Restrict ioctl access for appdomain to gpu_device

Add a list of Mali-specific ioctls (ioctl_defines). Define categories for these ioctls (ioctl_macros). This list was gathered by the ARM GPU team. All defined ioctls are granted access. Deprecated ioctls and ioctls intended for GPU development are logged to estimate the impact of their removal. During testing, no logging was observed during the launch of the top 100 apps. It is unlikely that such logging would spam the device's log. Bug: 384720119 Test: Csuite test of top 100 apps Flag: EXEMPT uses build system flag: RELEASE_PIXEL_MALI_SEPOLICY_ENABLED Change-Id: I49f7ffade42e1039e13601a81d814d33dfbc3e5a
2024-11-07 18:25:07 +00:00 · 2024-11-07 18:25:07 +00:00 · b2f00a1549
commit b2f00a1549
parent d077655445
3 changed files with 166 additions and 0 deletions
--- a/vendor/gpu.te
+++ b/vendor/gpu.te
@ -0,0 +1,10 @@
+# Policy to enable only production gpu ioctls.
+is_flag_enabled(RELEASE_PIXEL_MALI_SEPOLICY_ENABLED, `
+  # Allow gpu ioctls used in production.
+  allowxperm appdomain gpu_device:chr_file ioctl { unpriv_gpu_ioctls instrumentation_gpu_ioctls };
+  # Audit gpu ioctl commands which have been deprecated,
+  # or are intended for development of the GPU.
+  auditallow appdomain gpu_device:chr_file ioctl;
+  allowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+  auditallowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls };
+')
--- a/vendor/ioctl_defines
+++ b/vendor/ioctl_defines
@ -0,0 +1,73 @@
+define(`KBASE_IOCTL_VERSION_CHECK_JM', `0x8000')
+define(`KBASE_IOCTL_SET_FLAGS', `0x8001')
+define(`KBASE_IOCTL_JOB_SUBMIT', `0x8002')
+define(`KBASE_IOCTL_GET_GPUPROPS', `0x8003')
+define(`KBASE_IOCTL_POST_TERM', `0x8004')
+define(`KBASE_IOCTL_MEM_ALLOC', `0x8005')
+define(`KBASE_IOCTL_MEM_QUERY', `0x8006')
+define(`KBASE_IOCTL_MEM_FREE', `0x8007')
+define(`KBASE_IOCTL_HWCNT_READER_SETUP', `0x8008')
+define(`KBASE_IOCTL_DISJOINT_QUERY', `0x800c')
+define(`KBASE_IOCTL_GET_DDK_VERSION', `0x800d')
+define(`KBASE_IOCTL_MEM_JIT_INIT', `0x800e')
+define(`KBASE_IOCTL_MEM_SYNC', `0x800f')
+define(`KBASE_IOCTL_MEM_FIND_CPU_OFFSET', `0x8010')
+define(`KBASE_IOCTL_GET_CONTEXT_ID', `0x8011')
+define(`KBASE_IOCTL_TLSTREAM_ACQUIRE', `0x8012')
+define(`KBASE_IOCTL_TLSTREAM_FLUSH', `0x8013')
+define(`KBASE_IOCTL_MEM_COMMIT', `0x8014')
+define(`KBASE_IOCTL_MEM_ALIAS', `0x8015')
+define(`KBASE_IOCTL_MEM_IMPORT', `0x8016')
+define(`KBASE_IOCTL_MEM_FLAGS_CHANGE', `0x8017')
+define(`KBASE_IOCTL_STREAM_CREATE', `0x8018')
+define(`KBASE_IOCTL_FENCE_VALIDATE', `0x8019')
+define(`KBASE_IOCTL_MEM_PROFILE_ADD', `0x801b')
+define(`KBASE_IOCTL_SOFT_EVENT_UPDATE', `0x801c')
+define(`KBASE_IOCTL_STICKY_RESOURCE_MAP', `0x801d')
+define(`KBASE_IOCTL_STICKY_RESOURCE_UNMAP', `0x801e')
+define(`KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET', `0x801f')
+define(`KBASE_IOCTL_HWCNT_SET', `0x8020')
+define(`KBASE_IOCTL_CINSTR_GWT_START', `0x8021')
+define(`KBASE_IOCTL_CINSTR_GWT_STOP', `0x8022')
+define(`KBASE_IOCTL_CINSTR_GWT_DUMP', `0x8023')
+define(`KBASE_IOCTL_CS_QUEUE_REGISTER', `0x8024')
+define(`KBASE_IOCTL_CS_QUEUE_KICK', `0x8025')
+define(`KBASE_IOCTL_MEM_EXEC_INIT', `0x8026')
+define(`KBASE_IOCTL_CS_QUEUE_BIND', `0x8027')
+define(`KBASE_IOCTL_CS_QUEUE_REGISTER_EX', `0x8028')
+define(`KBASE_IOCTL_CS_QUEUE_TERMINATE', `0x8029')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6', `0x802a')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE', `0x802b')
+define(`KBASE_IOCTL_CS_EVENT_SIGNAL', `0x802c')
+define(`KBASE_IOCTL_KCPU_QUEUE_CREATE', `0x802d')
+define(`KBASE_IOCTL_KCPU_QUEUE_DELETE', `0x802e')
+define(`KBASE_IOCTL_KCPU_QUEUE_ENQUEUE', `0x802f')
+define(`KBASE_IOCTL_CS_TILER_HEAP_INIT', `0x8030')
+define(`KBASE_IOCTL_CS_TILER_HEAP_TERM', `0x8031')
+define(`KBASE_IOCTL_GET_CPU_GPU_TIMEINFO', `0x8032')
+define(`KBASE_IOCTL_CS_GET_GLB_IFACE', `0x8033')
+define(`KBASE_IOCTL_VERSION_CHECK_CSF', `0x8034')
+define(`KBASE_IOCTL_CS_CPU_QUEUE_DUMP', `0x8035')
+define(`KBASE_IOCTL_CONTEXT_PRIORITY_CHECK', `0x8036')
+define(`KBASE_IOCTL_SET_LIMITED_CORE_COUNT', `0x8037')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO', `0x8038')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_SETUP', `0x8039')
+define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE', `0x803a')
+define(`KBASE_IOCTL_MEM_ALLOC_EX', `0x803b')
+define(`KBASE_IOCTL_READ_USER_PAGE', `0x803c')
+define(`KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS', `0x803d')
+define(`KBASE_IOCTL_APC_REQUEST', `0x8042')
+define(`KBASE_IOCTL_BUFFER_LIVENESS_UPDATE', `0x8043')
+define(`KBASE_HWCNT_READER_GET_HWVER', `0xBE00')
+define(`KBASE_HWCNT_READER_GET_BUFFER_SIZE', `0xBE01')
+define(`KBASE_HWCNT_READER_DUMP', `0xBE10')
+define(`KBASE_HWCNT_READER_CLEAR', `0xBE11')
+define(`KBASE_HWCNT_READER_GET_BUFFER', `0xBE20')
+define(`KBASE_HWCNT_READER_PUT_BUFFER', `0xBE21')
+define(`KBASE_HWCNT_READER_SET_INTERVAL', `0xBE30')
+define(`KBASE_HWCNT_READER_ENABLE_EVENT', `0xBE40')
+define(`KBASE_HWCNT_READER_DISABLE_EVENT', `0xBE41')
+define(`KBASE_HWCNT_READER_GET_API_VERSION', `0xBEFF')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_CMD', `0xBF00')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE', `0xBF01')
+define(`KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE', `0xBF10')
--- a/vendor/ioctl_macros
+++ b/vendor/ioctl_macros
@ -0,0 +1,83 @@
+define(`unpriv_gpu_ioctls', `{
+  KBASE_IOCTL_VERSION_CHECK_JM
+  KBASE_IOCTL_SET_FLAGS
+  KBASE_IOCTL_JOB_SUBMIT
+  KBASE_IOCTL_GET_GPUPROPS
+  KBASE_IOCTL_POST_TERM
+  KBASE_IOCTL_MEM_ALLOC
+  KBASE_IOCTL_MEM_QUERY
+  KBASE_IOCTL_MEM_FREE
+  KBASE_IOCTL_DISJOINT_QUERY
+  KBASE_IOCTL_GET_DDK_VERSION
+  KBASE_IOCTL_MEM_JIT_INIT
+  KBASE_IOCTL_MEM_SYNC
+  KBASE_IOCTL_MEM_FIND_CPU_OFFSET
+  KBASE_IOCTL_GET_CONTEXT_ID
+  KBASE_IOCTL_MEM_COMMIT
+  KBASE_IOCTL_MEM_ALIAS
+  KBASE_IOCTL_MEM_IMPORT
+  KBASE_IOCTL_MEM_FLAGS_CHANGE
+  KBASE_IOCTL_STREAM_CREATE
+  KBASE_IOCTL_FENCE_VALIDATE
+  KBASE_IOCTL_MEM_PROFILE_ADD
+  KBASE_IOCTL_SOFT_EVENT_UPDATE
+  KBASE_IOCTL_STICKY_RESOURCE_MAP
+  KBASE_IOCTL_STICKY_RESOURCE_UNMAP
+  KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET
+  KBASE_IOCTL_CS_QUEUE_REGISTER
+  KBASE_IOCTL_CS_QUEUE_KICK
+  KBASE_IOCTL_MEM_EXEC_INIT
+  KBASE_IOCTL_CS_QUEUE_BIND
+  KBASE_IOCTL_CS_QUEUE_REGISTER_EX
+  KBASE_IOCTL_CS_QUEUE_TERMINATE
+  KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE
+  KBASE_IOCTL_CS_EVENT_SIGNAL
+  KBASE_IOCTL_KCPU_QUEUE_CREATE
+  KBASE_IOCTL_KCPU_QUEUE_DELETE
+  KBASE_IOCTL_KCPU_QUEUE_ENQUEUE
+  KBASE_IOCTL_CS_TILER_HEAP_INIT
+  KBASE_IOCTL_CS_TILER_HEAP_TERM
+  KBASE_IOCTL_GET_CPU_GPU_TIMEINFO
+  KBASE_IOCTL_CS_GET_GLB_IFACE
+  KBASE_IOCTL_VERSION_CHECK_CSF
+  KBASE_IOCTL_CS_CPU_QUEUE_DUMP
+  KBASE_IOCTL_CONTEXT_PRIORITY_CHECK
+  KBASE_IOCTL_SET_LIMITED_CORE_COUNT
+  KBASE_IOCTL_CS_QUEUE_GROUP_CREATE
+  KBASE_IOCTL_MEM_ALLOC_EX
+  KBASE_IOCTL_READ_USER_PAGE
+  KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS
+  KBASE_IOCTL_APC_REQUEST
+  KBASE_IOCTL_BUFFER_LIVENESS_UPDATE
+}')
+
+define(`instrumentation_gpu_ioctls', `{
+  KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO
+  KBASE_IOCTL_KINSTR_PRFCNT_SETUP
+  KBASE_IOCTL_TLSTREAM_ACQUIRE
+  KBASE_IOCTL_TLSTREAM_FLUSH
+  KBASE_IOCTL_KINSTR_PRFCNT_CMD
+  KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE
+  KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE
+}')
+
+define(`debug_gpu_ioctls', `{
+  KBASE_IOCTL_HWCNT_SET
+  KBASE_IOCTL_CINSTR_GWT_START
+  KBASE_IOCTL_CINSTR_GWT_STOP
+  KBASE_IOCTL_CINSTR_GWT_DUMP
+}')
+
+define(`deprecated_gpu_ioctls', `{
+  KBASE_HWCNT_READER_GET_HWVER
+  KBASE_HWCNT_READER_GET_BUFFER_SIZE
+  KBASE_HWCNT_READER_DUMP
+  KBASE_HWCNT_READER_CLEAR
+  KBASE_HWCNT_READER_GET_BUFFER
+  KBASE_HWCNT_READER_PUT_BUFFER
+  KBASE_HWCNT_READER_SET_INTERVAL
+  KBASE_HWCNT_READER_ENABLE_EVENT
+  KBASE_HWCNT_READER_DISABLE_EVENT
+  KBASE_HWCNT_READER_GET_API_VERSION
+  KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6
+}')