Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 4b63ce9dd0f4401f0a431f022e40835431dd2a79^! / . / private / gpuservice.te
commit4b63ce9dd0f4401f0a431f022e40835431dd2a79[log] [tgz]
authorYiwei Zhang <zzyiwei@google.com>Tue Feb 18 22:58:26 2020 -0800
committerYiwei Zhang <zzyiwei@google.com>Wed Jun 03 11:23:16 2020 -0700
tree57e41a69084f951dd60f6badfbde622dcac00b6c
parent85d87cfa6eb808b424f89f41269a3d63586df707 [diff] [blame]
GPU Memory: add sepolicy rules around bpf for gpuservice

1. Allow gpuservice to access tracepoint id
2. Allow gpuservice to access bpf program
3. Allow gpuservice to attach bpf program to tracepoint
4. Allow gpuservice to access bpf filesystem
5. Allow gpuservice to run bpf program and read map through bpfloader
6. Allow gpuservice to check a property to ensure bpf program loaded

Bug: 136023082
Test: adb shell dumpsys gpu --gpumem
Change-Id: Ic808a7e452b71c54908cdff806f41f51ab66ffd8

diff --git a/private/gpuservice.te b/private/gpuservice.te
index a4d84ea..31ad788 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te

@@ -42,6 +42,21 @@
 # TODO(b/146461633): remove this once native pullers talk to StatsManagerService
 binder_call(gpuservice, statsd);
 
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow gpuservice debugfs_tracing:file r_file_perms;
+allow gpuservice self:perf_event { cpu kernel open write };
+neverallow gpuservice self:perf_event ~{ cpu kernel open write };
+
+# Needed for interact with bpf fs.
+allow gpuservice fs_bpf:dir search;
+allow gpuservice fs_bpf:file read;
+
+# Needed for enable the bpf program and read the map.
+allow gpuservice bpfloader:bpf { map_read prog_run };
+
+# Needed for getting a prop to ensure bpf programs loaded.
+get_prop(gpuservice, bpf_progs_loaded_prop)
+
 add_service(gpuservice, gpu_service)
 
 # Only uncomment below line when in development