From 7924dc6054744885855fbef59ec411f1ee3b2200 Mon Sep 17 00:00:00 2001
From: Peiyong Lin <lpy@google.com>
Date: Thu, 1 Nov 2018 13:47:51 -0700
Subject: [PATCH] [SEPolicy] Configure policy for gpu service.

Historically GPU service lives in SurfaceFlinger as a convenient hack.
However, SurfaceFlinger doesn't need to know anything specific about GPU
capability, and shouldn't know anything about GPU. This patch moves GPU
service out of SurfaceFlinger.

GPU service is a service that accesses the GPU driver, queries GPU capabilities
and reports back. Currently we use this information in CTS and some benchmarks.

BUG: 118347356
Test: Build, flash and boot, use `adb shell cmd gpu vkjson` to verify
Change-Id: I007989e0f3f73b5caf80277979986820dd127c32
---
 private/adbd.te           |  2 ++
 private/file_contexts     |  1 +
 private/gpuservice.te     | 31 +++++++++++++++++++++++++++++++
 private/service_contexts  |  2 +-
 private/surfaceflinger.te |  2 --
 private/system_server.te  |  4 ++++
 6 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 private/gpuservice.te

diff --git a/private/adbd.te b/private/adbd.te
index 7dff8bc86..23f3c92e3 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -98,6 +98,7 @@ allow adbd system_file:file rx_file_perms;
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
 binder_call(adbd, surfaceflinger)
+binder_call(adbd, gpuservice)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd ion_device:chr_file rw_file_perms;
@@ -140,6 +141,7 @@ allow adbd sepolicy_file:file r_file_perms;
 # Allow pulling config.gz for CTS purposes
 allow adbd config_gz:file r_file_perms;
 
+allow adbd gpu_service:service_manager find;
 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;
diff --git a/private/file_contexts b/private/file_contexts
index 0f5dad3d4..e5c778481 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -211,6 +211,7 @@
 /system/bin/servicemanager	u:object_r:servicemanager_exec:s0
 /system/bin/hwservicemanager	u:object_r:hwservicemanager_exec:s0
 /system/bin/surfaceflinger	u:object_r:surfaceflinger_exec:s0
+/system/bin/gpuservice	u:object_r:gpuservice_exec:s0
 /system/bin/bufferhubd	u:object_r:bufferhubd_exec:s0
 /system/bin/performanced	u:object_r:performanced_exec:s0
 /system/bin/drmserver	u:object_r:drmserver_exec:s0
diff --git a/private/gpuservice.te b/private/gpuservice.te
new file mode 100644
index 000000000..6cbd89c28
--- /dev/null
+++ b/private/gpuservice.te
@@ -0,0 +1,31 @@
+# gpu service
+type gpuservice, domain, coredomain;
+type gpuservice_exec, system_file_type, exec_type, file_type;
+
+init_daemon_domain(gpuservice)
+
+binder_call(gpuservice, adbd)
+binder_call(gpuservice, shell)
+binder_use(gpuservice)
+
+# Access the GPU.
+allow gpuservice gpu_device:chr_file rw_file_perms;
+
+# GPU service will need to load GPU driver, for example Vulkan driver in order
+# to get the capability of the driver.
+allow gpuservice same_process_hal_file:file { open read getattr execute map };
+allow gpuservice ion_device:chr_file r_file_perms;
+get_prop(gpuservice, hwservicemanager_prop)
+hwbinder_use(gpuservice)
+
+# Access /dev/graphics/fb0.
+allow gpuservice graphics_device:dir search;
+allow gpuservice graphics_device:chr_file rw_file_perms;
+
+# Use socket supplied by adbd, for cmd gpu vkjson etc.
+allow gpuservice adbd:unix_stream_socket { read write getattr };
+
+add_service(gpuservice, gpu_service)
+
+# Only uncomment below line when in development
+# userdebug_or_eng(`permissive gpuservice;')
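Review bot: The two `graphics_device` rules under "Access /dev/graphics/fb0" give the new domain read-write access to the framebuffer, which the commit description does not justify, since it describes the service as only querying GPU driver capabilities and reporting back. This coredomain process also maps and executes driver code from `same_process_hal_file`, so every extra device node it can write widens what a faulty or compromised driver library can reach. Unless an audit denial on a real device shows they are needed, I would drop both `graphics_device` lines, or at least narrow the second to `allow gpuservice graphics_device:chr_file r_file_perms;`. The trailing commented-out `permissive gpuservice` line is better deleted than left in the file for someone to uncomment.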
diff --git a/private/service_contexts b/private/service_contexts
index 458c43abe..de1c2e0af 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -62,7 +62,7 @@ font                                      u:object_r:font_service:s0
 android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
-gpu                                       u:object_r:gpu_service:s0
+gpuservice                                u:object_r:gpu_service:s0
 hardware                                  u:object_r:hardware_service:s0
 hardware_properties                       u:object_r:hardware_properties_service:s0
 hdmi_control                              u:object_r:hdmi_control_service:s0
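Review bot: Renaming the `gpu` entry to `gpuservice` looks inconsistent with the commit's own test command, `adb shell cmd gpu vkjson`, which looks the service up under the name `gpu`. If the daemon still registers as `gpu`, that name no longer maps to `gpu_service` and would presumably fall through to the default service label, so `add_service(gpuservice, gpu_service)` and the new `find` rules would not apply to it. Please confirm the name the daemon passes to the service manager; if it is `gpu`, keep the original line `gpu                                       u:object_r:gpu_service:s0`.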
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 000ebe1c3..8652ee850 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -75,9 +75,7 @@ r_dir_file(surfaceflinger, dumpstate)
 # but seems expected and appropriate for all devices.
 allow surfaceflinger tee_device:chr_file rw_file_perms;
 
-
 # media.player service
-add_service(surfaceflinger, gpu_service)
 
 # do not use add_service() as hal_graphics_composer_default may be the
 # provider as well
diff --git a/private/system_server.te b/private/system_server.te
index a96b82be6..1edea50aa 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -173,6 +173,8 @@ unix_socket_send(system_server, statsdw, statsd)
 # Communicate over a socket created by surfaceflinger.
 allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 
+allow system_server gpuservice:unix_stream_socket { read write setopt };
+
 # Communicate over a socket created by webview_zygote.
 allow system_server webview_zygote:unix_stream_socket { read write connectto setopt };
 
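Review bot: The added `allow system_server gpuservice:unix_stream_socket { read write setopt };` carries no comment, unlike the surfaceflinger and webview_zygote rules on either side of it, and nothing in the commit description says gpuservice creates a socket that system_server uses. If it was copied from the surfaceflinger rule above, I would leave it out until an audit denial shows it is required. If it is needed, add a comment in the style of its neighbours, e.g. `# Communicate over a socket created by gpuservice.`, naming the interface that depends on it.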
@@ -254,6 +256,7 @@ allow system_server {
   audioserver
   cameraserver
   drmserver
+  gpuservice
   inputflinger
   mediadrmserver
   mediaextractor
@@ -651,6 +654,7 @@ allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
 allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server gpu_service:service_manager find;
 allow system_server incident_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
-- 
GitLab