summaryrefslogtreecommitdiff
path: root/prebuilts/api/32.0/private/gpuservice.te
diff options
context:
space:
mode:
Diffstat (limited to 'prebuilts/api/32.0/private/gpuservice.te')
-rw-r--r--prebuilts/api/32.0/private/gpuservice.te66
1 files changed, 66 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/gpuservice.te b/prebuilts/api/32.0/private/gpuservice.te
new file mode 100644
index 000000000..2e4254ca4
--- /dev/null
+++ b/prebuilts/api/32.0/private/gpuservice.te
@@ -0,0 +1,66 @@
+# gpuservice - server for gpu stats and other gpu related services
+typeattribute gpuservice coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_call(gpuservice, system_server)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Needed for dumpsys pipes.
+allow gpuservice shell:fifo_file write;
+
+# Needed for perfetto producer.
+perfetto_producer(gpuservice)
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+# Needed for interactive shell
+allow gpuservice devpts:chr_file { read write getattr };
+
+# Needed for dumpstate to dumpsys gpu.
+allow gpuservice dumpstate:fd use;
+allow gpuservice dumpstate:fifo_file write;
+
+# Needed for stats callback registration to statsd.
+allow gpuservice stats_service:service_manager find;
+allow gpuservice statsmanager_service:service_manager find;
+# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
+binder_call(gpuservice, statsd);
+
+# Needed for reading tracepoint ids in order to attach bpf programs.
+allow gpuservice debugfs_tracing:file r_file_perms;
+allow gpuservice self:perf_event { cpu kernel open write };
+neverallow gpuservice self:perf_event ~{ cpu kernel open write };
+
+# Needed for interact with bpf fs.
+allow gpuservice fs_bpf:dir search;
+allow gpuservice fs_bpf:file read;
+
+# Needed for enable the bpf program and read the map.
+allow gpuservice bpfloader:bpf { map_read prog_run };
+
+# Needed for getting a prop to ensure bpf programs loaded.
+get_prop(gpuservice, bpf_progs_loaded_prop)
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 05:38:07 +0000