Merge "Renamed edgetpu_service to edgetpu_app_service." into sc-dev

tracking_denials/edgetpu_server.te

@@ -1,10 +0,0 @@
-# b/183055762
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server tmpfs:file { map };
-dontaudit edgetpu_server tmpfs:file { getattr };
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server tmpfs:file { map };
-dontaudit edgetpu_server tmpfs:file { getattr };
-# b/183935416
-dontaudit edgetpu_server proc_version:file { read };
-dontaudit edgetpu_server proc_version:file { read };

whitechapel/vendor/google/edgetpu_app_service.te

@@ -0,0 +1,41 @@
+# EdgeTPU app server process which runs the EdgeTPU binder service.
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_app_server)
+
+# The server will use binder calls.
+binder_use(edgetpu_app_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_app_server);
+
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_app_server, edgetpu_app_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service to access the Package Manager service.
+allow edgetpu_app_server package_native_service:service_manager find;
+binder_call(edgetpu_app_server, system_server);
+
+# Allow EdgeTPU service to read EdgeTPU service related system properties.
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
+
+# Allow EdgeTPU service to generate Perfetto traces.
+perfetto_producer(edgetpu_app_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_app_server, edgetpu_vendor_server);
+
+# Allow EdgeTPU service to log to stats service. (metrics)
+allow edgetpu_app_server fwk_stats_service:service_manager find;

whitechapel/vendor/google/edgetpu_service.te

@@ -1,41 +0,0 @@
-# EdgeTPU server process which runs the EdgeTPU binder service.
-type edgetpu_server, coredomain, domain;
-type edgetpu_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_server)
-
-# The server will use binder calls.
-binder_use(edgetpu_server);
-
-# The server will serve a binder service.
-binder_service(edgetpu_server);
-
-# EdgeTPU binder service type declaration.
-type edgetpu_service, service_manager_type;
-
-# EdgeTPU server to register the service to service_manager.
-add_service(edgetpu_server, edgetpu_service);
-
-# EdgeTPU service needs to access /dev/abrolhos.
-allow edgetpu_server edgetpu_device:chr_file rw_file_perms;
-allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
-allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
-
-# Applications are not allowed to open the EdgeTPU device directly.
-neverallow appdomain edgetpu_device:chr_file { open };
-
-# Allow EdgeTPU service to access the Package Manager service.
-allow edgetpu_server package_native_service:service_manager find;
-binder_call(edgetpu_server, system_server);
-
-# Allow EdgeTPU service to read EdgeTPU service related system properties.
-get_prop(edgetpu_server, vendor_edgetpu_service_prop);
-
-# Allow EdgeTPU service to generate Perfetto traces.
-perfetto_producer(edgetpu_server);
-
-# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
-allow edgetpu_server edgetpu_vendor_service:service_manager find;
-binder_call(edgetpu_server, edgetpu_vendor_server);
-
-# Allow EdgeTPU service to log to stats service. (metrics)
-allow edgetpu_server fwk_stats_service:service_manager find;

whitechapel/vendor/google/file_contexts

@@ -371,8 +371,8 @@
 /vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
 
 # EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
 
 # EdgeTPU vendor service

whitechapel/vendor/google/priv_app.te

@@ -1,5 +1,5 @@
 # Allows privileged applications to discover the EdgeTPU service.
-allow priv_app edgetpu_service:service_manager find;
+allow priv_app edgetpu_app_service:service_manager find;
 
 # Allows privileged applications to discover the NNAPI TPU service.
 allow priv_app edgetpu_nnapi_service:service_manager find;

whitechapel/vendor/google/service_contexts

@@ -1,5 +1,5 @@
 # EdgeTPU service
-com.google.edgetpu.IEdgeTpuService/default                 u:object_r:edgetpu_service:s0
+com.google.edgetpu.IEdgeTpuAppService/default              u:object_r:edgetpu_app_service:s0
 com.google.edgetpu.IEdgeTpuVendorService/default           u:object_r:edgetpu_vendor_service:s0
 
 # TPU NNAPI Service

whitechapel/vendor/google/untrusted_app_all.te

@@ -1,5 +1,5 @@
 # Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_service:service_manager find;
+allow untrusted_app_all edgetpu_app_service:service_manager find;
 
 # Allows applications to access the EdgeTPU device, except open, which is guarded
 # by the EdgeTPU service.