213e1d8ea0
Transfers access permissions into the system policy which would otherwise be set up on a per-device basis in exactly the same recurring way. For surfaceflinger it avoids errors when it (via its dependent graphics libraries) tries to allocate memory from the protected heap, e.g. when operating on a Vulkan device with protected memory support. Bug: 235618476 Change-Id: I7f9a176c067ead2f3bd38b8c34fc55fa39d87655
# HwBinder IPC from client to server
# Besides the binder call/transfer permissions, binder_call() lets the client
# use file descriptors the server hands back. Presumably that is how allocated
# buffer fds reach clients; confirm against the macro definition.
binder_call(hal_graphics_allocator_client, hal_graphics_allocator_server)
# Binds the hwservice type to this HAL: client domains may look it up, and
# registration is reserved for server domains (per the macro definition).
hal_attribute_hwservice(hal_graphics_allocator, hal_graphics_allocator_hwservice)
# Allocator clients may also look up the mapper hwservice; only `find` is granted.
allow hal_graphics_allocator_client hal_graphics_mapper_hwservice:hwservice_manager find;
# Clients may read, map and execute files labelled same_process_hal_file,
# presumably HAL libraries loaded into the client's own process. No write
# permission is granted; keep it that way, because anything carrying this
# label can run inside every allocator client domain.
allow hal_graphics_allocator_client same_process_hal_file:file { execute read open getattr map };
# GPU device access
# Read-write access to the GPU character device for every domain carrying the
# hal_graphics_allocator attribute.
allow hal_graphics_allocator gpu_device:chr_file rw_file_perms;
# Read-only directory access (list/search) on gpu_device directories; no
# permission to add or remove entries.
allow hal_graphics_allocator gpu_device:dir r_dir_perms;
# ION allocator node, opened read-only. NOTE(review): r_file_perms includes
# ioctl, so "read-only" here does not mean the domain cannot allocate.
allow hal_graphics_allocator ion_device:chr_file r_file_perms;
# DMA-BUF system heap node, with the same read-only permission set as the
# ion_device rule (r_file_perms, which includes ioctl).
allow hal_graphics_allocator dmabuf_system_heap_device:chr_file r_file_perms;
# Access the secure heap
# The source is the hal_graphics_allocator attribute, so every domain that
# carries it may open the secure heap node, not one specific service.
# NOTE(review): confirm which domains carry the attribute on the target build,
# since this rule now applies platform-wide instead of per device.
# NOTE(review): r_file_perms includes ioctl. If only buffer allocation is
# needed, check whether an ioctl allowlist (allowxperm) is practical here.
allow hal_graphics_allocator dmabuf_system_secure_heap_device:chr_file r_file_perms;
# Allow running with a real-time scheduling policy
# Grants the sys_nice capability to allocator domains (priority raises and
# real-time policies). NOTE(review): this is only the capability check;
# changing the scheduling of another process is still gated by separate
# SELinux process permissions on the target domain. A real-time thread that
# misbehaves can starve other work, so keep the set of domains small.
allow hal_graphics_allocator self:global_capability_class_set sys_nice;
# IAllocator stable-aidl
# AIDL counterpart of the hwservice binding: client domains may find
# hal_graphics_allocator_service, and registration is reserved for server
# domains (per the macro definition).
hal_attribute_service(hal_graphics_allocator, hal_graphics_allocator_service)
# Server domains may call servicemanager, presumably to register the AIDL service.
binder_call(hal_graphics_allocator_server, servicemanager)
# Client domains may call servicemanager, presumably to look the AIDL service up.
binder_call(hal_graphics_allocator_client, servicemanager)