Game Driver: sepolicy update for plumbing GpuStats into GpuService
Allow all app processes with a GUI to send GPU health metric stats to
GpuService during the GraphicsEnvironment setup stage for the process.
Bug: 123529932
Test: Build, flash and boot. No selinux denials.
Change-Id: Ic7687dac3c8a3ea43fa744a6ae8a45716951c4df
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6c97fe2..6962052 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,7 @@
flags_health_check_exec
fwk_bufferhub_hwservice
fwk_stats_hwservice
+ gpuservice
gsi_data_file
gsi_metadata_file
gsi_service
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3d3433e..05f41db 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,6 +45,10 @@
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
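Review bot: The `allow ephemeral_app gpu_service:service_manager find;` line at the top of this hunk, and the identical rule added in platform_app.te, priv_app.te and untrusted_app_all.te, repeat per domain what this policy already expresses through a service attribute: the preceding context line's `ephemeral_app_api_service` (and `app_api_service` in the other three files) would let the grant live once on the `gpu_service` type instead of in four domain files that can drift apart; whether gpu_service can carry those attributes depends on its definition in public/service.te, which is outside this diff. The rule and the `binder_call(ephemeral_app, gpuservice)` below it reach every process in the domain, not only the "app process with GUI" the commit message describes, because SELinux cannot express that condition, so the new comment should record what gpuservice now has to assume about its callers. I would change it to `# Allow ephemeral apps to report GPU stats to gpuservice during GraphicsEnvironment setup. This cannot be limited to GUI processes, so gpuservice must treat this input as untrusted.`, and the same wording applies to the other three hunks.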
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c8f3def..ebfff76 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,5 @@
-# gpu service
-type gpuservice, domain, coredomain;
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
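Review bot: Moving `type gpuservice, domain;` from this file to the new public/gpuservice.te makes the domain referenceable from vendor policy, yet every rule this commit adds lives under private/ and neither the file nor the commit message says which public or vendor rule needs the type. A vendor-side `binder_call` against a public domain would widen the set of callers reaching the stats interface beyond the app domains enumerated here, so if nothing outside private/ references it the declaration could stay private with the new comment; if a public reference is intended, a line in public/gpuservice.te naming it would make the move self-explaining, e.g. `# Public so that <rule that needs it — TODO name it> can reference the domain.`. The 28.0.ignore.cil entry follows from the move; if older compat mappings exist in this tree they would presumably need the same entry, which the build's compat check should confirm.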
diff --git a/private/platform_app.te b/private/platform_app.te
index 7e190c9..da3303b 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,10 @@
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
+
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 71e787f..ad39eb1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -47,6 +47,10 @@
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
allow priv_app system_api_service:service_manager find;
+allow priv_app gpu_service:service_manager find;
+
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
diff --git a/private/system_app.te b/private/system_app.te
index 39af1e6..3f0d335 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
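Review bot: Unlike the ephemeral_app, platform_app, priv_app and untrusted_app_all hunks, this one adds `binder_call(system_app, gpuservice)` without a matching `allow system_app gpu_service:service_manager find;`, so the grant only works if gpu_service is already covered by the service list that begins on the hunk's last line and continues outside it (the block flagged `# TODO: scope this down? Too broad?`). If it is, a one-line comment above the macro would spare the next reader the lookup, e.g. `# find on gpu_service is granted by the service_manager list below`; if it is not, the find rule is missing and the first GraphicsEnvironment call from a system app would be denied at service lookup, which a boot test without a GUI system app exercising it would not surface.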
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f1419b9..c1cd6c7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -98,6 +98,10 @@
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
diff --git a/public/gpuservice.te b/public/gpuservice.te
new file mode 100644
index 0000000..c862d0b
--- /dev/null
+++ b/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;