Merge "Add persistent property for SurfaceFlinger color mode."
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 6c97fe2..6962052 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -48,6 +48,7 @@
flags_health_check_exec
fwk_bufferhub_hwservice
fwk_stats_hwservice
+ gpuservice
gsi_data_file
gsi_metadata_file
gsi_service
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index 3d3433e..05f41db 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -45,6 +45,10 @@
allow ephemeral_app drmserver_service:service_manager find;
allow ephemeral_app radio_service:service_manager find;
allow ephemeral_app ephemeral_app_api_service:service_manager find;
+allow ephemeral_app gpu_service:service_manager find;
+
+# Allow ephemeral apps to interact with gpuservice
+binder_call(ephemeral_app, gpuservice)
# Write app-specific trace data to the Perfetto traced damon. This requires
# connecting to its producer socket and obtaining a (per-process) tmpfs fd.
diff --git a/private/gpuservice.te b/private/gpuservice.te
index c8f3def..ebfff76 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,5 @@
-# gpu service
-type gpuservice, domain, coredomain;
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
type gpuservice_exec, system_file_type, exec_type, file_type;
init_daemon_domain(gpuservice)
diff --git a/private/platform_app.te b/private/platform_app.te
index 7e190c9..bbba1d9 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -67,6 +67,14 @@
allow platform_app app_api_service:service_manager find;
allow platform_app system_api_service:service_manager find;
allow platform_app vr_manager_service:service_manager find;
+allow platform_app gpu_service:service_manager find;
+allow platform_app stats_service:service_manager find;
+
+# Allow platform apps to interact with gpuservice
+binder_call(platform_app, gpuservice)
+
+# Allow platform apps to log via statsd.
+allow platform_app statsd:binder call;
# Access to /data/preloads
allow platform_app preloads_data_file:file r_file_perms;
diff --git a/private/priv_app.te b/private/priv_app.te
index 71e787f..ad39eb1 100644
--- a/private/priv_app.te
+++ b/private/priv_app.te
@@ -47,6 +47,10 @@
allow priv_app recovery_service:service_manager find;
allow priv_app stats_service:service_manager find;
allow priv_app system_api_service:service_manager find;
+allow priv_app gpu_service:service_manager find;
+
+# Allow privileged apps to interact with gpuservice
+binder_call(priv_app, gpuservice)
# Write to /cache.
allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
diff --git a/private/stats.te b/private/stats.te
index 2c7199d..81ec1cf 100644
--- a/private/stats.te
+++ b/private/stats.te
@@ -41,6 +41,7 @@
domain
-dumpstate
-incidentd
+ -platform_app
-priv_app
-shell
-stats
diff --git a/private/system_app.te b/private/system_app.te
index 39af1e6..3f0d335 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -66,6 +66,9 @@
# Allow system apps to interact with incidentd
binder_call(system_app, incidentd)
+# Allow system apps to interact with gpuservice
+binder_call(system_app, gpuservice)
+
allow system_app servicemanager:service_manager list;
# TODO: scope this down? Too broad?
allow system_app {
diff --git a/private/untrusted_app_all.te b/private/untrusted_app_all.te
index f1419b9..c1cd6c7 100644
--- a/private/untrusted_app_all.te
+++ b/private/untrusted_app_all.te
@@ -98,6 +98,10 @@
allow untrusted_app_all radio_service:service_manager find;
allow untrusted_app_all app_api_service:service_manager find;
allow untrusted_app_all vr_manager_service:service_manager find;
+allow untrusted_app_all gpu_service:service_manager find;
+
+# Allow untrusted apps to interact with gpuservice
+binder_call(untrusted_app_all, gpuservice)
# Allow GMS core to access perfprofd output, which is stored
# in /data/misc/perfprofd/. GMS core will need to list all
diff --git a/public/gpuservice.te b/public/gpuservice.te
new file mode 100644
index 0000000..c862d0b
--- /dev/null
+++ b/public/gpuservice.te
@@ -0,0 +1,2 @@
+# gpuservice - server for gpu stats and other gpu related services
+type gpuservice, domain;