# gpuservice - server for gpu stats and other gpu related services
#
# SELinux type-enforcement policy for the gpuservice domain. Every rule below
# widens what the gpuservice process may do, and the two neverallow statements
# are build-time assertions that cap that widening.

# Attribute membership: rules and neverallow assertions written elsewhere in the
# policy against coredomain or bpfdomain also apply to gpuservice.
typeattribute gpuservice coredomain;
typeattribute gpuservice bpfdomain;

# Label for the gpuservice executable file.
type gpuservice_exec, system_file_type, exec_type, file_type;

# Sets up gpuservice as a daemon domain started by init
# (macro defined outside this file).
init_daemon_domain(gpuservice)

# Binder IPC: gpuservice may call into adbd, shell and system_server, and may
# use binder in general (macros defined outside this file).
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_call(gpuservice, system_server)
binder_use(gpuservice)

# Access the GPU.
# Read/write on the GPU character device node.
allow gpuservice gpu_device:chr_file rw_file_perms;

# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
# NOTE(review): execute + map means code from files labelled
# same_process_hal_file runs inside this domain, so that code holds every
# permission granted to gpuservice in this file. Keep this permission list
# limited to what loading a library requires.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
# Read-only access to the ion device node.
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)

# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;

# Needed for dumpsys pipes.
# Write-only: gpuservice sends output into a pipe owned by shell and is not
# granted read on it.
allow gpuservice shell:fifo_file write;

# Needed for perfetto producer.
perfetto_producer(gpuservice)

# Use socket supplied by adbd, for cmd gpu vkjson etc.
# Covers an already-open socket handed over by adbd; connect and create are
# not part of this rule.
allow gpuservice adbd:unix_stream_socket { read write getattr };

# Needed for interactive shell
# Read/write on pseudo-terminal devices; open is not part of this rule.
allow gpuservice devpts:chr_file { read write getattr };

# Needed for dumpstate to dumpsys gpu.
# gpuservice may use file descriptors passed in by dumpstate and write to its
# pipes; read is not granted.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;

# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
# NOTE(review): this is the only macro call in the file written with a trailing
# semicolon; the other invocations omit it.
binder_call(gpuservice, statsd);

# Needed for reading tracepoint ids in order to attach bpf programs.
# Read-only access to tracing files under debugfs.
allow gpuservice debugfs_tracing:file r_file_perms;
# perf_event permissions gpuservice may exercise on its own events.
allow gpuservice self:perf_event { cpu kernel open write };
# Build-time assertion: the complement set forbids every perf_event permission
# other than the four allowed above, so a later rule that grants gpuservice an
# additional perf_event permission on itself fails the policy build.
neverallow gpuservice self:perf_event ~{ cpu kernel open write };

# Needed to interact with bpf fs.
# Write is needed to open read/write bpf maps.
# Only read and write are granted; this rule does not grant create or unlink
# on fs_bpf files.
allow gpuservice fs_bpf:file { read write };

# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
# Applies to bpf objects owned by bpfloader. This rule itself does not grant
# map_create or prog_load.
allow gpuservice bpfloader:bpf { map_read map_write prog_run };

# Registers gpu_service with the service manager
# (macro defined outside this file).
add_service(gpuservice, gpu_service)

# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)

# Build-time assertion: only init, vendor_init and gpuservice may set
# graphics_config_writable_prop. A set rule for any other domain fails the
# policy build, which keeps gpuservice as the single runtime writer besides
# the init domains.
neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;

# Needed for querying permission
allow gpuservice permission_service:service_manager find;

# Only uncomment below line when in development
# A permissive domain has denials logged but not enforced, so enabling this
# turns off enforcement of every rule in this file for gpuservice. The
# userdebug_or_eng wrapper limits it to non-user builds; keep it commented out
# in submitted policy.
# userdebug_or_eng(`permissive gpuservice;')