diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 308d4c699..19a5b8910 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -49,6 +49,7 @@
 fwk_bufferhub_hwservice
 fwk_camera_hwservice
 fwk_stats_hwservice
+ gpuservice
 gsi_data_file
 gsi_metadata_file
 gsi_service
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3d3433ed2..05f41db68 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,6 +45,10 @@ allow ephemeral_app mediadrmserver_service:service_manager find;
 allow ephemeral_app drmserver_service:service_manager find;
 allow ephemeral_app radio_service:service_manager find;
 allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
 # Write app-specific trace data to the Perfetto traced damon. This requires
 # connecting to its producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c8f3defd3..ebfff7685 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,5 @@
-# gpu service
-type gpuservice, domain, coredomain;
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
 type gpuservice_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(gpuservice)
diff --git a/private/platform_app.te b/private/platform_app.te
index 7e190c9a4..da3303bf4 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
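Review bot: In private/ephemeral_app.te the added `allow ephemeral_app gpu_service:service_manager find;` and `binder_call(ephemeral_app, gpuservice)` let instant apps look up gpuservice and send it any binder transaction, and the untrusted_app_all, platform_app and priv_app hunks add the same pair. The policy gates only the binder edge, not individual methods, so any gpuservice call that is more than a harmless query has to check the caller's UID or permission in the service itself; that code is not part of this diff. The added comment should record this, for example `# gpuservice is reachable from instant apps; it must validate the caller on every privileged transaction`. The binder_call macro also allows the client to use file descriptors received from gpuservice, which matters if the service ever hands any out.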
@@ -67,6 +67,10 @@ allow platform_app timezone_service:service_manager find;
 allow platform_app app_api_service:service_manager find;
 allow platform_app system_api_service:service_manager find;
 allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
+
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
 # Access to /data/preloads
 allow platform_app preloads_data_file:file r_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 71e787f94..ad39eb16b 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -47,6 +47,10 @@ allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;
 allow priv_app system_api_service:service_manager find;
+allow priv_app gpu_service:service_manager find;
+
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 39af1e635..3f0d33508 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@ binder_call(system_app, statsd)
 # Allow system apps to interact with incidentd
 binder_call(system_app, incidentd)
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
 allow system_app servicemanager:service_manager list;
 # TODO: scope this down? Too broad?
 allow system_app {
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f1419b9f5..c1cd6c756 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
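Review bot: The private/system_app.te hunk adds `binder_call(system_app, gpuservice)` but no `gpu_service:service_manager find` rule, unlike the other app domains touched by this commit. The lookup is presumably covered by the broad rule that opens with `allow system_app {` on the last context line, but that rule continues outside the hunk, so its exclusion list cannot be checked from here. A short comment would make the dependency explicit, for example `# find on gpu_service is granted by the broad service_manager rule below`.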
@@ -98,6 +98,10 @@ allow untrusted_app_all nfc_service:service_manager find;
 allow untrusted_app_all radio_service:service_manager find;
 allow untrusted_app_all app_api_service:service_manager find;
 allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
 # Allow GMS core to access perfprofd output, which is stored
 # in /data/misc/perfprofd/. GMS core will need to list all
diff --git a/public/gpuservice.te b/public/gpuservice.te
new file mode 100644
index 000000000..c862d0b7f
--- /dev/null
+++ b/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;
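Review bot: Declaring `type gpuservice, domain;` in public/gpuservice.te makes the domain part of the versioned public policy, which vendor policy can then write rules against and which has to be tracked in the compat files (hence the 28.0.ignore.cil entry). Every rule in this commit that names gpuservice lives under private/, and those would compile against a private type as well. If no public or vendor policy needs to reference the domain, keeping the declaration in private/gpuservice.te keeps the exported surface smaller. Otherwise the header comment should name the consumer, for example `# public so that <consumer> can reference this domain`.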