From 84b32a700f578e8a59def6b24745070e261bdde4 Mon Sep 17 00:00:00 2001 From: Adam Shih Date: Tue, 8 Nov 2022 13:15:28 +0800 Subject: [PATCH] move edgetpu to gs-common Bug: 258114806 Test: build pass Change-Id: Ie576f6511dc60db59bc44567ff0a929506224203 --- edgetpu/device.te | 2 - edgetpu/edgetpu_app_service.te | 38 ------------- edgetpu/edgetpu_logging.te | 15 ------ edgetpu/edgetpu_vendor_service.te | 31 ----------- edgetpu/file.te | 9 ---- edgetpu/file_contexts | 30 ----------- edgetpu/genfs_contexts | 4 -- edgetpu/hal_neuralnetworks_darwinn.te | 53 ------------------- edgetpu/priv_app.te | 15 ------ edgetpu/property.te | 4 -- edgetpu/property_contexts | 3 -- edgetpu/service.te | 6 --- edgetpu/service_contexts | 9 ---- edgetpu/untrusted_app_all.te | 7 --- edgetpu/vendor_init.te | 1 - .../vendor/google}/edgetpu_dba_service.te | 0 whitechapel/vendor/google/file_contexts | 7 +++ whitechapel/vendor/google/genfs_contexts | 4 ++ whitechapel/vendor/google/priv_app.te | 5 ++ whitechapel/vendor/google/service.te | 1 + whitechapel/vendor/google/service_contexts | 3 ++ 21 files changed, 20 insertions(+), 227 deletions(-) delete mode 100644 edgetpu/device.te delete mode 100644 edgetpu/edgetpu_app_service.te delete mode 100644 edgetpu/edgetpu_logging.te delete mode 100644 edgetpu/edgetpu_vendor_service.te delete mode 100644 edgetpu/file.te delete mode 100644 edgetpu/file_contexts delete mode 100644 edgetpu/genfs_contexts delete mode 100644 edgetpu/hal_neuralnetworks_darwinn.te delete mode 100644 edgetpu/priv_app.te delete mode 100644 edgetpu/property.te delete mode 100644 edgetpu/property_contexts delete mode 100644 edgetpu/service.te delete mode 100644 edgetpu/service_contexts delete mode 100644 edgetpu/untrusted_app_all.te delete mode 100644 edgetpu/vendor_init.te rename {edgetpu => whitechapel/vendor/google}/edgetpu_dba_service.te (100%) create mode 100644 whitechapel/vendor/google/priv_app.te 
diff --git a/edgetpu/device.te b/edgetpu/device.te
deleted file mode 100644
index 9296ba50..00000000
--- a/edgetpu/device.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
diff --git a/edgetpu/edgetpu_app_service.te b/edgetpu/edgetpu_app_service.te
deleted file mode 100644
index 58ce2464..00000000
--- a/edgetpu/edgetpu_app_service.te
+++ /dev/null
@@ -1,38 +0,0 @@
-# EdgeTPU app server process which runs the EdgeTPU binder service.
-type edgetpu_app_server, coredomain, domain;
-type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_app_server)
-
-# The server will use binder calls.
-binder_use(edgetpu_app_server);
-
-# The server will serve a binder service.
-binder_service(edgetpu_app_server);
-
-# EdgeTPU server to register the service to service_manager.
-add_service(edgetpu_app_server, edgetpu_app_service);
-
-# EdgeTPU service needs to access /dev/abrolhos.
-allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
-allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
-allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
-
-# Applications are not allowed to open the EdgeTPU device directly.
-neverallow appdomain edgetpu_device:chr_file { open };
-
-# Allow EdgeTPU service to access the Package Manager service.
-allow edgetpu_app_server package_native_service:service_manager find;
-binder_call(edgetpu_app_server, system_server);
-
-# Allow EdgeTPU service to read EdgeTPU service related system properties.
-get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
-
-# Allow EdgeTPU service to generate Perfetto traces.
-perfetto_producer(edgetpu_app_server);
-
-# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
-allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
-binder_call(edgetpu_app_server, edgetpu_vendor_server);
-
-# Allow EdgeTPU service to log to stats service. (metrics)
-allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/edgetpu/edgetpu_logging.te b/edgetpu/edgetpu_logging.te
deleted file mode 100644
index 8c2f0dc7..00000000
--- a/edgetpu/edgetpu_logging.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type edgetpu_logging, domain;
-type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_logging)
-
-# The logging service accesses /dev/abrolhos
-allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
-
-# Allows the logging service to access /sys/class/edgetpu
-allow edgetpu_logging sysfs_edgetpu:dir search;
-allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
-
-# Allow TPU logging service to log to stats service. (metrics)
-allow edgetpu_logging fwk_stats_service:service_manager find;
-binder_call(edgetpu_logging, system_server);
-binder_use(edgetpu_logging)
diff --git a/edgetpu/edgetpu_vendor_service.te b/edgetpu/edgetpu_vendor_service.te
deleted file mode 100644
index 10605107..00000000
--- a/edgetpu/edgetpu_vendor_service.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# EdgeTPU vendor service.
-type edgetpu_vendor_server, domain;
-type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_vendor_server)
-
-# The vendor service will use binder calls.
-binder_use(edgetpu_vendor_server);
-
-# The vendor service will serve a binder service.
-binder_service(edgetpu_vendor_server);
-
-# EdgeTPU vendor service to register the service to service_manager.
-add_service(edgetpu_vendor_server, edgetpu_vendor_service);
-
-# Allow communications between other vendor services.
-allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
-
-# Allow EdgeTPU vendor service to access its data files.
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
-
-# Allow EdgeTPU vendor service to access Android shared memory allocated
-# by the camera hal for on-device compilation.
-allow edgetpu_vendor_server hal_camera_default:fd use;
-
-# Allow EdgeTPU vendor service to read the kernel version.
-# This is done inside the InitGoogle.
-allow edgetpu_vendor_server proc_version:file r_file_perms;
-
-# Allow EdgeTPU vendor service to read the overcommit_memory info.
-allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms;
diff --git a/edgetpu/file.te b/edgetpu/file.te
deleted file mode 100644
index 2482dbf3..00000000
--- a/edgetpu/file.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# EdgeTPU sysfs
-type sysfs_edgetpu, sysfs_type, fs_type;
-
-# EdgeTPU hal data file
-type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
-
-# EdgeTPU vendor service data file
-type edgetpu_vendor_service_data_file, file_type, data_file_type;
-
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
deleted file mode 100644
index 62002307..00000000
--- a/edgetpu/file_contexts
+++ /dev/null
@@ -1,30 +0,0 @@
-# EdgeTPU logging service
-/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
-
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos u:object_r:edgetpu_device:s0
-
-# EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU vendor service
-/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU runtime libraries
-/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU data files
-/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
-/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
-
-# NeuralNetworks file contexts
-/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
-
-# EdgeTPU metrics logging service.
-/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU DBA service
-/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
deleted file mode 100644
index 345d2990..00000000
--- a/edgetpu/genfs_contexts
+++ /dev/null
@@ -1,4 +0,0 @@
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
-
diff --git a/edgetpu/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index f301a729..00000000
--- a/edgetpu/hal_neuralnetworks_darwinn.te
+++ /dev/null
@@ -1,53 +0,0 @@
-type hal_neuralnetworks_darwinn, domain;
-hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
-
-type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_neuralnetworks_darwinn)
-
-# The TPU HAL looks for TPU instance in /dev/abrolhos
-allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
-
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
-allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
-
-# Allow DarwiNN service to access data files.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
-
-# Allow DarwiNN service to access unix sockets for IPC.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
-
-# Register to hwbinder service.
-# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
-hwbinder_use(hal_neuralnetworks_darwinn)
-get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
-
-# Allow TPU HAL to read the kernel version.
-# This is done inside the InitGoogle.
-allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
-
-# Allow TPU NNAPI HAL to log to stats service. (metrics)
-allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, system_server);
-binder_use(hal_neuralnetworks_darwinn)
-
-# Allow TPU NNAPI HAL to request power hints from the Power Service
-hal_client_domain(hal_neuralnetworks_darwinn, hal_power)
-
-# TPU NNAPI to register the service to service_manager.
-add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
-
-# Allow TPU NNAPI HAL to read the overcommit_memory info.
-allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
-
-# Allows the logging service to access /sys/class/edgetpu
-allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
-allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
-
-# Allows the NNAPI HAL to access the edgetpu_app_service
-allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
-
-# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled
-# under userdebug builds.
-userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)')
diff --git a/edgetpu/priv_app.te b/edgetpu/priv_app.te
deleted file mode 100644
index 63f76b8a..00000000
--- a/edgetpu/priv_app.te
+++ /dev/null
@@ -1,15 +0,0 @@
-# Allows privileged applications to discover the EdgeTPU service.
-allow priv_app edgetpu_app_service:service_manager find;
-
-# Allows privileged applications to discover the NNAPI TPU service.
-allow priv_app edgetpu_nnapi_service:service_manager find;
-
-# Allows privileged applications to access the EdgeTPU device, except open,
-# which is guarded by the EdgeTPU service.
-allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
-
-# Allows privileged applications to access the PowerHAL.
-hal_client_domain(priv_app, hal_power)
-
-# Allows privileged applications to discover the EdgeTPU DBA service.
-allow priv_app edgetpu_dba_service:service_manager find;
diff --git a/edgetpu/property.te b/edgetpu/property.te
deleted file mode 100644
index ed93d448..00000000
--- a/edgetpu/property.te
+++ /dev/null
@@ -1,4 +0,0 @@
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
diff --git a/edgetpu/property_contexts b/edgetpu/property_contexts
deleted file mode 100644
index 130cfefe..00000000
--- a/edgetpu/property_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-# for EdgeTPU
-vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
-
diff --git a/edgetpu/service.te b/edgetpu/service.te
deleted file mode 100644
index 08658685..00000000
--- a/edgetpu/service.te
+++ /dev/null
@@ -1,6 +0,0 @@
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
-type edgetpu_vendor_service, service_manager_type, hal_service_type;
-type edgetpu_nnapi_service, app_api_service, service_manager_type;
-type edgetpu_dba_service, app_api_service, service_manager_type;
diff --git a/edgetpu/service_contexts b/edgetpu/service_contexts
deleted file mode 100644
index 23a0fab8..00000000
--- a/edgetpu/service_contexts
+++ /dev/null
@@ -1,9 +0,0 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
-
-# EdgeTPU DBA Service
-com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0
diff --git a/edgetpu/untrusted_app_all.te b/edgetpu/untrusted_app_all.te
deleted file mode 100644
index 9abec616..00000000
--- a/edgetpu/untrusted_app_all.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
diff --git a/edgetpu/vendor_init.te b/edgetpu/vendor_init.te
deleted file mode 100644
index aec79583..00000000
--- a/edgetpu/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(vendor_init, vendor_edgetpu_service_prop)
diff --git a/edgetpu/edgetpu_dba_service.te b/whitechapel/vendor/google/edgetpu_dba_service.te
similarity index 100%
rename from edgetpu/edgetpu_dba_service.te
rename to whitechapel/vendor/google/edgetpu_dba_service.te
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 5a9738a0..ca85bf7f 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -27,6 +27,10 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel u:object_r:hal_memtrack_default_exec:s0
+
+# EdgeTPU DBA service
+/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0
+
 # Wireless charger HAL
 /(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor u:object_r:hal_wlc_exec:s0
 
@@ -113,6 +117,9 @@
 /dev/umts_dm0 u:object_r:radio_device:s0
 /dev/umts_router u:object_r:radio_device:s0
 
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos u:object_r:edgetpu_device:s0
+
 # OEM IPC device
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
 
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 12571aa4..ad4b887b 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
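Review bot: The `/dev/abrolhos u:object_r:edgetpu_device:s0` entry in the second hunk labels the device node with a type whose declaration (`type edgetpu_device, dev_type, mlstrustedobject;` in edgetpu/device.te) this same commit deletes, so the label now only resolves if the gs-common policy referenced in the subject declares it; the same applies to `sysfs_edgetpu` in the genfs_contexts hunk and, presumably via the renamed edgetpu_dba_service.te, to `edgetpu_dba_server_exec`. The `neverallow appdomain edgetpu_device:chr_file { open };` assertion that sat beside the deleted declaration is not re-added in this repo, so the build-time guard that the deleted comments describe ("except open, which is guarded by the EdgeTPU service") now exists only if gs-common carries it, which this diff cannot show — worth confirming before merge, since without it a later vendor rule granting `open` would no longer fail the build. In the first hunk the path `com\.google\.edgetpu.dba-service` leaves the dot before `dba` unescaped, so it is a regex wildcard rather than a literal; `com\.google\.edgetpu\.dba-service` would match the escaping used by the neighbouring entries (the same spelling is in the deleted edgetpu/file_contexts, so this is carried over rather than new).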
@@ -17,6 +17,10 @@ genfscon sysfs /devices/platform/19000000.aoc/control/memory_exception u:ob
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/19000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
 
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
+genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
+
 # WiFi
 genfscon sysfs /wifi u:object_r:sysfs_wifi:s0
 # Battery
diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te
new file mode 100644
index 00000000..9d2aa14d
--- /dev/null
+++ b/whitechapel/vendor/google/priv_app.te
@@ -0,0 +1,5 @@
+# Allows privileged applications to access the PowerHAL.
+hal_client_domain(priv_app, hal_power)
+
+# Allows privileged applications to discover the EdgeTPU DBA service.
+allow priv_app edgetpu_dba_service:service_manager find;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index b87c99e1..7d105d49 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -1,2 +1,3 @@
 type hal_pixel_display_service, service_manager_type, hal_service_type;
 type hal_uwb_vendor_service, service_manager_type, hal_service_type;
+type edgetpu_dba_service, app_api_service, service_manager_type;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 25108867..d00c633e 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,3 +1,6 @@
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0
 android.hardware.drm.IDrmFactory/widevine u:object_r:hal_drm_service:s0
+
+# EdgeTPU DBA Service
+com.google.edgetpu.dba.IDevice/default u:object_r:edgetpu_dba_service:s0
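Review bot: The comment on the first line of the new priv_app.te, `# Allows privileged applications to access the PowerHAL.`, restates the macro but not which component needs it, and `hal_client_domain(priv_app, hal_power)` is a device-wide grant to every priv_app rather than to an EdgeTPU-specific domain; a comment of the form `# Needed by <EdgeTPU component> (b/<bug>) — remove when that client no longer requires hal_power.` would record the owner so the grant can be audited and retired later. The deleted edgetpu/priv_app.te carried the same rule under a block of EdgeTPU-only rules, which suggests the dependency is EdgeTPU-related, but the reason is not visible in this diff. The last line, `allow priv_app edgetpu_dba_service:service_manager find;`, looks redundant with the `app_api_service` attribute the service.te hunk gives to `edgetpu_dba_service`, since platform policy presumably already allows app domains to find `app_api_service` types; if that holds, either the explicit rule or the attribute should go, or a comment should say why both are kept.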