platform_system_sepolicy/private/gpuservice.te
Maciej Żenczykowski 60f4a34544 refactor: get_prop(bpfdomain, bpf_progs_loaded_prop)
Based on:
  cs/p:aosp-master -file:prebuilts/ get_prop.*bpf_progs_loaded_prop

Test: TreeHugger
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Change-Id: If07026b1ea5753a82401a62349c494b4cbf699b6
2023-01-06 10:09:33 +00:00

65 lines
2.2 KiB
Text

# gpuservice - server for gpu stats and other gpu related services
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_call(gpuservice, system_server)
binder_use(gpuservice)
# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;
# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)
# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;
# Needed for dumpsys pipes.
allow gpuservice shell:fifo_file write;
# Needed for perfetto producer.
perfetto_producer(gpuservice)
# Use socket supplied by adbd, for cmd gpu vkjson etc.
allow gpuservice adbd:unix_stream_socket { read write getattr };
# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };
# Needed for dumpstate to dumpsys gpu.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;
# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd);
# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file r_file_perms;
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:file { read write };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
add_service(gpuservice, gpu_service)
# Only uncomment below line when in development
# userdebug_or_eng(`permissive gpuservice;')