From b2f00a1549322c7c4f521a41d9d7f70ca367c0de Mon Sep 17 00:00:00 2001 From: Liz Prucka Date: Thu, 7 Nov 2024 18:25:07 +0000 Subject: [PATCH] Restrict ioctl access for appdomain to gpu_device Add a list of Mali-specific ioctls (ioctl_defines). Define categories for these ioctls (ioctl_macros). This list was gathered by the ARM GPU team. All defined ioctls are granted access. Deprecated ioctls and ioctls intended for GPU development are logged to estimate the impact of their removal. During testing, no logging was observed during the launch of the top 100 apps. It is unlikely that such logging would spam the device's log. Bug: 384720119 Test: Csuite test of top 100 apps Flag: EXEMPT uses build system flag: RELEASE_PIXEL_MALI_SEPOLICY_ENABLED Change-Id: I49f7ffade42e1039e13601a81d814d33dfbc3e5a --- vendor/gpu.te | 10 ++++++ vendor/ioctl_defines | 73 ++++++++++++++++++++++++++++++++++++++ vendor/ioctl_macros | 83 ++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 166 insertions(+) create mode 100644 vendor/gpu.te create mode 100644 vendor/ioctl_defines create mode 100644 vendor/ioctl_macros diff --git a/vendor/gpu.te b/vendor/gpu.te new file mode 100644 index 00000000..24e901d0 --- /dev/null +++ b/vendor/gpu.te @@ -0,0 +1,10 @@ +# Policy to enable only production gpu ioctls. +is_flag_enabled(RELEASE_PIXEL_MALI_SEPOLICY_ENABLED, ` + # Allow gpu ioctls used in production. + allowxperm appdomain gpu_device:chr_file ioctl { unpriv_gpu_ioctls instrumentation_gpu_ioctls }; + # Audit gpu ioctl commands which have been deprecated, + # or are intended for development of the GPU. + auditallow appdomain gpu_device:chr_file ioctl; + allowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls }; + auditallowxperm appdomain gpu_device:chr_file ioctl { debug_gpu_ioctls deprecated_gpu_ioctls }; +') diff --git a/vendor/ioctl_defines b/vendor/ioctl_defines new file mode 100644 index 00000000..4bf35075 --- /dev/null +++ b/vendor/ioctl_defines @@ -0,0 +1,73 @@ +define(`KBASE_IOCTL_VERSION_CHECK_JM', `0x8000') +define(`KBASE_IOCTL_SET_FLAGS', `0x8001') +define(`KBASE_IOCTL_JOB_SUBMIT', `0x8002') +define(`KBASE_IOCTL_GET_GPUPROPS', `0x8003') +define(`KBASE_IOCTL_POST_TERM', `0x8004') +define(`KBASE_IOCTL_MEM_ALLOC', `0x8005') +define(`KBASE_IOCTL_MEM_QUERY', `0x8006') +define(`KBASE_IOCTL_MEM_FREE', `0x8007') +define(`KBASE_IOCTL_HWCNT_READER_SETUP', `0x8008') +define(`KBASE_IOCTL_DISJOINT_QUERY', `0x800c') +define(`KBASE_IOCTL_GET_DDK_VERSION', `0x800d') +define(`KBASE_IOCTL_MEM_JIT_INIT', `0x800e') +define(`KBASE_IOCTL_MEM_SYNC', `0x800f') +define(`KBASE_IOCTL_MEM_FIND_CPU_OFFSET', `0x8010') +define(`KBASE_IOCTL_GET_CONTEXT_ID', `0x8011') +define(`KBASE_IOCTL_TLSTREAM_ACQUIRE', `0x8012') +define(`KBASE_IOCTL_TLSTREAM_FLUSH', `0x8013') +define(`KBASE_IOCTL_MEM_COMMIT', `0x8014') +define(`KBASE_IOCTL_MEM_ALIAS', `0x8015') +define(`KBASE_IOCTL_MEM_IMPORT', `0x8016') +define(`KBASE_IOCTL_MEM_FLAGS_CHANGE', `0x8017') +define(`KBASE_IOCTL_STREAM_CREATE', `0x8018') +define(`KBASE_IOCTL_FENCE_VALIDATE', `0x8019') +define(`KBASE_IOCTL_MEM_PROFILE_ADD', `0x801b') +define(`KBASE_IOCTL_SOFT_EVENT_UPDATE', `0x801c') +define(`KBASE_IOCTL_STICKY_RESOURCE_MAP', `0x801d') +define(`KBASE_IOCTL_STICKY_RESOURCE_UNMAP', `0x801e') +define(`KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET', `0x801f') +define(`KBASE_IOCTL_HWCNT_SET', `0x8020') +define(`KBASE_IOCTL_CINSTR_GWT_START', `0x8021') +define(`KBASE_IOCTL_CINSTR_GWT_STOP', `0x8022') +define(`KBASE_IOCTL_CINSTR_GWT_DUMP', `0x8023') +define(`KBASE_IOCTL_CS_QUEUE_REGISTER', `0x8024') +define(`KBASE_IOCTL_CS_QUEUE_KICK', `0x8025') +define(`KBASE_IOCTL_MEM_EXEC_INIT', `0x8026') +define(`KBASE_IOCTL_CS_QUEUE_BIND', `0x8027') +define(`KBASE_IOCTL_CS_QUEUE_REGISTER_EX', `0x8028') +define(`KBASE_IOCTL_CS_QUEUE_TERMINATE', `0x8029') +define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6', `0x802a') +define(`KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE', `0x802b') +define(`KBASE_IOCTL_CS_EVENT_SIGNAL', `0x802c') +define(`KBASE_IOCTL_KCPU_QUEUE_CREATE', `0x802d') +define(`KBASE_IOCTL_KCPU_QUEUE_DELETE', `0x802e') +define(`KBASE_IOCTL_KCPU_QUEUE_ENQUEUE', `0x802f') +define(`KBASE_IOCTL_CS_TILER_HEAP_INIT', `0x8030') +define(`KBASE_IOCTL_CS_TILER_HEAP_TERM', `0x8031') +define(`KBASE_IOCTL_GET_CPU_GPU_TIMEINFO', `0x8032') +define(`KBASE_IOCTL_CS_GET_GLB_IFACE', `0x8033') +define(`KBASE_IOCTL_VERSION_CHECK_CSF', `0x8034') +define(`KBASE_IOCTL_CS_CPU_QUEUE_DUMP', `0x8035') +define(`KBASE_IOCTL_CONTEXT_PRIORITY_CHECK', `0x8036') +define(`KBASE_IOCTL_SET_LIMITED_CORE_COUNT', `0x8037') +define(`KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO', `0x8038') +define(`KBASE_IOCTL_KINSTR_PRFCNT_SETUP', `0x8039') +define(`KBASE_IOCTL_CS_QUEUE_GROUP_CREATE', `0x803a') +define(`KBASE_IOCTL_MEM_ALLOC_EX', `0x803b') +define(`KBASE_IOCTL_READ_USER_PAGE', `0x803c') +define(`KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS', `0x803d') +define(`KBASE_IOCTL_APC_REQUEST', `0x8042') +define(`KBASE_IOCTL_BUFFER_LIVENESS_UPDATE', `0x8043') +define(`KBASE_HWCNT_READER_GET_HWVER', `0xBE00') +define(`KBASE_HWCNT_READER_GET_BUFFER_SIZE', `0xBE01') +define(`KBASE_HWCNT_READER_DUMP', `0xBE10') +define(`KBASE_HWCNT_READER_CLEAR', `0xBE11') +define(`KBASE_HWCNT_READER_GET_BUFFER', `0xBE20') +define(`KBASE_HWCNT_READER_PUT_BUFFER', `0xBE21') +define(`KBASE_HWCNT_READER_SET_INTERVAL', `0xBE30') +define(`KBASE_HWCNT_READER_ENABLE_EVENT', `0xBE40') +define(`KBASE_HWCNT_READER_DISABLE_EVENT', `0xBE41') +define(`KBASE_HWCNT_READER_GET_API_VERSION', `0xBEFF') +define(`KBASE_IOCTL_KINSTR_PRFCNT_CMD', `0xBF00') +define(`KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE', `0xBF01') +define(`KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE', `0xBF10') diff --git a/vendor/ioctl_macros b/vendor/ioctl_macros new file mode 100644 index 00000000..3874e049 --- /dev/null +++ b/vendor/ioctl_macros @@ -0,0 +1,83 @@ +define(`unpriv_gpu_ioctls', `{ + KBASE_IOCTL_VERSION_CHECK_JM + KBASE_IOCTL_SET_FLAGS + KBASE_IOCTL_JOB_SUBMIT + KBASE_IOCTL_GET_GPUPROPS + KBASE_IOCTL_POST_TERM + KBASE_IOCTL_MEM_ALLOC + KBASE_IOCTL_MEM_QUERY + KBASE_IOCTL_MEM_FREE + KBASE_IOCTL_DISJOINT_QUERY + KBASE_IOCTL_GET_DDK_VERSION + KBASE_IOCTL_MEM_JIT_INIT + KBASE_IOCTL_MEM_SYNC + KBASE_IOCTL_MEM_FIND_CPU_OFFSET + KBASE_IOCTL_GET_CONTEXT_ID + KBASE_IOCTL_MEM_COMMIT + KBASE_IOCTL_MEM_ALIAS + KBASE_IOCTL_MEM_IMPORT + KBASE_IOCTL_MEM_FLAGS_CHANGE + KBASE_IOCTL_STREAM_CREATE + KBASE_IOCTL_FENCE_VALIDATE + KBASE_IOCTL_MEM_PROFILE_ADD + KBASE_IOCTL_SOFT_EVENT_UPDATE + KBASE_IOCTL_STICKY_RESOURCE_MAP + KBASE_IOCTL_STICKY_RESOURCE_UNMAP + KBASE_IOCTL_MEM_FIND_GPU_START_AND_OFFSET + KBASE_IOCTL_CS_QUEUE_REGISTER + KBASE_IOCTL_CS_QUEUE_KICK + KBASE_IOCTL_MEM_EXEC_INIT + KBASE_IOCTL_CS_QUEUE_BIND + KBASE_IOCTL_CS_QUEUE_REGISTER_EX + KBASE_IOCTL_CS_QUEUE_TERMINATE + KBASE_IOCTL_CS_QUEUE_GROUP_TERMINATE + KBASE_IOCTL_CS_EVENT_SIGNAL + KBASE_IOCTL_KCPU_QUEUE_CREATE + KBASE_IOCTL_KCPU_QUEUE_DELETE + KBASE_IOCTL_KCPU_QUEUE_ENQUEUE + KBASE_IOCTL_CS_TILER_HEAP_INIT + KBASE_IOCTL_CS_TILER_HEAP_TERM + KBASE_IOCTL_GET_CPU_GPU_TIMEINFO + KBASE_IOCTL_CS_GET_GLB_IFACE + KBASE_IOCTL_VERSION_CHECK_CSF + KBASE_IOCTL_CS_CPU_QUEUE_DUMP + KBASE_IOCTL_CONTEXT_PRIORITY_CHECK + KBASE_IOCTL_SET_LIMITED_CORE_COUNT + KBASE_IOCTL_CS_QUEUE_GROUP_CREATE + KBASE_IOCTL_MEM_ALLOC_EX + KBASE_IOCTL_READ_USER_PAGE + KBASE_IOCTL_QUEUE_GROUP_CLEAR_FAULTS + KBASE_IOCTL_APC_REQUEST + KBASE_IOCTL_BUFFER_LIVENESS_UPDATE +}') + +define(`instrumentation_gpu_ioctls', `{ + KBASE_IOCTL_KINSTR_PRFCNT_ENUM_INFO + KBASE_IOCTL_KINSTR_PRFCNT_SETUP + KBASE_IOCTL_TLSTREAM_ACQUIRE + KBASE_IOCTL_TLSTREAM_FLUSH + KBASE_IOCTL_KINSTR_PRFCNT_CMD + KBASE_IOCTL_KINSTR_PRFCNT_GET_SAMPLE + KBASE_IOCTL_KINSTR_PRFCNT_PUT_SAMPLE +}') + +define(`debug_gpu_ioctls', `{ + KBASE_IOCTL_HWCNT_SET + KBASE_IOCTL_CINSTR_GWT_START + KBASE_IOCTL_CINSTR_GWT_STOP + KBASE_IOCTL_CINSTR_GWT_DUMP +}') + +define(`deprecated_gpu_ioctls', `{ + KBASE_HWCNT_READER_GET_HWVER + KBASE_HWCNT_READER_GET_BUFFER_SIZE + KBASE_HWCNT_READER_DUMP + KBASE_HWCNT_READER_CLEAR + KBASE_HWCNT_READER_GET_BUFFER + KBASE_HWCNT_READER_PUT_BUFFER + KBASE_HWCNT_READER_SET_INTERVAL + KBASE_HWCNT_READER_ENABLE_EVENT + KBASE_HWCNT_READER_DISABLE_EVENT + KBASE_HWCNT_READER_GET_API_VERSION + KBASE_IOCTL_CS_QUEUE_GROUP_CREATE_1_6 +}')