From 6deca6aed473c4b76eb6bc31cc1cc65ae0bef24c Mon Sep 17 00:00:00 2001
From: Renato Grottesi
Date: Wed, 28 Jun 2023 13:16:14 +0000
Subject: [PATCH] New ArmNN AIDL SELinux permissions and settings
Compile ArmNN shim over the support library
This change adds the SELinux permissions for the new ArmNN AIDL backend based on a shim over the NNAPI Support Library.
Test: Local run of CtsNNAPITestCases
Test: Local run of VtsHalNeuralnetworksTargetTest
Test: Local run of MLTS Benchmark
Bug: 283724775
Change-Id: Ie63c9adebf723c0df22c9533f46ad7475414dd3a
---
 edgetpu/sepolicy/hal_neuralnetworks_darwinn.te | 2 +-
 gpu/gpu.mk | 1 +
 gpu/sepolicy/file_contexts | 4 +++-
 gpu/sepolicy/hal_neuralnetworks_armnn.te | 17 +++++++++++++++++
 gpu/sepolicy/priv_app.te | 2 ++
 gpu/sepolicy/service.te | 4 ++++
 gpu/sepolicy/service_contexts | 3 +++
 7 files changed, 31 insertions(+), 2 deletions(-)
 create mode 100644 gpu/sepolicy/hal_neuralnetworks_armnn.te
 create mode 100644 gpu/sepolicy/priv_app.te
 create mode 100644 gpu/sepolicy/service.te
 create mode 100644 gpu/sepolicy/service_contexts
diff --git a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
index 7d50bfc..f867528 100644
--- a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
+++ b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
@@ -7,7 +7,7 @@ init_daemon_domain(hal_neuralnetworks_darwinn)
 # The TPU HAL looks for TPU instance in /dev/abrolhos
 allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+# Allow DarwiNN service to use a client-provided fd residing in /vendor/etc/.
 allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
 # Allow DarwiNN service to access data files.
diff --git a/gpu/gpu.mk b/gpu/gpu.mk
index d1c3a6d..67d1263 100644
--- a/gpu/gpu.mk
+++ b/gpu/gpu.mk
@@ -1,3 +1,4 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
 PRODUCT_PACKAGES += gpu_probe
+PRODUCT_PACKAGES += android.hardware.neuralnetworks-shim-service-armnn
diff --git a/gpu/sepolicy/file_contexts b/gpu/sepolicy/file_contexts
index 3752908..7cadf04 100644
--- a/gpu/sepolicy/file_contexts
+++ b/gpu/sepolicy/file_contexts
@@ -1 +1,3 @@
-/vendor/bin/gpu_probe u:object_r:gpu_probe_exec:s0
+/vendor/bin/gpu_probe u:object_r:gpu_probe_exec:s0
+
+/vendor/bin/hw/android\.hardware\.neuralnetworks-shim-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/gpu/sepolicy/hal_neuralnetworks_armnn.te b/gpu/sepolicy/hal_neuralnetworks_armnn.te
new file mode 100644
index 0000000..62c3257
--- /dev/null
+++ b/gpu/sepolicy/hal_neuralnetworks_armnn.te
@@ -0,0 +1,17 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
+add_service(hal_neuralnetworks_armnn, armnn_nnapi_service);
+
+allow hal_neuralnetworks_armnn armnn_app_service:service_manager find;
+
+get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)
+
+allow isolated_app app_data_file:file setattr;
+
+allow hal_neuralnetworks_armnn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_armnn, system_server);
+binder_use(hal_neuralnetworks_armnn)
diff --git a/gpu/sepolicy/priv_app.te b/gpu/sepolicy/priv_app.te
new file mode 100644
index 0000000..97eec7c
--- /dev/null
+++ b/gpu/sepolicy/priv_app.te
@@ -0,0 +1,2 @@
+allow priv_app armnn_app_service:service_manager find;
+allow priv_app armnn_nnapi_service:service_manager find;
diff --git a/gpu/sepolicy/service.te b/gpu/sepolicy/service.te
new file mode 100644
index 0000000..bf5f3ce
--- /dev/null
+++ b/gpu/sepolicy/service.te
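Review bot: `allow isolated_app app_data_file:file setattr;` in the new hal_neuralnetworks_armnn.te widens the platform sandbox domain isolated_app rather than the HAL domain the file is named for, and nothing in the commit message explains why the ArmNN shim needs it. Vendor policy should not extend a core app domain without a recorded denial and a reason; if the rule is really required, move it to a file named for the domain it changes (as this commit already does with priv_app.te) and put a comment above it naming the caller and the file it touches, otherwise drop it. The file also carries no comments while the sibling hal_neuralnetworks_darwinn.te explains each rule; a one-liner per rule, e.g. `# Report usage stats: find the framework stats service and call into system_server.` above the fwk_stats_service/binder_call lines, would match that style. `get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)` looks like a HIDL-era leftover for what the commit describes as an AIDL service and is probably unneeded — confirm against a denial log before keeping it.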
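Review bot: `allow priv_app armnn_nnapi_service:service_manager find;` is likely redundant, because armnn_nnapi_service is declared with the app_api_service attribute in service.te and the base priv_app policy already allows find on app_api_service — confirm against the platform policy and drop the duplicate if so. The armnn_app_service grant changes a platform domain from vendor policy without saying which privileged app binds it; add a comment above it such as `# <privileged app, TODO name> binds the ArmNN app service for <purpose>.` so the grant can be revisited when that app changes.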
@@ -0,0 +1,4 @@
+type armnn_nnapi_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_vendor_service, service_manager_type, hal_service_type;
+type armnn_dba_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_app_service, service_manager_type;
diff --git a/gpu/sepolicy/service_contexts b/gpu/sepolicy/service_contexts
new file mode 100644
index 0000000..a881130
--- /dev/null
+++ b/gpu/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+com.google.armnn.IArmnnVendorService/default u:object_r:armnn_vendor_service:s0
+android.hardware.neuralnetworks.IDevice/google-armnn u:object_r:armnn_nnapi_service:s0
+com.google.armnn.IArmnnpAppService/default u:object_r:armnn_app_service:s0
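Review bot: `armnn_dba_service` is declared as app_api_service and isolated_compute_allowed_service, yet no service_contexts entry in this commit maps a name to it and no domain is allowed to add it, so it appears to be dead or reserved for a later change. A type reachable by every app and by isolated compute should be introduced by the commit that registers it, or at least carry a comment naming the intended service and registering domain. Likewise nothing in this commit grants add on armnn_vendor_service or armnn_app_service although the HAL and priv_app are allowed to find them; if the registering domain lives in another policy file, a comment saying so would save the next reviewer the search.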
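Review bot: `com.google.armnn.IArmnnpAppService/default` reads like a typo for IArmnnAppService; service_contexts are matched against the exact name the process registers, so a mismatch would leave the real instance under the catch-all label and make every find granted on armnn_app_service ineffective — verify it against the AIDL interface descriptor the shim registers. The IDevice instance is labelled with the project-specific armnn_nnapi_service instead of whatever type the base policy uses for android.hardware.neuralnetworks.IDevice instances; if such a type exists, reusing it keeps this HAL under the existing neverallow and client rules, so confirm which is intended and record the choice in a comment in service.te.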