From 0ea3b6ccd1c7b2b8dd330101f58bd310c56663eb Mon Sep 17 00:00:00 2001
From: feiyuchen <feiyuchen@google.com>
Date: Sun, 5 May 2024 23:09:21 +0000
Subject: [PATCH] Allow edgetpu_tachyon_service to call mlock()

Tachyon AIDL service is the new Darwinn runtime v3. It needs mlock capability to support the GenAI effort, allowing file backed large models to be mlocked, satisfying the memory accounting on Android, similar to what we just did for edgetpu_app_service ag/26481028

Bug: 337949682
Test: On-device tested that tachyon service can now lock large memories.
Change-Id: I02e4d87adf8a459e88e35f7b965d65b2840adce5
---
 edgetpu/sepolicy/edgetpu_tachyon_service.te | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/edgetpu/sepolicy/edgetpu_tachyon_service.te b/edgetpu/sepolicy/edgetpu_tachyon_service.te
index 5ead23b..da34353 100644
--- a/edgetpu/sepolicy/edgetpu_tachyon_service.te
+++ b/edgetpu/sepolicy/edgetpu_tachyon_service.te
@@ -49,3 +49,14 @@ get_prop(edgetpu_tachyon_server, vendor_edgetpu_runtime_prop)
 get_prop(edgetpu_tachyon_server, vendor_hetero_runtime_prop)
 # Allow Tachyon service to read EdgeTPU CPU scheduler properties
 get_prop(edgetpu_tachyon_server, vendor_edgetpu_cpu_scheduler_prop)
+
+# Allow mlock without size restriction
+allow edgetpu_tachyon_server self:capability ipc_lock;
+
+# Need to effectively read file mapped file when mmap + mlocked.
+allow edgetpu_tachyon_server privapp_data_file:file { map read};
+
+# For shell level testing of mlock
+userdebug_or_eng(`
+    allow edgetpu_tachyon_server shell_data_file:file { map read};
+')