From 25b66183cf2bdae1cb07a12ebc70c3ad3a1e1ebe Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Fri, 24 Jan 2025 07:00:51 +0000
Subject: [PATCH] Allow tachyon service to make binder calls to gca This permission is needed for tachyon service to call callbacks shared by clients of gxp/edgetpu device for tensor G5. As tachyon is present in pixel 6 where google_camera_app is not defined, I need to assign it here. AVC Error seen when tachyon tries accessing GCA: 01-22 11:40:03.212 6987 6987 W com.google.edge: type=1400 audit(0.0:17): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:google_camera_app:s0:c145,c256,c512,c768 tclass=binder permissive=0 01-23 07:12:26.424 4166 4166 W com.google.edge: type=1400 audit(0.0:254): avc: denied { call } for scontext=u:r:edgetpu_tachyon_server:s0 tcontext=u:r:debug_camera_app:s0:c67,c257,c512,c768 tclass=binder permissive=0 Bug:391537620 Flag: EXEMPT updates device sepolicy only Change-Id: I9dd78bd941b0de9057606409fd18632cc76f56b0
---
 gcam_app/sepolicy/vendor/debug_camera_app.te | 3 +++
 gcam_app/sepolicy/vendor/google_camera_app.te | 2 ++
 2 files changed, 5 insertions(+)
diff --git a/gcam_app/sepolicy/vendor/debug_camera_app.te b/gcam_app/sepolicy/vendor/debug_camera_app.te
index 8cac086..61029b6 100644
--- a/gcam_app/sepolicy/vendor/debug_camera_app.te
+++ b/gcam_app/sepolicy/vendor/debug_camera_app.te
@@ -12,5 +12,8 @@ userdebug_or_eng(`
 # Allows GCA_Eng & GCA-Next to access the hw_jpeg /dev/video12.
 # allow debug_camera_app hw_jpg_device:chr_file rw_file_perms;
+
+ # Allows tachyon_service to communicate with GCA-Eng via binder.
+ binder_call(edgetpu_tachyon_server, debug_camera_app);
 ')
diff --git a/gcam_app/sepolicy/vendor/google_camera_app.te b/gcam_app/sepolicy/vendor/google_camera_app.te
index a1c3ddb..67287b6 100644
--- a/gcam_app/sepolicy/vendor/google_camera_app.te
+++ b/gcam_app/sepolicy/vendor/google_camera_app.te
@@ -11,3 +11,5 @@ allow google_camera_app edgetpu_device:chr_file { read write ioctl };
 # Allows GCA to access the hw_jpeg /dev/video12.
 #allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+# Allows tachyon service to communicate with google_camera_app via binder.
+binder_call(edgetpu_tachyon_server, google_camera_app);
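Review bot: `binder_call(edgetpu_tachyon_server, google_camera_app);` grants more than the logged denials ask for: both AVC lines in the description show only `{ call }`, while the AOSP `binder_call` macro also allows `transfer` in both directions and `fd use` on the target domain. The same applies to the `debug_camera_app` rule added inside `userdebug_or_eng` in the first hunk. If the callback path never passes binder references or file descriptors, `allow edgetpu_tachyon_server google_camera_app:binder call;` would be the narrower grant; otherwise the comment should say why the full macro is needed, for example `# tachyon invokes callbacks registered by GCA; binder refs/fds are passed on this path`. The added comments say "tachyon_service" and "tachyon service" while the type is `edgetpu_tachyon_server`; naming the type and the direction of the call (server into app) would make the rule easier to audit.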