Evolution-X-Tensor/device_google_gs101
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added the SELinux rule for the EdgeTPU vendor service.

Browse source 
To comply with the GSI compliance test, this change
splits the compiler part of the edgetpu_service into a
separate edgetpu_vendor_service under vendor.

The edgetpu_service locates under /system_ext/ and used
to be connected by both applications and vendor clients.
With this change, vendor clients could talk to the vendor
part of this service directly without having to cross
the system and vendor boundary.

Applications will still talk to the system_ext one, which
will forward the requests to the vendor service.

Bug: 185432427
Test: tested on Oriole + GCA.
Change-Id: I1ee47946f1fc3694d5f8b5325c192d6bd720a76e
This commit is contained in:
Yu-Chi Cheng 2021-04-23 16:28:14 -07:00
parent 6a5cfd86f5
commit b844190a34
7 changed files with 49 additions and 21 deletions
Download patch file Download diff file Expand all files Collapse all files

18
whitechapel/vendor/google/edgetpu_service.te vendored
View file

@ -1,7 +1,7 @@
# EdgeTPU server process which runs the EdgeTPU binder service.
type edgetpu_server, coredomain, domain;
type edgetpu_server_exec, exec_type, system_file_type, file_type;
init_daemon_domain(edgetpu_server, edgetpu_server_exec)
init_daemon_domain(edgetpu_server)
# The server will use binder calls.
binder_use(edgetpu_server);
@ -23,24 +23,16 @@ allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
# Applications are not allowed to open the EdgeTPU device directly.
neverallow appdomain edgetpu_device:chr_file { open };
# Allow EdgeTPU service access to its data files.
allow edgetpu_server edgetpu_service_data_file:file create_file_perms;
allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
# Allow EdgeTPU service to access the Package Manager service.
allow edgetpu_server package_native_service:service_manager find;
binder_call(edgetpu_server, system_server);
# Allow EdgeTPU service to access Android shared memory allocated
# by the camera hal for on-device compilation.
allow edgetpu_server hal_camera_default:fd use;
# Allow EdgeTPU service to read the kernel version.
# This is done inside the InitGoogle.
allow edgetpu_server proc_version:file r_file_perms;
# Allow EdgeTPU service to read EdgeTPU service related system properties.
get_prop(edgetpu_server, vendor_edgetpu_service_prop);
# Allow EdgeTPU service to generate Perfetto traces.
perfetto_producer(edgetpu_server);
# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
allow edgetpu_server edgetpu_vendor_service:service_manager find;
binder_call(edgetpu_server, edgetpu_vendor_server);

28
whitechapel/vendor/google/edgetpu_vendor_service.te vendored Normal file
View file

@ -0,0 +1,28 @@
# EdgeTPU vendor service.
type edgetpu_vendor_server, domain;
type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
init_daemon_domain(edgetpu_vendor_server)
# The vendor service will use binder calls.
binder_use(edgetpu_vendor_server);
# The vendor service will serve a binder service.
binder_service(edgetpu_vendor_server);
# EdgeTPU vendor service to register the service to service_manager.
add_service(edgetpu_vendor_server, edgetpu_vendor_service);
# Allow communications between other vendor services.
allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
# Allow EdgeTPU vendor service to access its data files.
allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
# Allow EdgeTPU vendor service to access Android shared memory allocated
# by the camera hal for on-device compilation.
allow edgetpu_vendor_server hal_camera_default:fd use;
# Allow EdgeTPU vendor service to read the kernel version.
# This is done inside the InitGoogle.
allow edgetpu_vendor_server proc_version:file r_file_perms;

8
whitechapel/vendor/google/file.te vendored
View file

@ -131,11 +131,13 @@ type persist_camera_file, file_type;
type vendor_camera_tuning_file, vendor_file_type, file_type;
type vendor_camera_data_file, file_type, data_file_type;
# EdgeTPU device (DarwiNN)
# EdgeTPU hal data file
type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
# EdgeTPU
type edgetpu_service_data_file, file_type, data_file_type, core_data_file_type;
# EdgeTPU vendor service data file
type edgetpu_vendor_service_data_file, file_type, data_file_type;
# EdgeTPU sysfs
type sysfs_edgetpu, sysfs_type, fs_type;
# Vendor sched files

8
whitechapel/vendor/google/file_contexts vendored
View file

@ -361,17 +361,21 @@
# EdgeTPU logging service
/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
# EdgeTPU service binary and libraries
# EdgeTPU service binaries and libraries
/system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0
/vendor/lib64/com\.google\.edgetpu-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
# EdgeTPU vendor service
/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
# EdgeTPU runtime libraries
/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
# EdgeTPU data files
/data/edgetpu(/.*)? u:object_r:edgetpu_service_data_file:s0
/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
# Tetheroffload Service

5
whitechapel/vendor/google/hal_camera_default.te vendored
View file

@ -20,9 +20,8 @@ allow hal_camera_default tee_device:chr_file rw_file_perms;
allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
allow hal_camera_default sysfs_edgetpu:file r_file_perms;
allow hal_camera_default edgetpu_server:fd use;
allow hal_camera_default edgetpu_service:service_manager find;
binder_call(hal_camera_default, edgetpu_server)
allow hal_camera_default edgetpu_vendor_service:service_manager find;
binder_call(hal_camera_default, edgetpu_vendor_server)
# Allow access to data files used by the camera HAL
allow hal_camera_default mnt_vendor_file:dir search;

1
whitechapel/vendor/google/service.te vendored
View file

@ -2,3 +2,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
type uwb_vendor_service, service_manager_type, vendor_service;
type touch_context_service, service_manager_type, vendor_service;
type hal_uwb_service, service_manager_type, vendor_service;
type edgetpu_vendor_service, service_manager_type, vendor_service;

2
whitechapel/vendor/google/service_contexts vendored
View file

@ -1,5 +1,7 @@
# EdgeTPU service
com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0
com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
uwb_vendor u:object_r:uwb_vendor_service:s0