GPU Memory: add sepolicy rules around bpf for gpuservice 1. Allow gpuservice to access tracepoint id 2. Allow gpuservice to access bpf program 3. Allow gpuservice to attach bpf program to tracepoint 4. Allow gpuservice to access bpf filesystem 5. Allow gpuservice to run bpf program and read map through bpfloader 6. Allow gpuservice to check a property to ensure bpf program loaded Bug: 136023082 Test: adb shell dumpsys gpu --gpumem Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8

commit: 4b63ce9dd0f4401f0a431f022e40835431dd2a79 [log] [tgz]
author: Yiwei Zhang <zzyiwei@google.com> Tue Feb 18 22:58:26 2020 -0800
committer: Yiwei Zhang <zzyiwei@google.com> Wed Jun 03 11:23:16 2020 -0700
tree: 57e41a69084f951dd60f6badfbde622dcac00b6c
parent: 85d87cfa6eb808b424f89f41269a3d63586df707 [diff] [blame]
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 249f3df..b31fe18 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te

@@ -27,8 +27,8 @@
 neverallow domain fs_bpf:file { rename unlink };
 
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -netd -netutils_wrapper -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -netd -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -netd -system_server } *:bpf { map_read map_write };
 
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
commit	4b63ce9dd0f4401f0a431f022e40835431dd2a79	[log] [tgz]
author	Yiwei Zhang <zzyiwei@google.com>	Tue Feb 18 22:58:26 2020 -0800
committer	Yiwei Zhang <zzyiwei@google.com>	Wed Jun 03 11:23:16 2020 -0700
tree	57e41a69084f951dd60f6badfbde622dcac00b6c
parent	85d87cfa6eb808b424f89f41269a3d63586df707 [diff] [blame]