sepolicy/vendor/surfaceflinger.te

allow surfaceflinger self:process execmem;
allow surfaceflinger ashmem_device:chr_file execute;
allow surfaceflinger gpu_device:chr_file { ioctl open read write map };
allow surfaceflinger self:vsock_socket create_socket_perms_no_ioctl;
allow surfaceflinger hal_graphics_allocator_default:vsock_socket { read write getattr };