platform_system_sepolicy/private/gpuservice.te

# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;

type gpuservice_exec, system_file_type, exec_type, file_type;

init_daemon_domain(gpuservice)

binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_call(gpuservice, system_server)
binder_use(gpuservice)

# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;

# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)

# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;

# Allow shell access
allow gpuservice adbd:fd use;
allow gpuservice adbd:unix_stream_socket { getattr read write };
allow gpuservice shell:fifo_file { getattr read write };

# Needed for perfetto producer.
perfetto_producer(gpuservice)

# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };

# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;

# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);

# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file r_file_perms;
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };

# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:file { read write };

# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
allow gpuservice bpfloader:bpf { map_read map_write prog_run };

add_service(gpuservice, gpu_service)

# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)

neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;

# Needed for querying permission
allow gpuservice permission_service:service_manager find;

# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
Game Driver: sepolicy update for plumbing GpuStats into GpuService Allow all the app process with GUI to send GPU health metrics stats to GpuService during the GraphicsEnvironment setup stage for the process. Bug: 123529932 Test: Build, flash and boot. No selinux denials. Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df 2019-02-08 00:00:55 +01:00			`# gpuservice - server for gpu stats and other gpu related services`
			`typeattribute gpuservice coredomain;`
bpfdomain: attribute for domain which can use BPF Require all domains which can be used for BPF to be marked as bpfdomain, and add a restriction for these domains to not be able to use net_raw or net_admin. We want to make sure the network stack has exclusive access to certain BPF attach points. Bug: 140330870 Bug: 162057235 Test: build (compile-time neverallows) Change-Id: I29100e48a757fdcf600931d5eb42988101275325 2022-02-10 01:32:44 +01:00			`typeattribute gpuservice bpfdomain;`

[SEPolicy] Configure policy for gpu service. Historically GPU service lives in SurfaceFlinger as a convenient hack. Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU capability, and shouldn't know about anything about GPU. This patch moves GPU service out of SurfaceFlinger. GPU service is a service that accesses to GPU driver, queries GPU capabilities and reports back. Currently we use this information in CTS and some benchmarks. BUG: 118347356 Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify Change-Id: I007989e0f3f73b5caf80277979986820dd127c32 2018-11-01 21:47:51 +01:00			`type gpuservice_exec, system_file_type, exec_type, file_type;`

			`init_daemon_domain(gpuservice)`

			`binder_call(gpuservice, adbd)`
			`binder_call(gpuservice, shell)`
GpuService binder call StatsManagerService This binder call is needed because we want to migrate libstatspull to use StatsManagerService instead of Statsd The binder call to statsd can be removed after the migration. Test: m -j Bug: 148641240 Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009 2020-02-06 20:54:33 +01:00			`binder_call(gpuservice, system_server)`
[SEPolicy] Configure policy for gpu service. Historically GPU service lives in SurfaceFlinger as a convenient hack. Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU capability, and shouldn't know about anything about GPU. This patch moves GPU service out of SurfaceFlinger. GPU service is a service that accesses to GPU driver, queries GPU capabilities and reports back. Currently we use this information in CTS and some benchmarks. BUG: 118347356 Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify Change-Id: I007989e0f3f73b5caf80277979986820dd127c32 2018-11-01 21:47:51 +01:00			`binder_use(gpuservice)`

			`# Access the GPU.`
			`allow gpuservice gpu_device:chr_file rw_file_perms;`

			`# GPU service will need to load GPU driver, for example Vulkan driver in order`
			`# to get the capability of the driver.`
			`allow gpuservice same_process_hal_file:file { open read getattr execute map };`
			`allow gpuservice ion_device:chr_file r_file_perms;`
			`get_prop(gpuservice, hwservicemanager_prop)`
			`hwbinder_use(gpuservice)`

			`# Access /dev/graphics/fb0.`
			`allow gpuservice graphics_device:dir search;`
			`allow gpuservice graphics_device:chr_file rw_file_perms;`

Add fifo_file read access to enable gpuservice within device cts Bug: 299537644 Test: atest -c CtsGraphicsTestCases:VulkanFeaturesTest#testAndroidBaselineProfile2021Support Change-Id: Iab5c4255f01317c197488158ef8cc63fcf0ebb3b 2024-02-15 23:10:39 +01:00			`# Allow shell access`
			`allow gpuservice adbd:fd use;`
			`allow gpuservice adbd:unix_stream_socket { getattr read write };`
			`allow gpuservice shell:fifo_file { getattr read write };`
[gpuservice] allow "adb shell cmd gpu vkjson" Also allow adb shell dumpsys gpu to not return error. Bug: 120095213 Test: flash non-eng build and adb shell cmd gpu vkjson Change-Id: Ia4a50a475ce76ec35e082dd52d4a6c80dde7f571 2018-11-28 00:21:43 +01:00
Allow gpuservice to be a perfetto producer To enable GpuMemTracer to emit initial counter packets, gpuservice must be allowed to advertise a datasource and producer events. Test: adb shell perfetto --query \| grep gpu Bug: 157142645 Change-Id: Ie7e825d178dfdbfa1eaf0d4cac8f120bad6c2766 2020-06-19 20:02:28 +02:00			`# Needed for perfetto producer.`
			`perfetto_producer(gpuservice)`

gpuservice: allow cmd gpu vkjson in interactive shell Bug: 122860343 Test: adb shell, then 'cmd gpu vkjson' Change-Id: I2720d1bbc27152f416cd7e61f4dcccb4a13c7b82 2019-01-23 23:28:56 +01:00			`# Needed for interactive shell`
			`allow gpuservice devpts:chr_file { read write getattr };`

Allow dumpstate to dumpsys gpu Bug: 132402890 Test: adb bugreport and verify dumpsys gpu is included. Change-Id: Ib145937889f9616a0dcdabb7b58839fb715bf6c3 2019-05-10 08:15:49 +02:00			`# Needed for dumpstate to dumpsys gpu.`
			`allow gpuservice dumpstate:fd use;`
			`allow gpuservice dumpstate:fifo_file write;`

GpuStats: sepolicy change for using new statsd puller api Bug: 148421389 Test: statsd_testdrive 10054 Change-Id: Icf1a4bf809b1413c0e413290bbeadd987faff710 2020-02-05 00:55:59 +01:00			`# Needed for stats callback registration to statsd.`
			`allow gpuservice stats_service:service_manager find;`
GpuService binder call StatsManagerService This binder call is needed because we want to migrate libstatspull to use StatsManagerService instead of Statsd The binder call to statsd can be removed after the migration. Test: m -j Bug: 148641240 Change-Id: Id1387a2cbe74ba8d84f4973c6e4d17c5e0b88009 2020-02-06 20:54:33 +01:00			`allow gpuservice statsmanager_service:service_manager find;`
			`# TODO(b/146461633): remove this once native pullers talk to StatsManagerService`
GpuStats: sepolicy change for using new statsd puller api Bug: 148421389 Test: statsd_testdrive 10054 Change-Id: Icf1a4bf809b1413c0e413290bbeadd987faff710 2020-02-05 00:55:59 +01:00			`binder_call(gpuservice, statsd);`

GPU Memory: add sepolicy rules around bpf for gpuservice 1. Allow gpuservice to access tracepoint id 2. Allow gpuservice to access bpf program 3. Allow gpuservice to attach bpf program to tracepoint 4. Allow gpuservice to access bpf filesystem 5. Allow gpuservice to run bpf program and read map through bpfloader 6. Allow gpuservice to check a property to ensure bpf program loaded Bug: 136023082 Test: adb shell dumpsys gpu --gpumem Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8 2020-02-19 07:58:26 +01:00			`# Needed for reading tracepoint ids in order to attach bpf programs.`
			`allow gpuservice debugfs_tracing:file r_file_perms;`
			`allow gpuservice self:perf_event { cpu kernel open write };`
			`neverallow gpuservice self:perf_event ~{ cpu kernel open write };`

			`# Needed for interact with bpf fs.`
Add additional sepolicy rules for gpuservice Allow gpuservice to access read/write BPF maps. Bug: b/213577594 Change-Id: I487754c008a53819715a6bfc5da10182d87de413 2022-01-17 17:34:03 +01:00			`# Write is needed to open read/write bpf maps.`
			`allow gpuservice fs_bpf:file { read write };`
GPU Memory: add sepolicy rules around bpf for gpuservice 1. Allow gpuservice to access tracepoint id 2. Allow gpuservice to access bpf program 3. Allow gpuservice to attach bpf program to tracepoint 4. Allow gpuservice to access bpf filesystem 5. Allow gpuservice to run bpf program and read map through bpfloader 6. Allow gpuservice to check a property to ensure bpf program loaded Bug: 136023082 Test: adb shell dumpsys gpu --gpumem Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8 2020-02-19 07:58:26 +01:00
Add additional sepolicy rules for gpuservice Allow gpuservice to access read/write BPF maps. Bug: b/213577594 Change-Id: I487754c008a53819715a6bfc5da10182d87de413 2022-01-17 17:34:03 +01:00			`# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).`
			`allow gpuservice bpfloader:bpf { map_read map_write prog_run };`
GPU Memory: add sepolicy rules around bpf for gpuservice 1. Allow gpuservice to access tracepoint id 2. Allow gpuservice to access bpf program 3. Allow gpuservice to attach bpf program to tracepoint 4. Allow gpuservice to access bpf filesystem 5. Allow gpuservice to run bpf program and read map through bpfloader 6. Allow gpuservice to check a property to ensure bpf program loaded Bug: 136023082 Test: adb shell dumpsys gpu --gpumem Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8 2020-02-19 07:58:26 +01:00
[SEPolicy] Configure policy for gpu service. Historically GPU service lives in SurfaceFlinger as a convenient hack. Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU capability, and shouldn't know about anything about GPU. This patch moves GPU service out of SurfaceFlinger. GPU service is a service that accesses to GPU driver, queries GPU capabilities and reports back. Currently we use this information in CTS and some benchmarks. BUG: 118347356 Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify Change-Id: I007989e0f3f73b5caf80277979986820dd127c32 2018-11-01 21:47:51 +01:00			`add_service(gpuservice, gpu_service)`

Add a new system property persist.graphics.egl This new system property will be read and written by a new developer option switch, through gpuservice. Based on the value stored in persis.graphics.egl, we will load different GLES driver. e.g. persist.graphics.egl == $ro.hardware.egl: load native GLES driver persist.graphics.egl == angle: load angle as GLES driver Bug: b/270994705 Test: m; flash and check Pixel 7 boots fine Change-Id: Idec4b947d0c69c52cd798df4f834053bd306cf5f 2023-04-09 02:15:43 +02:00			`# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.`
			`set_prop(gpuservice, graphics_config_writable_prop)`

Allow graphics_config_writable_prop to be modified. vendor_init needs to set graphics_config_writable_prop, moving it to system_public_prop. Bug: b/270994705 Test: atest CtsAngleIntegrationHostTestCases Test: m && boot Change-Id: I2f47c1048aad4565cb13d4289b9a018734d18c07 2023-05-03 19:12:39 +02:00			`neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;`

Allow gpuservice to query permission Bug: b/270994705 Test: Flash, verify Pixel 7 can boot. Change-Id: I11e61034a8b4404aa998af2b9a04e08af9095fec 2023-04-17 06:12:43 +02:00			`# Needed for querying permission`
			`allow gpuservice permission_service:service_manager find;`

[SEPolicy] Configure policy for gpu service. Historically GPU service lives in SurfaceFlinger as a convenient hack. Howerver, SurfaceFlinger doesn't need to know about anything specific about GPU capability, and shouldn't know about anything about GPU. This patch moves GPU service out of SurfaceFlinger. GPU service is a service that accesses to GPU driver, queries GPU capabilities and reports back. Currently we use this information in CTS and some benchmarks. BUG: 118347356 Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify Change-Id: I007989e0f3f73b5caf80277979986820dd127c32 2018-11-01 21:47:51 +01:00			`# Only uncomment below line when in development`
			# userdebug_or_eng(`permissive gpuservice;')