1# gpuservice - server for gpu stats and other gpu related services
# SELinux type-enforcement policy for the gpuservice domain. The macros and
# permission sets used below (init_daemon_domain, binder_call, rw_file_perms,
# ...) are defined outside this file.
2typeattribute gpuservice coredomain;
# NOTE(review): bpfdomain presumably marks gpuservice as a domain that is
# allowed to use bpf at all - confirm against the attribute's definition and
# the neverallow rules that reference it.
3typeattribute gpuservice bpfdomain;
4
# Label for the gpuservice executable; it carries the system_file_type,
# exec_type and file_type attributes.
5type gpuservice_exec, system_file_type, exec_type, file_type;
6
# init_daemon_domain sets up the automatic transition from init into the
# gpuservice domain when a file labelled gpuservice_exec is executed.
7init_daemon_domain(gpuservice)
8
# Binder peers: gpuservice may make binder calls to adbd, shell and
# system_server. binder_use grants the basic access needed to use binder.
# NOTE(review): the adbd and shell peers presumably exist so gpuservice can
# answer "cmd gpu" / dumpsys requests - confirm.
9binder_call(gpuservice, adbd)
10binder_call(gpuservice, shell)
11binder_call(gpuservice, system_server)
12binder_use(gpuservice)
13
14# Access the GPU.
# Read/write access to the GPU character device; rw_file_perms is a
# permission-set macro defined outside this file.
15allow gpuservice gpu_device:chr_file rw_file_perms;
16
17# GPU service will need to load GPU driver, for example Vulkan driver in order
18# to get the capability of the driver.
# The execute and map permissions let libraries labelled same_process_hal_file
# run inside the gpuservice process, so that driver code executes with every
# permission this domain holds. No write permission is granted on those files.
19allow gpuservice same_process_hal_file:file { open read getattr execute map };
# NOTE(review): read-only access to ion_device, presumably required by the
# driver once it is loaded - confirm.
20allow gpuservice ion_device:chr_file r_file_perms;
# Read-only access to hwservicemanager_prop plus hwbinder usage, grouped here
# with the driver-loading rules.
21get_prop(gpuservice, hwservicemanager_prop)
22hwbinder_use(gpuservice)
23
24# Access /dev/graphics/fb0.
# Directory access is limited to search (path lookup); the device nodes
# themselves are opened read/write.
25allow gpuservice graphics_device:dir search;
26allow gpuservice graphics_device:chr_file rw_file_perms;
27
28# Needed for dumpsys pipes.
# Only write is granted (no open), so gpuservice can write to a shell-owned
# pipe only when it is handed over already open.
29allow gpuservice shell:fifo_file write;
30
31# Needed for perfetto producer.
# perfetto_producer is a macro defined outside this file.
32perfetto_producer(gpuservice)
33
34# Use socket supplied by adbd, for cmd gpu vkjson etc.
# The set has no create or connect permission: gpuservice can only read,
# write and stat a socket that adbd passes to it.
35allow gpuservice adbd:unix_stream_socket { read write getattr };
36
37# Needed for interactive shell
# As above, there is no open permission: access is limited to pty file
# descriptors that gpuservice receives already open.
38allow gpuservice devpts:chr_file { read write getattr };
39
40# Needed for dumpstate to dumpsys gpu.
# "fd use" lets gpuservice accept file descriptors passed from dumpstate;
# the fifo rule lets it write its output into dumpstate's pipe.
41allow gpuservice dumpstate:fd use;
42allow gpuservice dumpstate:fifo_file write;
43
44# Needed for stats callback registration to statsd.
# "find" lets gpuservice look these services up through the service manager;
# it does not by itself allow calling them.
45allow gpuservice stats_service:service_manager find;
46allow gpuservice statsmanager_service:service_manager find;
47# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
# NOTE(review): this is the only macro invocation in the file that ends with a
# semicolon; the other binder_call lines have none.
48binder_call(gpuservice, statsd);
49
50# Needed for reading tracepoint ids in order to attach bpf programs.
# Read-only access to files labelled debugfs_tracing, plus a fixed set of
# perf_event permissions on gpuservice's own events.
51allow gpuservice debugfs_tracing:file r_file_perms;
52allow gpuservice self:perf_event { cpu kernel open write };
# Build-time assertion: the complement (~) covers every perf_event permission
# outside the set allowed above, so no other rule may widen this grant.
53neverallow gpuservice self:perf_event ~{ cpu kernel open write };
54
55# Needed to interact with bpf fs.
56# Write is needed to open read/write bpf maps.
57allow gpuservice fs_bpf:file { read write };
58
59# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
# The grant covers bpf objects owned by bpfloader and is limited to map_read,
# map_write and prog_run; nothing in this file gives gpuservice permission to
# create maps or load programs itself.
60allow gpuservice bpfloader:bpf { map_read map_write prog_run };
61
# Lets gpuservice register gpu_service with the service manager.
62add_service(gpuservice, gpu_service)
63
64# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
65set_prop(gpuservice, graphics_config_writable_prop)
66
# Build-time assertion: apart from init and vendor_init, gpuservice is the only
# domain that may set properties labelled graphics_config_writable_prop.
67neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;
68
69# Needed for querying permission
# Lookup only: "find" on permission_service through the service manager.
70allow gpuservice permission_service:service_manager find;
71
72# Only uncomment the line below during development.
# A permissive domain has its denials logged but not enforced, so every rule
# in this file stops constraining gpuservice while the line is active. The
# userdebug_or_eng wrapper keeps the statement out of user builds, but the
# line should still be commented out again before the change is submitted.
73# userdebug_or_eng(`permissive gpuservice;')
74