Game Driver: sepolicy update for plumbing GpuStats into GpuService

Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.

Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df

private/compat/28.0/28.0.ignore.cil

@@ -48,6 +48,7 @@
     flags_health_check_exec
     fwk_bufferhub_hwservice
     fwk_stats_hwservice
+    gpuservice
     gsi_data_file
     gsi_metadata_file
     gsi_service

private/ephemeral_app.te

@@ -45,6 +45,10 @@ allow ephemeral_app mediadrmserver_service:service_manager find;
 allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
 
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.

private/gpuservice.te

@@ -1,5 +1,5 @@
-# gpu service
-type gpuservice, domain, coredomain;
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
 type gpuservice_exec, system_file_type, exec_type, file_type;
 
 init_daemon_domain(gpuservice)

private/platform_app.te

@@ -67,6 +67,10 @@ allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
+
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
 
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;

private/priv_app.te

@@ -47,6 +47,10 @@ allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
 allow priv_app system_api_service:service_manager find;
+allow priv_app gpu_service:service_manager find;
+
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
 
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;

private/system_app.te

@@ -66,6 +66,9 @@ binder_call(system_app, statsd)
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)
 
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
 allow system_app {

private/untrusted_app_all.te

@@ -98,6 +98,10 @@ allow untrusted_app_all nfc_service:service_manager find;
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
 
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all

public/gpuservice.te

@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;