Merge "Allowed Camera hal to access EdgeTPU service for on-device compilation." into sc-dev am: a802ac3b05

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/13889939

Change-Id: Iff962bcb9446a4a48123dc0ff435ffd56a115079

tracking_denials/edgetpu_server.te

@@ -1,9 +0,0 @@
-# b/182706078
-dontaudit edgetpu_server tmpfs:file { getattr };
-dontaudit edgetpu_server tmpfs:file { getattr };
-dontaudit edgetpu_server tmpfs:file { map };
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server hal_camera_default:fd { use };
-dontaudit edgetpu_server hal_camera_default:fd { use };
-dontaudit edgetpu_server tmpfs:file { read write };
-dontaudit edgetpu_server tmpfs:file { map };

whitechapel/vendor/google/edgetpu_service.te

@@ -30,3 +30,7 @@ allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
 # Allow EdgeTPU service to access the Package Manager service.
 allow edgetpu_server package_native_service:service_manager find;
 binder_call(edgetpu_server, system_server);
+
+# Allow EdgeTPU service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_server hal_camera_default:fd use;

whitechapel/vendor/google/hal_camera_default.te

@@ -13,6 +13,13 @@ allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
 allow hal_camera_default sysfs_edgetpu:file r_file_perms;
 allow hal_camera_default sysfs_chip_id:file r_file_perms;
 
+# Allow the camera hal to access the EdgeTPU service and the
+# Android shared memory allocated by the EdgeTPU service for
+# on-device compilation.
+allow hal_camera_default edgetpu_server:fd use;
+allow hal_camera_default edgetpu_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_server)
+
 allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default persist_file:dir search;
 allow hal_camera_default persist_camera_file:dir search;