From 148a9232e146baf50fc4e23540b0d5f6a12f2c69 Mon Sep 17 00:00:00 2001 From: Kevin DuBois Date: Wed, 22 Mar 2023 22:03:49 +0000 Subject: [PATCH] gpu: add SELinux policies for GPU probe. Adds SELinux policies for gpu_probe service. These allow us to upload events to Perfetto. gpu_probe is an untrusted producer in Perfetto model, in same manner as traced_probes. Bug: 267669418 Test: see events produced when designating perfetto config. Change-Id: Id122870b14000288fc3c26aa3c49348a8f7322df --- gpu/gpu.mk | 3 +++ gpu/sepolicy/file_contexts | 1 + gpu/sepolicy/gpu_probe.te | 8 ++++++++ 3 files changed, 12 insertions(+) create mode 100644 gpu/gpu.mk create mode 100644 gpu/sepolicy/file_contexts create mode 100644 gpu/sepolicy/gpu_probe.te
diff --git a/gpu/gpu.mk b/gpu/gpu.mk
new file mode 100644
index 0000000..d1c3a6d
--- /dev/null
+++ b/gpu/gpu.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
+
+PRODUCT_PACKAGES += gpu_probe
diff --git a/gpu/sepolicy/file_contexts b/gpu/sepolicy/file_contexts
new file mode 100644
index 0000000..3752908
--- /dev/null
+++ b/gpu/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/gpu_probe u:object_r:gpu_probe_exec:s0
diff --git a/gpu/sepolicy/gpu_probe.te b/gpu/sepolicy/gpu_probe.te
new file mode 100644
index 0000000..d8ffb78
--- /dev/null
+++ b/gpu/sepolicy/gpu_probe.te
@@ -0,0 +1,8 @@
+# gpu_probe
+type gpu_probe_exec, exec_type, vendor_file_type, file_type;
+type gpu_probe, domain;
+
+init_daemon_domain(gpu_probe)
+allow gpu_probe gpu_device:chr_file rw_file_perms;
+
+perfetto_producer(gpu_probe)
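Review bot: `PRODUCT_PACKAGES += gpu_probe` installs the probe on every build variant, so the new domain and its GPU device access would ship on user builds as well. The commit message does not say whether that is intended. If the probe is only needed for development tracing, `PRODUCT_PACKAGES_DEBUG += gpu_probe` would keep it off production images; if it is meant for user builds, a one-line comment above the entry, such as `# gpu_probe ships on user builds: Perfetto GPU events are collected in the field`, would record the decision.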
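Review bot: The rule `allow gpu_probe gpu_device:chr_file rw_file_perms;` in gpu_probe.te gives the new domain write access and, via `rw_file_perms`, the `ioctl` permission on the GPU device node, and nothing in the file says which of these the probe needs. Unless an `allowxperm` rule elsewhere narrows it, that ioctl permission covers every command the GPU driver exposes, which is a large kernel attack surface for a daemon that only has to emit trace events. If the probe only reads counters, `r_file_perms` would be enough; if it must issue ioctls, add `allowxperm gpu_probe gpu_device:chr_file ioctl { <IOCTL_LIST_PLACEHOLDER> };` with the specific commands it uses. Either way a comment above the rule should record the reason, e.g. `# gpu_probe opens the GPU node to read performance counters for Perfetto`.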