| Yiwei Zhang | 544d6b3 | 2019-02-07 15:00:55 -0800 | [diff] [blame] | 1 | # gpuservice - server for gpu stats and other gpu related services |
| 2 | typeattribute gpuservice coredomain; |
| Steven Moreland | 6598175 | 2022-02-10 00:32:44 +0000 | [diff] [blame] | 3 | typeattribute gpuservice bpfdomain; |
| 4 | |
| Peiyong Lin | 7924dc6 | 2018-11-01 13:47:51 -0700 | [diff] [blame] | 5 | type gpuservice_exec, system_file_type, exec_type, file_type; |
| 6 | |
| 7 | init_daemon_domain(gpuservice) |
| 8 | |
| 9 | binder_call(gpuservice, adbd) |
| 10 | binder_call(gpuservice, shell) |
| Jeffrey Huang | b481e32 | 2020-02-06 11:54:33 -0800 | [diff] [blame] | 11 | binder_call(gpuservice, system_server) |
| Peiyong Lin | 7924dc6 | 2018-11-01 13:47:51 -0700 | [diff] [blame] | 12 | binder_use(gpuservice) |
| 13 | |
| 14 | # Access the GPU. |
| 15 | allow gpuservice gpu_device:chr_file rw_file_perms; |
| 16 | |
| 17 | # GPU service will need to load GPU driver, for example Vulkan driver in order |
| 18 | # to get the capability of the driver. |
| 19 | allow gpuservice same_process_hal_file:file { open read getattr execute map }; |
| 20 | allow gpuservice ion_device:chr_file r_file_perms; |
| 21 | get_prop(gpuservice, hwservicemanager_prop) |
| 22 | hwbinder_use(gpuservice) |
| 23 | |
| 24 | # Access /dev/graphics/fb0. |
| 25 | allow gpuservice graphics_device:dir search; |
| 26 | allow gpuservice graphics_device:chr_file rw_file_perms; |
| 27 | |
| Trevor David Black | 4105da2 | 2024-02-15 22:10:39 +0000 | [diff] [blame^] | 28 | # Allow shell access |
| 29 | allow gpuservice adbd:fd use; |
| 30 | allow gpuservice adbd:unix_stream_socket { getattr read write }; |
| 31 | allow gpuservice shell:fifo_file { getattr read write }; |
| Yiwei Zhang | ff0f79c | 2018-11-27 15:21:43 -0800 | [diff] [blame] | 32 | |
| Adithya Srinivasan | 82911e9 | 2020-06-19 11:02:28 -0700 | [diff] [blame] | 33 | # Needed for perfetto producer. |
| 34 | perfetto_producer(gpuservice) |
| 35 | |
| Yiwei Zhang | 6e8191e | 2019-01-23 14:28:56 -0800 | [diff] [blame] | 36 | # Needed for interactive shell |
| 37 | allow gpuservice devpts:chr_file { read write getattr }; |
| 38 | |
| Yiwei Zhang | 0051c93 | 2019-05-09 23:15:49 -0700 | [diff] [blame] | 39 | # Needed for dumpstate to dumpsys gpu. |
| 40 | allow gpuservice dumpstate:fd use; |
| 41 | allow gpuservice dumpstate:fifo_file write; |
| 42 | |
| Yiwei Zhang | dbbe3bd | 2020-02-04 15:55:59 -0800 | [diff] [blame] | 43 | # Needed for stats callback registration to statsd. |
| 44 | allow gpuservice stats_service:service_manager find; |
| Jeffrey Huang | b481e32 | 2020-02-06 11:54:33 -0800 | [diff] [blame] | 45 | allow gpuservice statsmanager_service:service_manager find; |
| 46 | # TODO(b/146461633): remove this once native pullers talk to StatsManagerService |
| Yiwei Zhang | dbbe3bd | 2020-02-04 15:55:59 -0800 | [diff] [blame] | 47 | binder_call(gpuservice, statsd); |
| 48 | |
| Yiwei Zhang | 4b63ce9 | 2020-02-18 22:58:26 -0800 | [diff] [blame] | 49 | # Needed for reading tracepoint ids in order to attach bpf programs. |
| 50 | allow gpuservice debugfs_tracing:file r_file_perms; |
| 51 | allow gpuservice self:perf_event { cpu kernel open write }; |
| 52 | neverallow gpuservice self:perf_event ~{ cpu kernel open write }; |
| 53 | |
| 54 | # Needed for interact with bpf fs. |
| Paul Thomson | 4c834ad | 2022-01-17 16:34:03 +0000 | [diff] [blame] | 55 | # Write is needed to open read/write bpf maps. |
| Paul Thomson | 4c834ad | 2022-01-17 16:34:03 +0000 | [diff] [blame] | 56 | allow gpuservice fs_bpf:file { read write }; |
| Yiwei Zhang | 4b63ce9 | 2020-02-18 22:58:26 -0800 | [diff] [blame] | 57 | |
| Paul Thomson | 4c834ad | 2022-01-17 16:34:03 +0000 | [diff] [blame] | 58 | # Needed for enabling bpf programs and accessing bpf maps (read-only and read/write). |
| 59 | allow gpuservice bpfloader:bpf { map_read map_write prog_run }; |
| Yiwei Zhang | 4b63ce9 | 2020-02-18 22:58:26 -0800 | [diff] [blame] | 60 | |
| Peiyong Lin | 7924dc6 | 2018-11-01 13:47:51 -0700 | [diff] [blame] | 61 | add_service(gpuservice, gpu_service) |
| 62 | |
| Yuxin Hu | 889dd07 | 2023-04-09 00:15:43 +0000 | [diff] [blame] | 63 | # Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice. |
| 64 | set_prop(gpuservice, graphics_config_writable_prop) |
| 65 | |
| Peiyong Lin | 54229d8 | 2023-05-03 17:12:39 +0000 | [diff] [blame] | 66 | neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set; |
| 67 | |
| Yuxin Hu | fce99d9 | 2023-04-17 04:12:43 +0000 | [diff] [blame] | 68 | # Needed for querying permission |
| 69 | allow gpuservice permission_service:service_manager find; |
| 70 | |
| Peiyong Lin | 7924dc6 | 2018-11-01 13:47:51 -0700 | [diff] [blame] | 71 | # Only uncomment below line when in development |
| 72 | # userdebug_or_eng(`permissive gpuservice;') |