platform_system_sepolicy/private/gpuservice.te
Yiwei Zhang 544d6b34ec Game Driver: sepolicy update for plumbing GpuStats into GpuService
Allow all the app process with GUI to send GPU health metrics stats to
GpuService during the GraphicsEnvironment setup stage for the process.

Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
2019-02-08 18:15:17 -08:00

37 lines
1.2 KiB
Text

# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_use(gpuservice)
# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
# Needed for dumpsys pipes.
allow gpuservice shell:fifo_file write;
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')