PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add additional sepolicy rules for gpuservice

Browse Source 
Allow gpuservice to access read/write BPF maps.

Bug: b/213577594
Change-Id: I487754c008a53819715a6bfc5da10182d87de413
This commit is contained in:
Paul Thomson 2022-01-17 16:34:03 +00:00
parent 2832f957e7
commit 4c834adc0a
2 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
private/genfs_contexts
View File

@ -262,6 +262,7 @@ genfscon tracefs /events/power/clock_disable/ u:objec
genfscon tracefs /events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon tracefs /events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0
@ -326,6 +327,7 @@ genfscon debugfs /tracing/events/power/clock_disable/
genfscon debugfs /tracing/events/power/clock_set_rate/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/cpu_frequency_limits/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_frequency/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/gpu_work_period/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/power/suspend_resume/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/cpufreq_interactive/ u:object_r:debugfs_tracing:s0
genfscon debugfs /tracing/events/vmscan/mm_vmscan_direct_reclaim_begin/ u:object_r:debugfs_tracing:s0

7
private/gpuservice.te
View File

@ -51,11 +51,12 @@ allow gpuservice self:perf_event { cpu kernel open write };
neverallow gpuservice self:perf_event ~{ cpu kernel open write };
# Needed for interact with bpf fs.
# Write is needed to open read/write bpf maps.
allow gpuservice fs_bpf:dir search;
allow gpuservice fs_bpf:file read;
allow gpuservice fs_bpf:file { read write };
# Needed for enable the bpf program and read the map.
allow gpuservice bpfloader:bpf { map_read prog_run };
# Needed for enabling bpf programs and accessing bpf maps (read-only and read/write).
allow gpuservice bpfloader:bpf { map_read map_write prog_run };
# Needed for getting a prop to ensure bpf programs loaded.
get_prop(gpuservice, bpf_progs_loaded_prop)