vnc_server attempts a search of /var/run/system directory instead of going |
| # straight for opening the sensors_hal_socket |
| allow vnc_server var_run_system_file:dir search; |