| # gpu service |
| # SELinux type enforcement rules for the gpuservice domain. The rules below, |
| # plus whatever the macros expand to, are the access this file grants to the |
| # domain; review every addition as a widening of a coredomain process. |
| type gpuservice, domain, coredomain; |
| # Label of the gpuservice executable. The init_daemon_domain macro below keys |
| # the init -> gpuservice domain transition on this type. |
| type gpuservice_exec, system_file_type, exec_type, file_type; |
| |
| init_daemon_domain(gpuservice) |
| |
| # Binder calls towards adbd and shell. |
| # NOTE(review): presumably used to answer cmd/dumpsys callers (see the pipe |
| # and socket rules further down) - confirm against the service code. |
| binder_call(gpuservice, adbd) |
| binder_call(gpuservice, shell) |
| binder_use(gpuservice) |
| |
| # Access the GPU. |
| # rw_file_perms includes ioctl. NOTE(review): no ioctl allow-list (allowxperm) |
| # for gpu_device is visible in this listing; confirm whether the permitted |
| # ioctl commands are narrowed elsewhere. |
| allow gpuservice gpu_device:chr_file rw_file_perms; |
| |
| # GPU service will need to load GPU driver, for example Vulkan driver in order |
| # to get the capability of the driver. |
| # execute + map means driver code labelled same_process_hal_file runs inside |
| # this process with every permission granted in this file, so the domain is |
| # only as trustworthy as the drivers it loads. The rule is read-and-execute |
| # only: no write is granted on these files. |
| allow gpuservice same_process_hal_file:file { open read getattr execute map }; |
| # Read-only access to the ion device node (r_file_perms, no write). |
| allow gpuservice ion_device:chr_file r_file_perms; |
| get_prop(gpuservice, hwservicemanager_prop) |
| hwbinder_use(gpuservice) |
| |
| # Access /dev/graphics/fb0. |
| # dir search only allows path lookup under the graphics_device directory; the |
| # chr_file rule grants read/write on the device nodes themselves. |
| allow gpuservice graphics_device:dir search; |
| allow gpuservice graphics_device:chr_file rw_file_perms; |
| |
| # Needed for dumpsys pipes. |
| # write only: this rule grants neither open nor read on shell pipes, so it |
| # covers writing to a pipe descriptor handed over by the caller. |
| allow gpuservice shell:fifo_file write; |
| |
| # Use socket supplied by adbd, for cmd gpu vkjson etc. |
| # No create/connect/accept is granted here; the rule only covers I/O on a |
| # socket that adbd already owns and passes in. |
| allow gpuservice adbd:unix_stream_socket { read write getattr }; |
| |
| # Needed for interactive shell |
| # As above, no open permission: I/O on an inherited pty descriptor only. |
| allow gpuservice devpts:chr_file { read write getattr }; |
| |
| # Registers the service under the gpu_service service type. |
| add_service(gpuservice, gpu_service) |
| |
| # Only uncomment below line when in development |
| # A permissive domain is not enforced: denials are logged but the access goes |
| # through. The userdebug_or_eng wrapper keeps the rule out of user builds, but |
| # the line must stay commented out in anything that ships or is used to |
| # validate this policy, otherwise missing allow rules go unnoticed. |
| # userdebug_or_eng(`permissive gpuservice;') |