Adds GPU sepolicy to support devices with DRM gralloc/rendering

... such as Cuttlefish (Cloud Android virtual device) which has a DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based rendering (when forwarding rendering commands to the host machine with Mesa3D in the guest and virglrenderer on the host). After this change is submitted, changes such as aosp/1997572 can be submitted to removed sepolicy that is currently duplicated across device/google/cuttlefish and device/linaro/dragonboard as well. Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions across several devices are removed in the attached topic). The uses of `sysfs_gpu:file` comes from Mesa using libdrm's `drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to get vendor id, device id, version etc. Bug: b/161819018 Test: launch_cvd Test: launch_cvd --gpu_mode=gfxstream Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c Merged-In: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-02-24 18:32:16 +00:00 · 2022-02-24 18:32:16 +00:00 · a93398051c
commit a93398051c
parent 47bddcd065
19 changed files with 33 additions and 2 deletions
--- a/private/adbd.te
+++ b/private/adbd.te
@ -129,6 +129,7 @@ binder_call(adbd, surfaceflinger)
 binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd gpu_device:dir r_dir_perms;
 allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)
--- a/private/app.te
+++ b/private/app.te
@ -302,6 +302,9 @@ userdebug_or_eng(`
 # Grant GPU access to all processes started by Zygote.
 # They need that to render the standard UI.
 allow { appdomain -isolated_app } gpu_device:chr_file rw_file_perms;
 allow { appdomain -isolated_app } gpu_device:dir r_dir_perms;
 allow { appdomain -isolated_app } sysfs_gpu:file r_file_perms;
 # Use the Binder.
 binder_use(appdomain)
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@ -36,6 +36,9 @@ allow bluetooth efs_file:dir search;
 # allow Bluetooth to access uhid device for HID profile
 allow bluetooth uhid_device:chr_file rw_file_perms;
 allow bluetooth gpu_device:chr_file rw_file_perms;
 allow bluetooth gpu_device:dir r_dir_perms;
 # proc access.
 allow bluetooth proc_bluetooth_writable:file rw_file_perms;
--- a/private/cameraserver.te
+++ b/private/cameraserver.te
@ -4,3 +4,6 @@ typeattribute cameraserver camera_service_server;
 init_daemon_domain(cameraserver)
 tmpfs_domain(cameraserver)
 allow cameraserver gpu_device:chr_file rw_file_perms;
 allow cameraserver gpu_device:dir r_dir_perms;
--- a/private/compat/32.0/32.0.ignore.cil
+++ b/private/compat/32.0/32.0.ignore.cil
@ -65,6 +65,7 @@
    smart_idle_maint_enabled_prop
    snapuserd_proxy_socket
    sysfs_fs_fuse_bpf
    sysfs_gpu
    sysfs_lru_gen_enabled
    system_dlkm_file
    tare_service
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@ -123,6 +123,7 @@ genfscon sysfs /devices/cs_etm                    u:object_r:sysfs_devices_cs_et
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /class/android_usb                 u:object_r:sysfs_android_usb:s0
 genfscon sysfs /class/extcon                      u:object_r:sysfs_extcon:s0
 genfscon sysfs /class/gpu                         u:object_r:sysfs_gpu:s0
 genfscon sysfs /class/leds                        u:object_r:sysfs_leds:s0
 genfscon sysfs /class/net                         u:object_r:sysfs_net:s0
 genfscon sysfs /class/rfkill/rfkill0/state        u:object_r:sysfs_bluetooth_writable:s0
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@ -59,7 +59,8 @@ get_prop(mediaprovider_app, storage_config_prop)
 get_prop(mediaprovider_app, drm_service_config_prop)
-allow mediaprovider_app gpu_device:dir search;
+allow mediaprovider_app gpu_device:chr_file rw_file_perms;
 allow mediaprovider_app gpu_device:dir r_dir_perms;
 dontaudit mediaprovider_app sysfs_vendor_sched:dir search;
 dontaudit mediaprovider_app sysfs_vendor_sched:file w_file_perms;
--- a/private/mediatranscoding.te
+++ b/private/mediatranscoding.te
@ -42,7 +42,8 @@ unix_socket_send(mediatranscoding, statsdw, statsd)
 # Allow mediatranscoding to access the DMA-BUF system heap
 allow mediatranscoding dmabuf_system_heap_device:chr_file r_file_perms;
-allow mediatranscoding gpu_device:dir search;
+allow mediatranscoding gpu_device:chr_file rw_file_perms;
 allow mediatranscoding gpu_device:dir r_dir_perms;
 # Allow mediatranscoding service to access media-related system properties
 get_prop(mediatranscoding, media_config_prop)
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@ -38,6 +38,8 @@ r_dir_file(surfaceflinger, appdomain)
 # Access the GPU.
 allow surfaceflinger gpu_device:chr_file rw_file_perms;
 allow surfaceflinger gpu_device:dir r_dir_perms;
 allow surfaceflinger sysfs_gpu:file r_file_perms;
 # Access /dev/graphics/fb0.
 allow surfaceflinger graphics_device:dir search;
--- a/private/system_server.te
+++ b/private/system_server.te
@ -451,6 +451,8 @@ allow system_server sysfs_usb:file w_file_perms;
 allow system_server device:dir r_dir_perms;
 allow system_server mdns_socket:sock_file rw_file_perms;
 allow system_server gpu_device:chr_file rw_file_perms;
 allow system_server gpu_device:dir r_dir_perms;
 allow system_server sysfs_gpu:file r_file_perms;
 allow system_server input_device:dir r_dir_perms;
 allow system_server input_device:chr_file rw_file_perms;
 allow system_server tty_device:chr_file rw_file_perms;
--- a/public/bootanim.te
+++ b/public/bootanim.te
@ -13,6 +13,8 @@ binder_call(bootanim, audioserver)
 hwbinder_use(bootanim)
 allow bootanim gpu_device:chr_file rw_file_perms;
 allow bootanim gpu_device:dir r_dir_perms;
 allow bootanim sysfs_gpu:file r_file_perms;
 # /oem access
 allow bootanim oemfs:dir search;
--- a/public/dumpstate.te
+++ b/public/dumpstate.te
@ -188,6 +188,7 @@ allow dumpstate nfc_logs_data_file:file r_file_perms;
 # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
 allow dumpstate gpu_device:chr_file rw_file_perms;
 allow dumpstate gpu_device:dir r_dir_perms;
 # logd access
 read_logd(dumpstate)
--- a/public/file.te
+++ b/public/file.te
@ -106,6 +106,7 @@ type sysfs_ipv4, fs_type, sysfs_type;
 type sysfs_kernel_notes, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_leds, fs_type, sysfs_type;
 type sysfs_loop, fs_type, sysfs_type;
 type sysfs_gpu, fs_type, sysfs_type;
 type sysfs_hwrandom, fs_type, sysfs_type;
 type sysfs_nfc_power_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wake_lock, fs_type, sysfs_type;
--- a/public/hal_graphics_allocator.te
+++ b/public/hal_graphics_allocator.te
@ -7,6 +7,7 @@ allow hal_graphics_allocator_client same_process_hal_file:file { execute read op
 # GPU device access
 allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
 allow hal_graphics_allocator gpu_device:dir r_dir_perms;
 allow hal_graphics_allocator ion_device:chr_file r_file_perms;
 allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
--- a/public/hal_graphics_composer.te
+++ b/public/hal_graphics_composer.te
@ -15,6 +15,7 @@ allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manag
 # GPU device access
 allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
 allow hal_graphics_composer gpu_device:dir r_dir_perms;
 allow hal_graphics_composer ion_device:chr_file r_file_perms;
 allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_graphics_composer hal_graphics_allocator:fd use;
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@ -33,6 +33,7 @@ allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
 allow mediaserver { sdcard_type fuse }:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver gpu_device:dir r_dir_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;
--- a/public/mediaswcodec.te
+++ b/public/mediaswcodec.te
@ -25,3 +25,5 @@ neverallow mediaswcodec domain:{ tcp_socket udp_socket rawip_socket } *;
 allow mediaswcodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediaswcodec dmabuf_system_secure_heap_device:chr_file r_file_perms;
 allow mediaswcodec gpu_device:chr_file rw_file_perms;
 allow mediaswcodec gpu_device:dir r_dir_perms;
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@ -9,3 +9,6 @@ allow hal_camera_default fwk_sensor_hwservice:hwservice_manager find;
 # For collecting bugreports.
 allow hal_camera_default dumpstate:fd use;
 allow hal_camera_default dumpstate:fifo_file write;
 allow hal_camera_default gpu_device:chr_file rw_file_perms;
 allow hal_camera_default gpu_device:dir r_dir_perms;
--- a/vendor/mediacodec.te
+++ b/vendor/mediacodec.te
@ -17,6 +17,7 @@ hal_client_domain(mediacodec, hal_allocator)
 hal_client_domain(mediacodec, hal_graphics_allocator)
 allow mediacodec gpu_device:chr_file rw_file_perms;
 allow mediacodec gpu_device:dir r_dir_perms;
 allow mediacodec ion_device:chr_file rw_file_perms;
 allow mediacodec dmabuf_system_heap_device:chr_file r_file_perms;
 allow mediacodec video_device:chr_file rw_file_perms;