From e7ed46c52cbbc6ddc482dfd2b8009a1c03544733 Mon Sep 17 00:00:00 2001 
From: Adam Shih
Date: Wed, 9 Jun 2021 10:37:14 +0800
Subject: [PATCH] organize EdgeTPU modules and sepolicy
Bug: 190331327
Bug: 190331548
Bug: 189895600
Bug: 190331108
Bug: 182524105
Bug: 183935302
Test: build ROM and check if the modules and sepolicy are still there
Change-Id: I40391a239a16c4fe79d58fab209dcbd1a8f25ede
---
edgetpu/device.te | 2 ++
.../google => edgetpu}/edgetpu_app_service.te | 3 ---
.../google => edgetpu}/edgetpu_logging.te | 0
.../edgetpu_vendor_service.te | 0
edgetpu/file.te | 9 +++++++
edgetpu/file_contexts | 25 +++++++++++++++++++
edgetpu/genfs_contexts | 4 +++
.../hal_neuralnetworks_darwinn.te | 0
.../vendor/google => edgetpu}/priv_app.te | 0
edgetpu/property.te | 4 +++
edgetpu/property_contexts | 3 +++
edgetpu/service.te | 5 ++++
edgetpu/service_contexts | 7 ++++++
edgetpu/untrusted_app_all.te | 7 ++++++
edgetpu/vendor_init.te | 1 +
.../hal_neuralnetworks_darwinn.te | 14 ----------
whitechapel/vendor/google/device.te | 3 ---
whitechapel/vendor/google/file.te | 9 -------
whitechapel/vendor/google/file_contexts | 25 -------------------
whitechapel/vendor/google/genfs_contexts | 4 ---
whitechapel/vendor/google/property.te | 4 ---
whitechapel/vendor/google/property_contexts | 3 ---
whitechapel/vendor/google/service.te | 2 --
whitechapel/vendor/google/service_contexts | 7 ------
.../vendor/google/untrusted_app_all.te | 7 ------
whitechapel/vendor/google/vendor_init.te | 1 -
26 files changed, 67 insertions(+), 82 deletions(-)
create mode 100644 edgetpu/device.te
rename {whitechapel/vendor/google => edgetpu}/edgetpu_app_service.te (94%)
rename {whitechapel/vendor/google => edgetpu}/edgetpu_logging.te (100%)
rename {whitechapel/vendor/google => edgetpu}/edgetpu_vendor_service.te (100%)
create mode 100644 edgetpu/file.te
create mode 100644 edgetpu/file_contexts
create mode 100644 edgetpu/genfs_contexts
rename {whitechapel/vendor/google => edgetpu}/hal_neuralnetworks_darwinn.te (100%)
rename {whitechapel/vendor/google => edgetpu}/priv_app.te (100%)
create mode 100644 edgetpu/property.te
create mode 100644 edgetpu/property_contexts
create mode 100644 edgetpu/service.te
create mode 100644 edgetpu/service_contexts
create mode 100644 edgetpu/untrusted_app_all.te
create mode 100644 edgetpu/vendor_init.te
delete mode 100644 tracking_denials/hal_neuralnetworks_darwinn.te
diff --git a/edgetpu/device.te b/edgetpu/device.te
new file mode 100644
index 00000000..9296ba50
--- /dev/null
+++ b/edgetpu/device.te
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/edgetpu/edgetpu_app_service.te
similarity index 94%
rename from whitechapel/vendor/google/edgetpu_app_service.te
rename to edgetpu/edgetpu_app_service.te
index ffecdd1f..58ce2464 100644
--- a/whitechapel/vendor/google/edgetpu_app_service.te
+++ b/edgetpu/edgetpu_app_service.te
@@ -9,9 +9,6 @@ binder_use(edgetpu_app_server);
 # The server will serve a binder service.
 binder_service(edgetpu_app_server);
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
 # EdgeTPU server to register the service to service_manager.
 add_service(edgetpu_app_server, edgetpu_app_service);
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/edgetpu/edgetpu_logging.te
similarity index 100%
rename from whitechapel/vendor/google/edgetpu_logging.te
rename to edgetpu/edgetpu_logging.te
diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/edgetpu/edgetpu_vendor_service.te
similarity index 100%
rename from whitechapel/vendor/google/edgetpu_vendor_service.te
rename to edgetpu/edgetpu_vendor_service.te
diff --git a/edgetpu/file.te b/edgetpu/file.te
new file mode 100644
index 00000000..2482dbf3
--- /dev/null
+++ b/edgetpu/file.te
@@ -0,0 +1,9 @@
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
+
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..e0439c40
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,25 @@
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos u:object_r:edgetpu_device:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU runtime libraries
+/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
+/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
diff --git a/edgetpu/genfs_contexts b/edgetpu/genfs_contexts
new file mode 100644
index 00000000..345d2990
--- /dev/null
+++ b/edgetpu/genfs_contexts
@@ -0,0 +1,4 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
+genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
+
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/edgetpu/hal_neuralnetworks_darwinn.te
similarity index 100%
rename from whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
rename to edgetpu/hal_neuralnetworks_darwinn.te
diff --git a/whitechapel/vendor/google/priv_app.te b/edgetpu/priv_app.te
similarity index 100%
rename from whitechapel/vendor/google/priv_app.te
rename to edgetpu/priv_app.te
diff --git a/edgetpu/property.te b/edgetpu/property.te
new file mode 100644
index 00000000..ed93d448
--- /dev/null
+++ b/edgetpu/property.te
@@ -0,0 +1,4 @@
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
+
diff --git a/edgetpu/property_contexts b/edgetpu/property_contexts
new file mode 100644
index 00000000..130cfefe
--- /dev/null
+++ b/edgetpu/property_contexts
@@ -0,0 +1,3 @@
+# for EdgeTPU
+vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
+
diff --git a/edgetpu/service.te b/edgetpu/service.te
new file mode 100644
index 00000000..46bee033
--- /dev/null
+++ b/edgetpu/service.te
@@ -0,0 +1,5 @@
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+type edgetpu_vendor_service, service_manager_type, vendor_service;
+type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/edgetpu/service_contexts b/edgetpu/service_contexts
new file mode 100644
index 00000000..76fe43da
--- /dev/null
+++ b/edgetpu/service_contexts
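Review bot: In the new edgetpu/service.te the header comment covers only `edgetpu_app_service`, and nothing records why it is the one type declared without `vendor_service` while `edgetpu_vendor_service` and `edgetpu_nnapi_service` carry it, nor that `app_api_service` on `edgetpu_nnapi_service` makes the NNAPI device findable by every app domain. The `/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service` entry in file_contexts and the property.te comment suggest the app server is a system_ext process, which would explain the missing attribute, but that reasoning lives in other files. A comment on each line, e.g. `# Served from /system_ext, so deliberately not a vendor_service.` and `# app_api_service: the NNAPI IDevice is discoverable by all apps.`, would stop a later cleanup from "fixing" the asymmetry. Please confirm the system_ext rationale against the service's init rc before committing it to a comment.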
@@ -0,0 +1,7 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
+
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
+
diff --git a/edgetpu/untrusted_app_all.te b/edgetpu/untrusted_app_all.te
new file mode 100644
index 00000000..9abec616
--- /dev/null
+++ b/edgetpu/untrusted_app_all.te
@@ -0,0 +1,7 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
diff --git a/edgetpu/vendor_init.te b/edgetpu/vendor_init.te
new file mode 100644
index 00000000..aec79583
--- /dev/null
+++ b/edgetpu/vendor_init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_edgetpu_service_prop)
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index 54fa8a2f..00000000
--- a/tracking_denials/hal_neuralnetworks_darwinn.te
+++ /dev/null
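Review bot: The `ioctl` permission in the last allow rule of edgetpu/untrusted_app_all.te is unrestricted, so once an app holds a descriptor to `/dev/abrolhos` every ioctl command the driver implements is reachable from the untrusted_app_all domain, not only the ones the client library needs; guarding `open` in the EdgeTPU service, as the comment describes, does not narrow that. Add an extended-permission rule next to it, `allowxperm untrusted_app_all edgetpu_device:chr_file ioctl { <client command numbers> };`, so that driver commands intended only for the vendor service or the NNAPI HAL are not exposed to app processes. The command set is not visible in this patch and would have to be taken from the driver's UAPI header and the ioctls libedgetpu_client actually issues. The rule is moved verbatim from whitechapel/vendor/google/untrusted_app_all.te, so this applies to the pre-existing policy as much as to the reorganization.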
@@ -1,14 +0,0 @@
-# b/182524105
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-# b/183935302
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 63bd3191..68a73c6f 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -21,9 +21,6 @@ type tui_device, dev_type;
 # usbpd
 type logbuffer_device, dev_type;
-# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
-
 #cpuctl
 type cpuctl_device, dev_type;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 412f03d0..3518beaa 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -133,15 +133,6 @@ type persist_camera_file, file_type;
 type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
-# EdgeTPU hal data file
-type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
-
-# EdgeTPU vendor service data file
-type edgetpu_vendor_service_data_file, file_type, data_file_type;
-
-# EdgeTPU sysfs
-type sysfs_edgetpu, sysfs_type, fs_type;
-
 # Vendor sched files
 type sysfs_vendor_sched, sysfs_type, fs_type;
 userdebug_or_eng(`
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 45d9d762..d04d3abe 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -344,9 +344,6 @@
 # AoC file contexts.
 /vendor/bin/aocd u:object_r:aocd_exec:s0
-# NeuralNetworks file contexts
-/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
-
 # GRIL
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
@@ -363,28 +360,6 @@
 # Citadel StrongBox
 /dev/gsc0 u:object_r:citadel_device:s0
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos u:object_r:edgetpu_device:s0
-
-# EdgeTPU logging service
-/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
-
-# EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU vendor service
-/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU runtime libraries
-/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU data files
-/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
-/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
-
 # Tetheroffload Service
 /dev/dit2 u:object_r:vendor_toe_device:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 3a31a33a..f384ae6a 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -109,10 +109,6 @@ genfscon proc /fts/driver_test
 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
-
 # Vendor sched files
 genfscon sysfs /kernel/vendor_sched u:object_r:sysfs_vendor_sched:s0
 genfscon proc /vendor_sched u:object_r:proc_vendor_sched:s0
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index f540c88a..9454c2eb 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -27,10 +27,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_gps_prop)
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
 # Battery defender
 vendor_internal_prop(vendor_battery_defender_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 61497257..94d4065f 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -90,9 +90,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
 # for gps
 vendor.gps u:object_r:vendor_gps_prop:s0
-# for EdgeTPU
-vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
-
 # SecureElement
 persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index c47e63f9..99e99483 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -2,5 +2,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 4e005ec4..687f8cc8 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,10 +1,3 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
-
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index cd7fb41a..a4d8beb8 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -1,10 +1,3 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
 # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
 # for secure video playback
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index 5a86aded..8e3e369c 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -10,7 +10,6 @@ set_prop(vendor_init, vendor_rcs_prop)
 set_prop(vendor_init, vendor_ssrdump_prop)
 set_prop(vendor_init, vendor_ro_config_default_prop)
 get_prop(vendor_init, vendor_touchpanel_prop)
-set_prop(vendor_init, vendor_edgetpu_service_prop)
 set_prop(vendor_init, vendor_tcpdump_log_prop)
 set_prop(vendor_init, vendor_thermal_prop)