tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/gpuservice.te
Yiwei Zhang 4b63ce9dd0 GPU Memory: add sepolicy rules around bpf for gpuservice 
1. Allow gpuservice to access tracepoint id
2. Allow gpuservice to access bpf program
3. Allow gpuservice to attach bpf program to tracepoint
4. Allow gpuservice to access bpf filesystem
5. Allow gpuservice to run bpf program and read map through bpfloader
6. Allow gpuservice to check a property to ensure bpf program loaded

Bug: 136023082
Test: adb shell dumpsys gpu --gpumem
Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8
2020-06-03 11:23:16 -07:00

63 lines
2.2 KiB
Text
Raw Blame History

# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_call(gpuservice, system_server)
binder_use(gpuservice)
# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
# Needed for dumpsys pipes.
allow gpuservice shell:fifo_file write;
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);
# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file r_file_perms;
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
allow gpuservice fs_bpf:dir search;
allow gpuservice fs_bpf:file read;
# Needed for enable the bpf program and read the map.
allow gpuservice bpfloader:bpf { map_read prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')
Reference in a new issue View git blame Copy permalink