From 12b799b125d51b3fb6163b2cc9fa3e283fc422c6 Mon Sep 17 00:00:00 2001
From: feiyuchen
Date: Tue, 7 May 2024 19:12:30 +0000
Subject: [PATCH 1/2] Add SELinux policy for apps to use Tachyon lib
Bug: 339133130
Test: Verified apps can now open Tachyon client lib
Change-Id: I8ca9f08517ae8fc1deb5f97ce2823cd5eb5fafb6
---
 edgetpu/sepolicy/file_contexts | 5 +++++
 edgetpu/sepolicy/priv_app.te | 3 +++
 edgetpu/sepolicy/untrusted_app_all.te | 2 ++
 3 files changed, 10 insertions(+)
diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index 06f0a89..6190fcf 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -17,6 +17,8 @@
 # EdgeTPU runtime libraries
 /vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+# EdgeTPU Tachyon libraries
+/vendor/lib64/libedgetpu_tachyon\.google\.so u:object_r:same_process_hal_file:s0
 # EdgeTPU data files
 /data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
@@ -27,3 +29,6 @@
 # Tachyon service
 /vendor/bin/hw/com\.google\.edgetpu.tachyon-service u:object_r:edgetpu_tachyon_server_exec:s0
+
+# libfmq.so is dynamically loaded by the Tachyon client-side library libedgetpu_tachyon.google.so
+/vendor/lib64/libfmq\.so u:object_r:same_process_hal_file:s0
diff --git a/edgetpu/sepolicy/priv_app.te b/edgetpu/sepolicy/priv_app.te
index a9b49c3..579cc61 100644
--- a/edgetpu/sepolicy/priv_app.te
+++ b/edgetpu/sepolicy/priv_app.te
@@ -7,3 +7,6 @@ allow priv_app edgetpu_nnapi_service:service_manager find;
 # Allows privileged applications to access the EdgeTPU device, except open,
 # which is guarded by the EdgeTPU service.
 allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, priv_app);
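Review bot: Both entries added to edgetpu/sepolicy/file_contexts use the `same_process_hal_file` label, and the second hunk applies it to `/vendor/lib64/libfmq\.so`, a general-purpose library rather than an EdgeTPU one, so the relabel changes who may load that file device-wide and not only for Tachyon clients. In the platform policy that type is, as far as I know, readable and executable by every domain, so both libraries run with the identity of whichever process loads them and should not assume a vendor-only caller. Whether another sepolicy directory in the same build already carries an entry for libfmq.so cannot be seen from this hunk; a second, different label for the same path would need reconciling. I would extend the comment to record the exposure, e.g. `# libfmq.so is loaded in-process by libedgetpu_tachyon.google.so; same_process_hal_file makes it loadable by app domains, keep any other libfmq.so label in the build consistent with this one.`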
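Review bot: The comment above the added `binder_call(edgetpu_tachyon_server, priv_app);` in priv_app.te understates what the macro grants: as defined in the platform te_macros it also lets the app transfer binder references back and gives `edgetpu_tachyon_server` `fd use` on file descriptors owned by the app, so the service ends up consuming objects supplied by its caller. The identical line added to untrusted_app_all.te extends this to every third-party app, which makes the service's callback and fd handling reachable from untrusted code; nothing in these hunks narrows that, so the validation presumably has to live in the server and is worth confirming there. I would make the comment state the direction and the trust boundary, e.g. `# Callback path: lets edgetpu_tachyon_server call into the app and use fds the app passes back; the server must treat both as untrusted input.` Since the source domain of the rule is the service, it would also read more naturally in the service's own .te file than in the two app policy files.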
diff --git a/edgetpu/sepolicy/untrusted_app_all.te b/edgetpu/sepolicy/untrusted_app_all.te
index 9abec61..3c92900 100644
--- a/edgetpu/sepolicy/untrusted_app_all.te
+++ b/edgetpu/sepolicy/untrusted_app_all.te
@@ -5,3 +5,5 @@ allow untrusted_app_all edgetpu_app_service:service_manager find;
 # by the EdgeTPU service.
 allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, untrusted_app_all);
From 11eb02562d7e89037c67f5a22a142b110b303a30 Mon Sep 17 00:00:00 2001
From: Juan Yescas
Date: Thu, 9 May 2024 03:40:17 +0000
Subject: [PATCH 2/2] Revert "Add a different implementation of insmod.sh"
This reverts commit 60cc378f185e75899c62dc97c7fc3a55856525eb.
Reason for revert: thermal-service.pixel native crash many times
Bug: 339337171
Change-Id: Ibd228ea6a0950c2ff8449f7fd55a405fe9a0a99f
---
 insmod/16k/Android.bp | 14 ----
 insmod/16k/insmod.sh | 119 --------------------------------
 insmod/4k/Android.bp | 13 ----
 insmod/4k/init.module.rc | 10 ---
 insmod/4k/insmod.sh | 102 ---------------------------
 insmod/Android.bp | 7 ++
 insmod/{16k => }/init.module.rc | 0
 insmod/insmod.mk | 6 --
 8 files changed, 7 insertions(+), 264 deletions(-)
 delete mode 100644 insmod/16k/Android.bp
 delete mode 100644 insmod/16k/insmod.sh
 delete mode 100644 insmod/4k/Android.bp
 delete mode 100644 insmod/4k/init.module.rc
 delete mode 100644 insmod/4k/insmod.sh
 rename insmod/{16k => }/init.module.rc (100%)
diff --git a/insmod/16k/Android.bp b/insmod/16k/Android.bp
deleted file mode 100644
index 975c5dc..0000000
--- a/insmod/16k/Android.bp
+++ /dev/null
@@ -1,14 +0,0 @@
-
-soong_namespace {
-}
-
-package {
- default_applicable_licenses: ["Android-Apache-2.0"],
-}
-
-sh_binary {
- name: "insmod.sh",
- src: "insmod.sh",
- init_rc: ["init.module.rc"],
- vendor: true,
-}
diff --git a/insmod/16k/insmod.sh b/insmod/16k/insmod.sh
deleted file mode 100644
index 8ec8199..0000000
--- a/insmod/16k/insmod.sh
+++ /dev/null
@@ -1,119 +0,0 @@ -#!/vendor/bin/sh - -############################################################# -### init.insmod.cfg format: ### -### ----------------------------------------------------- ### -### [insmod|setprop|enable/moprobe|wait] [path|prop name] ### -### ... ### -############################################################# - -modules_dir= -system_modules_dir= -vendor_modules_dir= - - -pagesize=$(getconf PAGESIZE) -# bootoption=$(getprop ro.product.build.16k_page.enabled) -# We do not need to check ro.product.build.16k_page.enabled , because this -# version of insmod.sh will only be used if PRODUCT_16K_DEVELOPER_OPTION -# is set to true - -if [ "$pagesize" != "4096" ] ; then - echo "Device has page size $pagesize , skip loading modules from vendor_dlkm/system_dlkm because all modules are stored on vendor_boot" - setprop vendor.common.modules.ready 1 - setprop vendor.device.modules.ready 1 - setprop vendor.all.modules.ready 1 - setprop vendor.all.devices.ready 1 - return 0 -fi - - -for dir in system vendor; do - for f in /${dir}/lib/modules/*/modules.dep /${dir}/lib/modules/modules.dep; do - if [[ -f "$f" ]]; then - if [[ "${dir}" == "system" ]]; then - system_modules_dir="$(dirname "$f")" - else - vendor_modules_dir="$(dirname "$f")" - modules_dir=${vendor_modules_dir} - fi - break - fi - done -done - -if [[ -z "${system_modules_dir}" ]]; then - echo "Unable to locate system kernel modules directory" 2>&1 -fi - -if [[ -z "${vendor_modules_dir}" ]]; then - echo "Unable to locate vendor kernel modules directory" 2>&1 - exit 1 -fi - -# imitates wait_for_file() in init -wait_for_file() -{ - filename="${1}" - timeout="${2:-5}" - - expiry=$(($(date "+%s")+timeout)) - while [[ ! 
-e "${filename}" ]] && [[ "$(date "+%s")" -le "${expiry}" ]] - do - sleep 0.01 - done -} - -if [ $# -eq 1 ]; then - cfg_file=$1 -else - # Set property even if there is no insmod config - # to unblock early-boot trigger - setprop vendor.common.modules.ready 1 - setprop vendor.device.modules.ready 1 - setprop vendor.all.modules.ready 1 - setprop vendor.all.devices.ready 1 - exit 1 -fi - -if [ -f $cfg_file ]; then - while IFS="|" read -r action arg - do - case $action in - "insmod") insmod $arg ;; - "setprop") setprop $arg 1 ;; - "enable") echo 1 > $arg ;; - "condinsmod") - prop=$(echo $arg | cut -d '|' -f 1) - module1=$(echo $arg | cut -d '|' -f 2) - module2=$(echo $arg | cut -d '|' -f 3) - value=$(getprop $prop) - if [[ ${value} == "true" ]]; then - insmod ${vendor_modules_dir}/${module1} - else - insmod ${vendor_modules_dir}/${module2} - fi - ;; - "modprobe") - case ${arg} in - "system -b *" | "system -b") - modules_dir=${system_modules_dir} - arg="-b --all=${system_modules_dir}/modules.load" ;; - "system *" | "system") - modules_dir=${system_modules_dir} - arg="--all=${system_modules_dir}/modules.load" ;; - "-b *" | "-b" | "vendor -b *" | "vendor -b") - modules_dir=${vendor_modules_dir} - arg="-b --all=${vendor_modules_dir}/modules.load" ;; - "*" | "" | "vendor *" | "vendor") - modules_dir=${vendor_modules_dir} - arg="--all=${vendor_modules_dir}/modules.load" ;; - esac - if [[ -d "${modules_dir}" ]]; then - modprobe -a -d "${modules_dir}" $arg - fi - ;; - "wait") wait_for_file $arg ;; - esac - done < $cfg_file -fi diff --git a/insmod/4k/Android.bp b/insmod/4k/Android.bp deleted file mode 100644 index ddfec40..0000000 --- a/insmod/4k/Android.bp +++ /dev/null @@ -1,13 +0,0 @@ - -soong_namespace { -} -package { - default_applicable_licenses: ["Android-Apache-2.0"], -} - -sh_binary { - name: "insmod.sh", - src: "insmod.sh", - init_rc: ["init.module.rc"], - vendor: true, -} 
diff --git a/insmod/4k/init.module.rc b/insmod/4k/init.module.rc
deleted file mode 100644
index de23b5b..0000000
--- a/insmod/4k/init.module.rc
+++ /dev/null
@@ -1,10 +0,0 @@
-on init
- # Loading common kernel modules in background
- start insmod_sh
-
-service insmod_sh /vendor/bin/insmod.sh /vendor/etc/init.common.cfg
- class main
- user root
- group root system
- disabled
- oneshot
diff --git a/insmod/4k/insmod.sh b/insmod/4k/insmod.sh
deleted file mode 100644
index 8cac37e..0000000
--- a/insmod/4k/insmod.sh
+++ /dev/null
@@ -1,102 +0,0 @@ -#!/vendor/bin/sh - -############################################################# -### init.insmod.cfg format: ### -### ----------------------------------------------------- ### -### [insmod|setprop|enable/moprobe|wait] [path|prop name] ### -### ... ### -############################################################# - -modules_dir= -system_modules_dir= -vendor_modules_dir= - -for dir in system vendor; do - for f in /${dir}/lib/modules/*/modules.dep /${dir}/lib/modules/modules.dep; do - if [[ -f "$f" ]]; then - if [[ "${dir}" == "system" ]]; then - system_modules_dir="$(dirname "$f")" - else - vendor_modules_dir="$(dirname "$f")" - modules_dir=${vendor_modules_dir} - fi - break - fi - done -done - -if [[ -z "${system_modules_dir}" ]]; then - echo "Unable to locate system kernel modules directory" 2>&1 -fi - -if [[ -z "${vendor_modules_dir}" ]]; then - echo "Unable to locate vendor kernel modules directory" 2>&1 - exit 1 -fi - -# imitates wait_for_file() in init -wait_for_file() -{ - filename="${1}" - timeout="${2:-5}" - - expiry=$(($(date "+%s")+timeout)) - while [[ ! 
-e "${filename}" ]] && [[ "$(date "+%s")" -le "${expiry}" ]] - do - sleep 0.01 - done -} - -if [ $# -eq 1 ]; then - cfg_file=$1 -else - # Set property even if there is no insmod config - # to unblock early-boot trigger - setprop vendor.common.modules.ready - setprop vendor.device.modules.ready - setprop vendor.all.modules.ready - setprop vendor.all.devices.ready - exit 1 -fi - -if [ -f $cfg_file ]; then - while IFS="|" read -r action arg - do - case $action in - "insmod") insmod $arg ;; - "setprop") setprop $arg 1 ;; - "enable") echo 1 > $arg ;; - "condinsmod") - prop=$(echo $arg | cut -d '|' -f 1) - module1=$(echo $arg | cut -d '|' -f 2) - module2=$(echo $arg | cut -d '|' -f 3) - value=$(getprop $prop) - if [[ ${value} == "true" ]]; then - insmod ${vendor_modules_dir}/${module1} - else - insmod ${vendor_modules_dir}/${module2} - fi - ;; - "modprobe") - case ${arg} in - "system -b *" | "system -b") - modules_dir=${system_modules_dir} - arg="-b --all=${system_modules_dir}/modules.load" ;; - "system *" | "system") - modules_dir=${system_modules_dir} - arg="--all=${system_modules_dir}/modules.load" ;; - "-b *" | "-b" | "vendor -b *" | "vendor -b") - modules_dir=${vendor_modules_dir} - arg="-b --all=${vendor_modules_dir}/modules.load" ;; - "*" | "" | "vendor *" | "vendor") - modules_dir=${vendor_modules_dir} - arg="--all=${vendor_modules_dir}/modules.load" ;; - esac - if [[ -d "${modules_dir}" ]]; then - modprobe -a -d "${modules_dir}" $arg - fi - ;; - "wait") wait_for_file $arg ;; - esac - done < $cfg_file -fi diff --git a/insmod/Android.bp b/insmod/Android.bp index 143e777..eed35ec 100644 --- a/insmod/Android.bp +++ b/insmod/Android.bp @@ -2,6 +2,13 @@ package { default_applicable_licenses: ["Android-Apache-2.0"], } +sh_binary { + name: "insmod.sh", + src: "insmod.sh", + init_rc: ["init.module.rc"], + vendor: true, +} + prebuilt_etc { name: "init.common.cfg", src: "init.common.cfg", 
diff --git a/insmod/16k/init.module.rc b/insmod/init.module.rc
similarity index 100%
rename from insmod/16k/init.module.rc
rename to insmod/init.module.rc
diff --git a/insmod/insmod.mk b/insmod/insmod.mk
index 0d8da9e..aa2261a 100644
--- a/insmod/insmod.mk
+++ b/insmod/insmod.mk
@@ -1,9 +1,3 @@
-ifeq (true,$(PRODUCT_16K_DEVELOPER_OPTION))
-PRODUCT_SOONG_NAMESPACES += device/google/gs-common/insmod/16k
-else
-PRODUCT_SOONG_NAMESPACES += device/google/gs-common/insmod/4k
-endif
-
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy
 PRODUCT_PACKAGES += \
 insmod.sh \