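# gpuservice - server for gpu stats and other gpu related services
#
# Policy for the gpuservice domain. The rules below are grouped by the feature
# that needs them; each group keeps its original justification.
typeattribute gpuservice coredomain;
# NOTE(review): bpfdomain presumably exempts this domain from a platform-wide
# restriction on the bpf class -- confirm against the shared policy.
typeattribute gpuservice bpfdomain;

type gpuservice_exec, system_file_type, exec_type, file_type;

init_daemon_domain(gpuservice)

# Binder peers of gpuservice, plus use of the binder service manager.
binder_call(gpuservice, adbd)
binder_call(gpuservice, shell)
binder_call(gpuservice, system_server)
binder_use(gpuservice)

# Access the GPU.
allow gpuservice gpu_device:chr_file rw_file_perms;

# GPU service will need to load GPU driver, for example Vulkan driver in order
# to get the capability of the driver.
# NOTE(review): execute + map lets same_process_hal_file code run inside this
# coredomain process, so that code holds every permission granted in this file.
# Keep the grants in this file minimal for that reason.
allow gpuservice same_process_hal_file:file { open read getattr execute map };
allow gpuservice ion_device:chr_file r_file_perms;
get_prop(gpuservice, hwservicemanager_prop)
hwbinder_use(gpuservice)

# Access /dev/graphics/fb0.
allow gpuservice graphics_device:dir search;
allow gpuservice graphics_device:chr_file rw_file_perms;

# Allow shell access
allow gpuservice adbd:fd use;
allow gpuservice adbd:unix_stream_socket { getattr read write };
allow gpuservice shell:fifo_file { getattr read write };

# Needed for perfetto producer.
perfetto_producer(gpuservice)

# Needed for interactive shell
allow gpuservice devpts:chr_file { read write getattr };

# Needed for dumpstate to dumpsys gpu.
# Write-only on the fifo: gpuservice writes its dump into the pipe handed over
# by dumpstate and is not granted read on it.
allow gpuservice dumpstate:fd use;
allow gpuservice dumpstate:fifo_file write;

# Needed for stats callback registration to statsd.
allow gpuservice stats_service:service_manager find;
allow gpuservice statsmanager_service:service_manager find;
# TODO(b/146461633): remove this once native pullers talk to StatsManagerService
binder_call(gpuservice, statsd)

# Needed for reading tracepoint ids in order to attach bpf programs.
allow gpuservice debugfs_tracing:file r_file_perms;
# Only these four perf_event permissions are granted. The neverallow pins the
# set: the build fails if any rule, in this file or another, grants gpuservice
# a further perf_event permission on itself.
allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };

# Needed to interact with bpf fs.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:file { read write };

# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
# The grant covers using maps and running programs labelled bpfloader only;
# neither map_create nor prog_load is granted by this file.
allow gpuservice bpfloader:bpf { map_read map_write prog_run };

add_service(gpuservice, gpu_service)

# Needed for enabling write access to persist.graphics.egl from developer option switch UI, through gpuservice.
set_prop(gpuservice, graphics_config_writable_prop)

# Apart from init and vendor_init, gpuservice is the only domain that may set
# this property, so every other client has to go through gpuservice.
# NOTE(review): the checks on who may ask gpuservice to set it are therefore in
# gpuservice's own code, not in this policy -- confirm they exist.
neverallow { domain -init -vendor_init -gpuservice } graphics_config_writable_prop:property_service set;

# Needed for querying permission
allow gpuservice permission_service:service_manager find;

# Only uncomment below line when in development
# A permissive domain logs denials instead of enforcing them. userdebug_or_eng()
# limits the rule to userdebug/eng builds. Keep it commented out in committed policy.
# userdebug_or_eng(`permissive gpuservice;')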