Adds GPU sepolicy to support devices with DRM gralloc/rendering
... such as Cuttlefish (Cloud Android virtual device) which has a DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based rendering (when forwarding rendering commands to the host machine with Mesa3D in the guest and virglrenderer on the host). After this change is submitted, changes such as aosp/1997572 can be submitted to remove sepolicy that is currently duplicated across device/google/cuttlefish and device/linaro/dragonboard as well. Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions across several devices are removed in the attached topic). The uses of `sysfs_gpu:file` come from Mesa using libdrm's `drmGetDevices2()`, which calls into `drmParsePciDeviceInfo()` to get the vendor id, device id, version etc. Bug: b/161819018 Test: launch_cvd Test: launch_cvd --gpu_mode=gfxstream Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
parent
47bddcd065
commit
a93398051c
19 changed files with 33 additions and 2 deletions
|
@ -129,6 +129,7 @@ binder_call(adbd, surfaceflinger)
|
|||
binder_call(adbd, gpuservice)
|
||||
# b/13188914
|
||||
allow adbd gpu_device:chr_file rw_file_perms;
|
||||
allow adbd gpu_device:dir r_dir_perms;
|
||||
allow adbd ion_device:chr_file rw_file_perms;
|
||||
r_dir_file(adbd, system_file)
|
||||
|
||||
|
|
|
@ -302,6 +302,9 @@ userdebug_or_eng(`
|
|||
# Grant GPU access to all processes started by Zygote.
|
||||
# They need that to render the standard UI.
|
||||
allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
|
||||
allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
|
||||
allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
|
||||
|
||||
|
||||
# Use the Binder.
|
||||
binder_use(appdomain)
|
||||
|
|
|
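Review bot: `allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;` gives every non-isolated app, untrusted ones included, more than the description asks for: r_file_perms also carries ioctl, lock and map, while the stated consumer is libdrm reading vendor/device/revision attributes. `allow { appdomain -isolated_app } sysfs_gpu:file { getattr open read };` covers that use and keeps mmap off the table for whatever else a device ends up labelling sysfs_gpu (if a device labels a whole PCI device directory, the mmap-able resource nodes there would share the type). As I read genfscon path matching, the `/class/gpu` entry added in this change labels only that directory and the entries in it, so these reads only succeed once a device labels the backing device directory with sysfs_gpu in its own genfs_contexts; the comment above the rule should say so, e.g. `# sysfs_gpu: GPU identity attributes read by libdrm; devices label only the attribute directory, not the whole PCI device.`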
@ -36,6 +36,9 @@ allow bluetooth efs_file:dir search;
|
|||
# allow Bluetooth to access uhid device for HID profile
|
||||
allow bluetooth uhid_device:chr_file rw_file_perms;
|
||||
|
||||
allow bluetooth gpu_device:chr_file rw_file_perms;
|
||||
allow bluetooth gpu_device:dir r_dir_perms;
|
||||
|
||||
# proc access.
|
||||
allow bluetooth proc_bluetooth_writable:file rw_file_perms;
|
||||
|
||||
|
|
|
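Review bot: The new `allow bluetooth gpu_device:chr_file rw_file_perms;` and `allow bluetooth gpu_device:dir r_dir_perms;` look redundant: if bluetooth is still declared with app_domain(bluetooth), it already receives both grants from the `{ appdomain -isolated_app }` rules in app.te that this same change touches, and a second copy here will silently drift if app.te is tightened later. Either drop them or add a one-line comment naming the non-app code path that needs the explicit rule, so the next reviewer does not have to guess.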
@ -4,3 +4,6 @@ typeattribute cameraserver camera_service_server;
|
|||
|
||||
init_daemon_domain(cameraserver)
|
||||
tmpfs_domain(cameraserver)
|
||||
|
||||
allow cameraserver gpu_device:chr_file rw_file_perms;
|
||||
allow cameraserver gpu_device:dir r_dir_perms;
|
||||
|
|
|
@ -65,6 +65,7 @@
|
|||
smart_idle_maint_enabled_prop
|
||||
snapuserd_proxy_socket
|
||||
sysfs_fs_fuse_bpf
|
||||
sysfs_gpu
|
||||
sysfs_lru_gen_enabled
|
||||
system_dlkm_file
|
||||
tare_service
|
||||
|
|
|
@ -123,6 +123,7 @@ genfscon sysfs /devices/cs_etm u:object_r:sysfs_devices_cs_et
|
|||
genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
|
||||
genfscon sysfs /class/android_usb u:object_r:sysfs_android_usb:s0
|
||||
genfscon sysfs /class/extcon u:object_r:sysfs_extcon:s0
|
||||
genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0
|
||||
genfscon sysfs /class/leds u:object_r:sysfs_leds:s0
|
||||
genfscon sysfs /class/net u:object_r:sysfs_net:s0
|
||||
genfscon sysfs /class/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
|
||||
|
|
|
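Review bot: `genfscon sysfs /class/gpu u:object_r:sysfs_gpu:s0` reaches the class directory and the entries in it, but the vendor/device/revision attributes the description says libdrm reads via `drmParsePciDeviceInfo()` live under the device's own path in /sys/devices, which a `/class/gpu` prefix does not cover as I read genfscon matching; the `sysfs_gpu:file` grants elsewhere in this change presumably rely on device-specific genfscon lines that are not visible here. Please say that on this line so it is not rediscovered per device, e.g. `# /sys/class/gpu: GPU class entries; devices label the backing device directory libdrm reads (vendor/device ids) with sysfs_gpu in their own genfs_contexts.` Any such device entry should be kept to the attribute files libdrm needs rather than the whole PCI device directory, since apps get read access to the type.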
@ -59,7 +59,8 @@ get_prop(mediaprovider_app, storage_config_prop)
|
|||
|
||||
get_prop(mediaprovider_app, drm_service_config_prop)
|
||||
|
||||
allow mediaprovider_app gpu_device:dir search;
|
||||
allow mediaprovider_app gpu_device:chr_file rw_file_perms;
|
||||
allow mediaprovider_app gpu_device:dir r_dir_perms;
|
||||
|
||||
dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
|
||||
dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
|
||||
|
|
|
@ -42,7 +42,8 @@ unix_socket_send(mediatranscoding, statsdw, statsd)
|
|||
# Allow mediatranscoding to access the DMA-BUF system heap
|
||||
allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
|
||||
allow mediatranscoding gpu_device:dir search;
|
||||
allow mediatranscoding gpu_device:chr_file rw_file_perms;
|
||||
allow mediatranscoding gpu_device:dir r_dir_perms;
|
||||
|
||||
# Allow mediatranscoding service to access media-related system properties
|
||||
get_prop(mediatranscoding, media_config_prop)
|
||||
|
|
|
@ -38,6 +38,8 @@ r_dir_file(surfaceflinger, appdomain)
|
|||
|
||||
# Access the GPU.
|
||||
allow surfaceflinger gpu_device:chr_file rw_file_perms;
|
||||
allow surfaceflinger gpu_device:dir r_dir_perms;
|
||||
allow surfaceflinger sysfs_gpu:file r_file_perms;
|
||||
|
||||
# Access /dev/graphics/fb0.
|
||||
allow surfaceflinger graphics_device:dir search;
|
||||
|
|
|
@ -451,6 +451,8 @@ allow system_server sysfs_usb:file w_file_perms;
|
|||
allow system_server device:dir r_dir_perms;
|
||||
allow system_server mdns_socket:sock_file rw_file_perms;
|
||||
allow system_server gpu_device:chr_file rw_file_perms;
|
||||
allow system_server gpu_device:dir r_dir_perms;
|
||||
allow system_server sysfs_gpu:file r_file_perms;
|
||||
allow system_server input_device:dir r_dir_perms;
|
||||
allow system_server input_device:chr_file rw_file_perms;
|
||||
allow system_server tty_device:chr_file rw_file_perms;
|
||||
|
|
|
@ -13,6 +13,8 @@ binder_call(bootanim, audioserver)
|
|||
hwbinder_use(bootanim)
|
||||
|
||||
allow bootanim gpu_device:chr_file rw_file_perms;
|
||||
allow bootanim gpu_device:dir r_dir_perms;
|
||||
allow bootanim sysfs_gpu:file r_file_perms;
|
||||
|
||||
# /oem access
|
||||
allow bootanim oemfs:dir search;
|
||||
|
|
|
@ -188,6 +188,7 @@ allow dumpstate nfc_logs_data_file:file r_file_perms;
|
|||
|
||||
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
|
||||
allow dumpstate gpu_device:chr_file rw_file_perms;
|
||||
allow dumpstate gpu_device:dir r_dir_perms;
|
||||
|
||||
# logd access
|
||||
read_logd(dumpstate)
|
||||
|
|
|
@ -106,6 +106,7 @@ type sysfs_ipv4, fs_type, sysfs_type;
|
|||
type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_leds, fs_type, sysfs_type;
|
||||
type sysfs_loop, fs_type, sysfs_type;
|
||||
type sysfs_gpu, fs_type, sysfs_type;
|
||||
type sysfs_hwrandom, fs_type, sysfs_type;
|
||||
type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
|
||||
type sysfs_wake_lock, fs_type, sysfs_type;
|
||||
|
|
|
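Review bot: `type sysfs_gpu, fs_type, sysfs_type;` carries no comment saying what it labels or who reads it, and unlike the other new entries in this change (the compat list keeps sysfs_gpu in sorted order) it is dropped between sysfs_loop and sysfs_hwrandom. I'd add `# GPU sysfs attributes (/sys/class/gpu and the device directories assigned in genfs_contexts); read-only for apps and surfaceflinger, used by libdrm for PCI vendor/device ids.` and place the type alongside the other sysfs_* declarations in the order the file already uses.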
@ -7,6 +7,7 @@ allow hal_graphics_allocator_client same_process_hal_file:file { execute read op
|
|||
|
||||
# GPU device access
|
||||
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
|
||||
allow hal_graphics_allocator gpu_device:dir r_dir_perms;
|
||||
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
|
||||
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
|
||||
|
|
|
@ -15,6 +15,7 @@ allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manag
|
|||
|
||||
# GPU device access
|
||||
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
|
||||
allow hal_graphics_composer gpu_device:dir r_dir_perms;
|
||||
allow hal_graphics_composer ion_device:chr_file r_file_perms;
|
||||
allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
allow hal_graphics_composer hal_graphics_allocator:fd use;
|
||||
|
|
|
@ -33,6 +33,7 @@ allow mediaserver media_data_file:file create_file_perms;
|
|||
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
|
||||
allow mediaserver { sdcard_type fuse }:file write;
|
||||
allow mediaserver gpu_device:chr_file rw_file_perms;
|
||||
allow mediaserver gpu_device:dir r_dir_perms;
|
||||
allow mediaserver video_device:dir r_dir_perms;
|
||||
allow mediaserver video_device:chr_file rw_file_perms;
|
||||
|
||||
|
|
|
@ -25,3 +25,5 @@ neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
|
|||
|
||||
allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
|
||||
allow mediaswcodec gpu_device:chr_file rw_file_perms;
|
||||
allow mediaswcodec gpu_device:dir r_dir_perms;
|
||||
|
|
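Review bot: `allow mediaswcodec gpu_device:chr_file rw_file_perms;` is a new grant (the hunk grows from 3 to 5 lines, and the two gpu_device rules are the additions), and it opens the kernel GPU driver's ioctl surface to the software-codec sandbox whose purpose is to parse untrusted bitstreams away from device drivers; the file's own neverallow on sockets shows that intent. Nothing in the hunk records why it is needed, presumably an in-process DRM-based gralloc mapper that opens the render node to map buffers, so please add a comment such as `# DRM-based gralloc (e.g. virtio-gpu on Cuttlefish) maps buffers in-process via the render node.` If gpu_device labels every node under /dev/dri as is usual, this cannot be narrowed to the render node by type alone, so it is worth checking whether buffer mapping for this domain can go through the mapper without handing the codec process the device node itself.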
3
vendor/hal_camera_default.te
|
@ -9,3 +9,6 @@ allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
|
|||
# For collecting bugreports.
|
||||
allow hal_camera_default dumpstate:fd use;
|
||||
allow hal_camera_default dumpstate:fifo_file write;
|
||||
|
||||
allow hal_camera_default gpu_device:chr_file rw_file_perms;
|
||||
allow hal_camera_default gpu_device:dir r_dir_perms;
|
||||
|
|
1
vendor/mediacodec.te
|
@ -17,6 +17,7 @@ hal_client_domain(mediacodec, hal_allocator)
|
|||
hal_client_domain(mediacodec, hal_graphics_allocator)
|
||||
|
||||
allow mediacodec gpu_device:chr_file rw_file_perms;
|
||||
allow mediacodec gpu_device:dir r_dir_perms;
|
||||
allow mediacodec ion_device:chr_file rw_file_perms;
|
||||
allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
|
||||
allow mediacodec video_device:chr_file rw_file_perms;
|
||||
|
|