| # gpuservice - server for gpu stats and other gpu related services |
| typeattribute gpuservice coredomain; |
| typeattribute gpuservice bpfdomain; |
| |
| type gpuservice_exec, system_file_type, exec_type, file_type; |
| |
| init_daemon_domain(gpuservice) |
| |
| binder_call(gpuservice, adbd) |
| binder_call(gpuservice, shell) |
| binder_call(gpuservice, system_server) |
| binder_use(gpuservice) |
| |
| # Access the GPU. |
| allow gpuservice gpu_device:chr_file rw_file_perms; |
| |
| # GPU service will need to load GPU driver, for example Vulkan driver in order |
| # to get the capability of the driver. |
| allow gpuservice same_process_hal_file:file { open read getattr execute map }; |
| allow gpuservice ion_device:chr_file r_file_perms; |
| get_prop(gpuservice, hwservicemanager_prop) |
| hwbinder_use(gpuservice) |
| |
| # Access /dev/graphics/fb0. |
| allow gpuservice graphics_device:dir search; |
| allow gpuservice graphics_device:chr_file rw_file_perms; |
| |
| # Allow shell access |
| allow gpuservice adbd:fd use; |
| allow gpuservice adbd:unix_stream_socket { getattr read write }; |
| allow gpuservice shell:fifo_file { getattr read write }; |
| |
| # Needed for perfetto producer. |
| perfetto_producer(gpuservice) |
| |
| # Needed for interactive shell |
| allow gpuservice devpts:chr_file { read write getattr }; |
| |
| # Needed for dumpstate to dumpsys gpu. |
| allow gpuservice dumpstate:fd use; |
| allow gpuservice dumpstate:fifo_file write; |
| |
| # Needed for stats callback registration to statsd. |
| allow gpuservice stats_service:service_manager find; |
| allow gpuservice statsmanager_service:service_manager find; |
| # TODO(b/146461633): remove this once native pullers talk to StatsManagerService |
| binder_call(gpuservice, statsd); |
| |
| # Needed for reading tracepoint ids in order to attach bpf programs. |
| allow gpuservice debugfs_tracing:file r_file_perms; |
| allow gpuservice self:perf_event { cpu kernel open write }; |
| neverallow gpuservice self:perf_event ~{ cpu kernel open write }; |
| |
| # Needed for interact with bpf fs. |
| # Write is needed to open read/write bpf maps. |
| allow gpuservice fs_bpf:file { read write }; |
| |
| # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write). |
| allow gpuservice bpfloader:bpf { map_read map_write prog_run }; |
| |
| add_service(gpuservice, gpu_service) |
| |
| # Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice. |
| set_prop(gpuservice, graphics_config_writable_prop) |
| |
| neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set; |
| |
| # Needed for querying permission |
| allow gpuservice permission_service:service_manager find; |
| |
| # Only uncomment below line when in development |
| # userdebug_or_eng(`permissive gpuservice;') |