New ArmNN AIDL SELinux permissions and settings

Compile ArmNN shim over the support library This change adds the SELinux permissions for the new ArmNN AIDL backend based on a shim over the NNAPI Support Library. Test: Local run of CtsNNAPITestCases Test: Local run of VtsHalNeuralnetworksTargetTest Test: Local run of MLTS Benchmark Bug: 283724775 Change-Id: Ie63c9adebf723c0df22c9533f46ad7475414dd3a
2023-06-28 13:16:14 +00:00 · 2023-06-28 13:16:14 +00:00 · 6deca6aed4
commit 6deca6aed4
parent 2b603ecd6c
7 changed files with 31 additions and 2 deletions
--- a/gpu/gpu.mk
+++ b/gpu/gpu.mk
@ -1,3 +1,4 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy

 PRODUCT_PACKAGES += gpu_probe
+PRODUCT_PACKAGES += android.hardware.neuralnetworks-shim-service-armnn
--- a/gpu/sepolicy/file_contexts
+++ b/gpu/sepolicy/file_contexts
@ -1 +1,3 @@
-/vendor/bin/gpu_probe           u:object_r:gpu_probe_exec:s0
+/vendor/bin/gpu_probe                                                     u:object_r:gpu_probe_exec:s0
+
+/vendor/bin/hw/android\.hardware\.neuralnetworks-shim-service-armnn       u:object_r:hal_neuralnetworks_armnn_exec:s0
--- a/gpu/sepolicy/hal_neuralnetworks_armnn.te
+++ b/gpu/sepolicy/hal_neuralnetworks_armnn.te
@ -0,0 +1,17 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
+add_service(hal_neuralnetworks_armnn, armnn_nnapi_service);
+
+allow hal_neuralnetworks_armnn armnn_app_service:service_manager find;
+
+get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)
+
+allow isolated_app app_data_file:file setattr;
+
+allow hal_neuralnetworks_armnn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_armnn, system_server);
+binder_use(hal_neuralnetworks_armnn)
--- a/gpu/sepolicy/priv_app.te
+++ b/gpu/sepolicy/priv_app.te
@ -0,0 +1,2 @@
+allow priv_app armnn_app_service:service_manager find;
+allow priv_app armnn_nnapi_service:service_manager find;
--- a/gpu/sepolicy/service.te
+++ b/gpu/sepolicy/service.te
@ -0,0 +1,4 @@
+type armnn_nnapi_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_vendor_service, service_manager_type, hal_service_type;
+type armnn_dba_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_app_service, service_manager_type;
--- a/gpu/sepolicy/service_contexts
+++ b/gpu/sepolicy/service_contexts
@ -0,0 +1,3 @@
+com.google.armnn.IArmnnVendorService/default             u:object_r:armnn_vendor_service:s0
+android.hardware.neuralnetworks.IDevice/google-armnn     u:object_r:armnn_nnapi_service:s0
+com.google.armnn.IArmnnpAppService/default               u:object_r:armnn_app_service:s0