From 0f1433b2c8edc9b0a981dbe06a1264427df16b2a Mon Sep 17 00:00:00 2001 From: feiyuchen Date: Fri, 24 Mar 2023 07:06:08 +0000 Subject: [PATCH] Allow EdgeTPU DBA service to access the edgetpu_app_service EdgeTpu DBA service calls edgetpu_app_service's UserIsAuthorized API in order to know whether its clients are authorized to use priviledge features, see code: https://source.corp.google.com/android-internal/vendor/google/darwinn2/dba/service/edgetpu_device.cpp;l=73;rcl=1c57b54efe12cdb408cb21a992155a04d151e3ce It looks like the SELinux rule is missing today. Though I'm not sure why DBA service doesn't crash today. Bug: 237103652 Change-Id: I8c5da7413eb6f9efc527c9f9f1d1242f0cb4dea8 --- edgetpu/sepolicy/edgetpu_dba_service.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/edgetpu/sepolicy/edgetpu_dba_service.te b/edgetpu/sepolicy/edgetpu_dba_service.te index ce1f200..3717e20 100644 --- a/edgetpu/sepolicy/edgetpu_dba_service.te +++ b/edgetpu/sepolicy/edgetpu_dba_service.te @@ -12,6 +12,10 @@ binder_service(edgetpu_dba_server); # EdgeTPU DBA service to register the service to service_manager. add_service(edgetpu_dba_server, edgetpu_dba_service); +# Allow EdgeTPU DBA service to access the edgetpu_app_service. +allow edgetpu_dba_server edgetpu_app_service:service_manager find; +binder_call(edgetpu_dba_server, edgetpu_app_server); + # Allow EdgeTPU DBA service to look for TPU instance in /dev/edgetpu or /dev/edgetpu-soc. allow edgetpu_dba_server edgetpu_device:chr_file rw_file_perms;
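Review bot: The comment above the two added rules says only that the DBA service may "access" edgetpu_app_service, and does not record that the grant backs an authorization decision. Going by the commit message, the lookup exists so the DBA server can call UserIsAuthorized on its clients, so I would write the comment as `# Allow EdgeTPU DBA service to call edgetpu_app_service's UserIsAuthorized() to check client authorization.` so that a later policy cleanup does not drop the rule as unused. The message also notes that the service does not crash without the rule, which suggests (the service code is not visible here) that a denied `find` is currently handled silently. It is worth confirming from the `avc: denied` audit log that the denial really occurs before this change, and that the service treats a failed lookup as "not authorized" rather than skipping the check. The grant itself is narrow: `find` on one service type plus `binder_call` to one domain.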