platform_system_sepolicy/public/hal_graphics_composer.te
Jason Macnak 4ddaa3f080 Adds GPU sepolicy to support devices with DRM gralloc/rendering
... such as Cuttlefish (Cloud Android virtual device) which has a
DRM virtio-gpu based gralloc and (sometimes) DRM virtio-gpu based
rendering (when forwarding rendering commands to the host machine
with Mesa3D in the guest and virglrenderer on the host).

After this change is submitted, changes such as aosp/1997572 can
be submitted to removed sepolicy that is currently duplicated
across device/google/cuttlefish and device/linaro/dragonboard as
well.

Adds a sysfs_gpu type (existing replicated sysfs_gpu definitions
across several devices are removed in the attached topic). The
uses of `sysfs_gpu:file` comes from Mesa using libdrm's
`drmGetDevices2()` which calls into `drmParsePciDeviceInfo()` to
get vendor id, device id, version etc.

Ignore-AOSP-First: must be submitted in internal as a topic first to
                   avoid having duplicate definitions of sysfs_gpu
                   in projects that are only available in internal

Bug: b/161819018
Test: launch_cvd
Test: launch_cvd --gpu_mode=gfxstream
Change-Id: I4f7d4b0fb90bfeef72f94396ff0c5fe44d53510c
2022-04-18 12:54:47 -07:00

42 lines
1.8 KiB
Text

type hal_graphics_composer_server_tmpfs, file_type;
attribute hal_graphics_composer_client_tmpfs;
expandattribute hal_graphics_composer_client_tmpfs true;
# HwBinder IPC from client to server, and callbacks
binder_call(hal_graphics_composer_client, hal_graphics_composer_server)
binder_call(hal_graphics_composer_server, hal_graphics_composer_client)
allow hal_graphics_composer_client hal_graphics_composer_server_tmpfs:file { getattr map read write };
allow hal_graphics_composer_server hal_graphics_composer_client_tmpfs:file { getattr map read write };
hal_attribute_hwservice(hal_graphics_composer, hal_graphics_composer_hwservice)
# Coordinate with hal_graphics_mapper
allow hal_graphics_composer_server hal_graphics_mapper_hwservice:hwservice_manager find;
# GPU device access
allow hal_graphics_composer gpu_device:chr_file rw_file_perms;
allow hal_graphics_composer gpu_device:dir r_dir_perms;
allow hal_graphics_composer ion_device:chr_file r_file_perms;
allow hal_graphics_composer dmabuf_system_heap_device:chr_file r_file_perms;
allow hal_graphics_composer hal_graphics_allocator:fd use;
# Access /dev/graphics/fb0.
allow hal_graphics_composer graphics_device:dir search;
allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
# Fences
allow hal_graphics_composer system_server:fd use;
allow hal_graphics_composer bootanim:fd use;
allow hal_graphics_composer appdomain:fd use;
# allow self to set SCHED_FIFO
allow hal_graphics_composer self:global_capability_class_set sys_nice;
# allow surfaceflinger to use a pipe for dumpsys output
allow hal_graphics_composer_server hal_graphics_composer_client:fifo_file write;
binder_call(hal_graphics_composer_client, servicemanager)
binder_call(hal_graphics_composer_server, servicemanager)
hal_attribute_service(hal_graphics_composer, hal_graphics_composer_service)