# gpuservice - server for gpu stats and other gpu related services typeattribute gpuservice coredomain; typeattribute gpuservice bpfdomain; type gpuservice_exec, system_file_type, exec_type, file_type; init_daemon_domain(gpuservice) binder_call(gpuservice, adbd) binder_call(gpuservice, shell) binder_call(gpuservice, system_server) binder_use(gpuservice) # Access the GPU. allow gpuservice gpu_device:chr_file rw_file_perms; # GPU service will need to load GPU driver, for example Vulkan driver in order # to get the capability of the driver. allow gpuservice same_process_hal_file:file { open read getattr execute map }; allow gpuservice ion_device:chr_file r_file_perms; get_prop(gpuservice, hwservicemanager_prop) hwbinder_use(gpuservice) # Access /dev/graphics/fb0. allow gpuservice graphics_device:dir search; allow gpuservice graphics_device:chr_file rw_file_perms; # Needed for dumpsys pipes. allow gpuservice shell:fifo_file write; # Needed for perfetto producer. perfetto_producer(gpuservice) # Use socket supplied by adbd, for cmd gpu vkjson etc. allow gpuservice adbd:unix_stream_socket { read write getattr }; # Needed for interactive shell allow gpuservice devpts:chr_file { read write getattr }; # Needed for dumpstate to dumpsys gpu. allow gpuservice dumpstate:fd use; allow gpuservice dumpstate:fifo_file write; # Needed for stats callback registration to statsd. allow gpuservice stats_service:service_manager find; allow gpuservice statsmanager_service:service_manager find; # TODO(b/146461633): remove this once native pullers talk to StatsManagerService binder_call(gpuservice, statsd); # Needed for reading tracepoint ids in order to attach bpf programs. allow gpuservice debugfs_tracing:file r_file_perms; allow gpuservice self:perf_event { cpu kernel open write }; neverallow gpuservice self:perf_event ~{ cpu kernel open write }; # Needed for interact with bpf fs. # Write is needed to open read/write bpf maps. allow gpuservice fs_bpf:file { read write }; # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write). allow gpuservice bpfloader:bpf { map_read map_write prog_run }; add_service(gpuservice, gpu_service) # Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice. set_prop(gpuservice, graphics_config_writable_prop) neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set; # Needed for querying permission allow gpuservice permission_service:service_manager find; # Only uncomment below line when in development # userdebug_or_eng(`permissive gpuservice;')