From 86aa1562026aa3e7030d26ef474fb5122b3dbd7a Mon Sep 17 00:00:00 2001
From: Yu-Chi Cheng
Date: Tue, 16 Mar 2021 11:53:12 -0700
Subject: [PATCH] Allowed Camera hal to access EdgeTPU service for on-device compilation.
Camera hal DarwiNN pipelines are switching to use the on-device compilation, which achieves by talking to the EdgeTPU service. This change added the required selinux policies to allow accessing the service, as well as allowing file descriptors to be shared between them for passing the compilation info around.
Bug: 182423730
Bug: 182706078
Test: verified on Oriole running camera.
Change-Id: I5d3bc84fd54d4618f505f37d9773894261061d7f
---
 tracking_denials/edgetpu_server.te | 9 ---------
 whitechapel/vendor/google/edgetpu_service.te | 4 ++++
 whitechapel/vendor/google/hal_camera_default.te | 7 +++++++
 3 files changed, 11 insertions(+), 9 deletions(-)
 delete mode 100644 tracking_denials/edgetpu_server.te
diff --git a/tracking_denials/edgetpu_server.te b/tracking_denials/edgetpu_server.te
deleted file mode 100644
index 61a19774..00000000
--- a/tracking_denials/edgetpu_server.te
+++ /dev/null
@@ -1,9 +0,0 @@
-# b/182706078
-dontaudit edgetpu_server tmpfs:file { getattr };
-dontaudit edgetpu_server tmpfs:file { getattr };
-dontaudit edgetpu_server tmpfs:file { map };
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server hal_camera_default:fd { use };
-dontaudit edgetpu_server hal_camera_default:fd { use };
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server tmpfs:file { map };
diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te
index b6789cff..a30400ad 100644
--- a/whitechapel/vendor/google/edgetpu_service.te
+++ b/whitechapel/vendor/google/edgetpu_service.te
@@ -30,3 +30,7 @@ allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
 # Allow EdgeTPU service to access the Package Manager service.
 allow edgetpu_server package_native_service:service_manager find;
 binder_call(edgetpu_server, system_server);
+
+# Allow EdgeTPU service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_server hal_camera_default:fd use;
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te
index 0de87854..9938de38 100644
--- a/whitechapel/vendor/google/hal_camera_default.te
+++ b/whitechapel/vendor/google/hal_camera_default.te
@@ -13,6 +13,13 @@
 allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
 allow hal_camera_default sysfs_edgetpu:file r_file_perms;
 allow hal_camera_default sysfs_chip_id:file r_file_perms;
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_server:fd use;
+allow hal_camera_default edgetpu_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_server)
+
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;
 allow hal_camera_default persist_camera_file:dir search;
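Review bot: `allow edgetpu_server hal_camera_default:fd use;` lets edgetpu_server hold a descriptor received from the camera hal, but it grants no getattr, read, write or map permission on the object behind it; the deleted tracking_denials/edgetpu_server.te listed `edgetpu_server tmpfs:file { getattr map read write }` denials next to the fd use, and this patch removes that dontaudit without adding an allow for them. Unless an equivalent tmpfs:file rule already exists outside the diff, those denials will be audited again and mapping the camera hal's shared memory may fail rather than merely be logged. The file-class rule belongs beside this line, against whatever type the camera hal's ashmem regions actually carry (confirm from the audit log rather than copying `tmpfs` blindly), e.g. `allow edgetpu_server <TMPFS_TYPE_PLACEHOLDER>:file { getattr map read write };`. The comment should also say what this single rule does and does not grant, e.g. `# fd use alone does not permit I/O or mmap on the region; that comes from the file-class rule on its label.`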
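Review bot: `binder_call(hal_camera_default, edgetpu_server)` is written without the trailing `;` that the neighbouring `binder_call(edgetpu_server, system_server);` in edgetpu_service.te carries; the existing `;` form in that file suggests both spellings compile in this tree, but sibling files should not mix conventions, so I would write `binder_call(hal_camera_default, edgetpu_server);` here. If this tree's `binder_call` macro matches AOSP's te_macros, it already expands to `allow $1 $2:fd use;`, which would make the explicit `allow hal_camera_default edgetpu_server:fd use;` on the line above redundant — worth checking the macro and dropping the duplicate if so. Note also that `fd use` only lets the camera hal hold the descriptor; read, write and map on the shared-memory object come from file-class rules on its label, which this hunk does not add, so the comment "access ... the Android shared memory" overstates what is granted and should be narrowed to the descriptor and the service lookup. The file continues past the hunk, so a file-class rule may exist further down; if it does, a cross-reference in this comment would help the next reader.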