diff --git a/private/adbd.te b/private/adbd.te index 7dff8bc86c6df8dc905954d1a2a78290b48dfaf4..23f3c92e35fb17c0a7802c3cb7c7790246ed795d 100644 --- a/private/adbd.te +++ b/private/adbd.te @@ -98,6 +98,7 @@ allow adbd system_file:file rx_file_perms; # XXX Run screencap in a separate domain? binder_use(adbd) binder_call(adbd, surfaceflinger) +binder_call(adbd, gpuservice) # b/13188914 allow adbd gpu_device:chr_file rw_file_perms; allow adbd ion_device:chr_file rw_file_perms; @@ -140,6 +141,7 @@ allow adbd sepolicy_file:file r_file_perms; # Allow pulling config.gz for CTS purposes allow adbd config_gz:file r_file_perms; +allow adbd gpu_service:service_manager find; allow adbd surfaceflinger_service:service_manager find; allow adbd bootchart_data_file:dir search; allow adbd bootchart_data_file:file r_file_perms; diff --git a/private/file_contexts b/private/file_contexts index 0f5dad3d4a6b6a0b53d7ea8706cf882e0e6ea9a1..e5c778481bff05e86154446798ac4289680ca2e4 100644 --- a/private/file_contexts +++ b/private/file_contexts @@ -211,6 +211,7 @@ /system/bin/servicemanager u:object_r:servicemanager_exec:s0 /system/bin/hwservicemanager u:object_r:hwservicemanager_exec:s0 /system/bin/surfaceflinger u:object_r:surfaceflinger_exec:s0 +/system/bin/gpuservice u:object_r:gpuservice_exec:s0 /system/bin/bufferhubd u:object_r:bufferhubd_exec:s0 /system/bin/performanced u:object_r:performanced_exec:s0 /system/bin/drmserver u:object_r:drmserver_exec:s0 diff --git a/private/gpuservice.te b/private/gpuservice.te new file mode 100644 index 0000000000000000000000000000000000000000..6cbd89c287713c543527697751a9f9d998268462 --- /dev/null +++ b/private/gpuservice.te @@ -0,0 +1,31 @@ +# gpu service +type gpuservice, domain, coredomain; +type gpuservice_exec, system_file_type, exec_type, file_type; + +init_daemon_domain(gpuservice) + +binder_call(gpuservice, adbd) +binder_call(gpuservice, shell) +binder_use(gpuservice) + +# Access the GPU. +allow gpuservice gpu_device:chr_file rw_file_perms; + +# GPU service will need to load GPU driver, for example Vulkan driver in order +# to get the capability of the driver. +allow gpuservice same_process_hal_file:file { open read getattr execute map }; +allow gpuservice ion_device:chr_file r_file_perms; +get_prop(gpuservice, hwservicemanager_prop) +hwbinder_use(gpuservice) + +# Access /dev/graphics/fb0. +allow gpuservice graphics_device:dir search; +allow gpuservice graphics_device:chr_file rw_file_perms; + +# Use socket supplied by adbd, for cmd gpu vkjson etc. +allow gpuservice adbd:unix_stream_socket { read write getattr }; + +add_service(gpuservice, gpu_service) + +# Only uncomment below line when in development +# userdebug_or_eng(`permissive gpuservice;') diff --git a/private/service_contexts b/private/service_contexts index 458c43abea61390fc6ebddb9ffe080b3adad36cd..de1c2e0aff0a14c0f122c8b938a3e121e0b87ce2 100644 --- a/private/service_contexts +++ b/private/service_contexts @@ -62,7 +62,7 @@ font u:object_r:font_service:s0 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0 gfxinfo u:object_r:gfxinfo_service:s0 graphicsstats u:object_r:graphicsstats_service:s0 -gpu u:object_r:gpu_service:s0 +gpuservice u:object_r:gpu_service:s0 hardware u:object_r:hardware_service:s0 hardware_properties u:object_r:hardware_properties_service:s0 hdmi_control u:object_r:hdmi_control_service:s0 diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te index 000ebe1c3bcffc777db8efae6f1b8756e9b0ec05..8652ee850b669d8b0f46f4c9c3303dc3a99e81c5 100644 --- a/private/surfaceflinger.te +++ b/private/surfaceflinger.te @@ -75,9 +75,7 @@ r_dir_file(surfaceflinger, dumpstate) # but seems expected and appropriate for all devices. allow surfaceflinger tee_device:chr_file rw_file_perms; - # media.player service -add_service(surfaceflinger, gpu_service) # do not use add_service() as hal_graphics_composer_default may be the # provider as well diff --git a/private/system_server.te b/private/system_server.te index a96b82be61a64da5fa30879f79d239aac5be3bd4..1edea50aabf045a8d5b0f4b8c0a970302e56b210 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -173,6 +173,8 @@ unix_socket_send(system_server, statsdw, statsd) # Communicate over a socket created by surfaceflinger. allow system_server surfaceflinger:unix_stream_socket { read write setopt }; +allow system_server gpuservice:unix_stream_socket { read write setopt }; + # Communicate over a socket created by webview_zygote. allow system_server webview_zygote:unix_stream_socket { read write connectto setopt }; @@ -254,6 +256,7 @@ allow system_server { audioserver cameraserver drmserver + gpuservice inputflinger mediadrmserver mediaextractor @@ -651,6 +654,7 @@ allow system_server dumpstate_service:service_manager find; allow system_server fingerprintd_service:service_manager find; allow system_server hal_fingerprint_service:service_manager find; allow system_server gatekeeper_service:service_manager find; +allow system_server gpu_service:service_manager find; allow system_server incident_service:service_manager find; allow system_server installd_service:service_manager find; allow system_server keystore_service:service_manager find;