diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index 06f0a89..6190fcf 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -17,6 +17,8 @@
 # EdgeTPU runtime libraries
 /vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+# EdgeTPU Tachyon libraries
+/vendor/lib64/libedgetpu_tachyon\.google\.so u:object_r:same_process_hal_file:s0
 
 # EdgeTPU data files
 /data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
@@ -27,3 +29,6 @@
 
 # Tachyon service
 /vendor/bin/hw/com\.google\.edgetpu.tachyon-service u:object_r:edgetpu_tachyon_server_exec:s0
+
+# libfmq.so is dynamically loaded by the Tachyon client-side library libedgetpu_tachyon.google.so
+/vendor/lib64/libfmq\.so u:object_r:same_process_hal_file:s0
diff --git a/edgetpu/sepolicy/priv_app.te b/edgetpu/sepolicy/priv_app.te
index a9b49c3..579cc61 100644
--- a/edgetpu/sepolicy/priv_app.te
+++ b/edgetpu/sepolicy/priv_app.te
@@ -7,3 +7,6 @@ allow priv_app edgetpu_nnapi_service:service_manager find;
 # Allows privileged applications to access the EdgeTPU device, except open,
 # which is guarded by the EdgeTPU service.
 allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, priv_app);
diff --git a/edgetpu/sepolicy/untrusted_app_all.te b/edgetpu/sepolicy/untrusted_app_all.te
index 9abec61..3c92900 100644
--- a/edgetpu/sepolicy/untrusted_app_all.te
+++ b/edgetpu/sepolicy/untrusted_app_all.te
@@ -5,3 +5,5 @@ allow untrusted_app_all edgetpu_app_service:service_manager find;
 # by the EdgeTPU service.
 allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
 
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, untrusted_app_all);
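Review bot: The new `# EdgeTPU Tachyon libraries` comment does not say why `same_process_hal_file` is the right label for `libedgetpu_tachyon\.google\.so`, and that label is the security-relevant part: it makes the file readable, mappable and executable by every app domain, so the library runs with the calling app's privileges rather than the Tachyon service's. The second hunk of this file calls it the "client-side library", which is the justification; it belongs next to the label. I would replace the comment with `# EdgeTPU Tachyon client-side library, loaded into app processes (same-process HAL: runs with the app's privileges, no service-side access).`. Whether anything beyond the Tachyon client ever loads this library is not visible here; if nothing else does, the plural "libraries" is also misleading for a single entry.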
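Review bot: Relabelling `/vendor/lib64/libfmq\.so` as `same_process_hal_file` widens access for every app domain on the device, not only Tachyon clients, since file_contexts has no notion of who dlopens it; the comment should state that this is accepted because libfmq is a pure client-side transport library, e.g. `# Labelled same_process_hal_file so any app hosting the Tachyon client can load it; libfmq has no privileged side effects.`. Two things to confirm on a device build rather than in this file: that the vendor variant of libfmq really ships at this path (on builds where libfmq comes from the VNDK APEX the entry would match nothing and the client would resolve a differently labelled copy), and that no more specific `/vendor/lib64/...` rule elsewhere overrides this one, which `ls -Z /vendor/lib64/libfmq.so` after flashing will show. The SELinux label alone does not make the library resolvable from an app: the linker namespace the client is loaded into must also expose libfmq, which this patch cannot show.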
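Review bot: `binder_call(edgetpu_tachyon_server, priv_app)` grants more than the comment "call the app" suggests: in AOSP's te_macros the macro also allows `transfer` from the service and `fd use` in the reverse direction, so the app gains the right to use file descriptors the service hands it over binder (presumably the FMQ descriptors the new libfmq dependency implies; confirm against this tree's te_macros). That is the part a future reviewer will want spelled out, so I would write `# Allows the Tachyon service to call back into the app (callbacks) and lets the app use fds the service passes over binder (e.g. FMQ descriptors).`. The forward direction, `priv_app` finding and calling the Tachyon service, is not in this hunk; the visible `find` rule covers only `edgetpu_nnapi_service`, so check that it already exists in `edgetpu_tachyon_server.te` or a service_contexts rule, otherwise this reverse-only rule is inert.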
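Review bot: Adding `binder_call(edgetpu_tachyon_server, untrusted_app_all)` makes a vendor HAL process a binder caller and fd source for every untrusted application on the device, which is a larger exposure than the matching `priv_app` rule and deserves its own justification in the comment rather than the copied one-liner. The app-side Tachyon client that receives these transactions must treat them as untrusted input (validate callback arguments, descriptor counts and FMQ sizes), since a compromised service could now reach any untrusted app's process; I cannot tell from this hunk whether the client library does that. I would document it as `# Allows the Tachyon service to call back into untrusted apps and pass fds (FMQ) to them; the client library must validate everything received, as the service is a vendor process.`. Also confirm that granting this to `untrusted_app_all` is intended for every targetSdk variant rather than only the SDK levels that can use Tachyon, since `untrusted_app_all` covers them all.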