Merge "Added the SELinux rule for the EdgeTPU vendor service." into sc-dev am: 7eef8643a3

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/14299125

Change-Id: Ia605bdd86e266c6487d591ddc30d64101365e929

whitechapel/vendor/google/edgetpu_service.te

@@ -1,7 +1,7 @@
 # EdgeTPU server process which runs the EdgeTPU binder service.
 type edgetpu_server, coredomain, domain;
 type edgetpu_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_server, edgetpu_server_exec)
+init_daemon_domain(edgetpu_server)
 
 # The server will use binder calls.
 binder_use(edgetpu_server);
@@ -23,24 +23,16 @@ allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
 # Applications are not allowed to open the EdgeTPU device directly.
 neverallow appdomain edgetpu_device:chr_file { open };
 
-# Allow EdgeTPU service access to its data files.
-allow edgetpu_server edgetpu_service_data_file:file create_file_perms;
-allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
-
 # Allow EdgeTPU service to access the Package Manager service.
 allow edgetpu_server package_native_service:service_manager find;
 binder_call(edgetpu_server, system_server);
 
-# Allow EdgeTPU service to access Android shared memory allocated
-# by the camera hal for on-device compilation.
-allow edgetpu_server hal_camera_default:fd use;
-
-# Allow EdgeTPU service to read the kernel version.
-# This is done inside the InitGoogle.
-allow edgetpu_server proc_version:file r_file_perms;
-
 # Allow EdgeTPU service to read EdgeTPU service related system properties.
 get_prop(edgetpu_server, vendor_edgetpu_service_prop);
 
 # Allow EdgeTPU service to generate Perfetto traces.
 perfetto_producer(edgetpu_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_server, edgetpu_vendor_server);

whitechapel/vendor/google/edgetpu_vendor_service.te

@@ -0,0 +1,28 @@
+# EdgeTPU vendor service.
+type edgetpu_vendor_server, domain;
+type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_vendor_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_vendor_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_vendor_server);
+
+# EdgeTPU vendor service to register the service to service_manager.
+add_service(edgetpu_vendor_server, edgetpu_vendor_service);
+
+# Allow communications between other vendor services.
+allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
+
+# Allow EdgeTPU vendor service to access its data files.
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
+
+# Allow EdgeTPU vendor service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_vendor_server hal_camera_default:fd use;
+
+# Allow EdgeTPU vendor service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_vendor_server proc_version:file r_file_perms;

whitechapel/vendor/google/file.te

@@ -131,11 +131,13 @@ type persist_camera_file, file_type;
 type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 
-# EdgeTPU device (DarwiNN)
+# EdgeTPU hal data file
 type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
 
-# EdgeTPU
+# EdgeTPU vendor service data file
-type edgetpu_service_data_file, file_type, data_file_type, core_data_file_type;
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
+
+# EdgeTPU sysfs
 type sysfs_edgetpu, sysfs_type, fs_type;
 
 # Vendor sched files

whitechapel/vendor/google/file_contexts

@@ -361,17 +361,21 @@
 # EdgeTPU logging service
 /vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
 
-# EdgeTPU service binary and libraries
+# EdgeTPU service binaries and libraries
 /system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0
 /vendor/lib64/com\.google\.edgetpu-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
 
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+
 # EdgeTPU runtime libraries
 /vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
 
 # EdgeTPU data files
-/data/edgetpu(/.*)?                                                         u:object_r:edgetpu_service_data_file:s0
+/data/vendor/edgetpu(/.*)?                              u:object_r:edgetpu_vendor_service_data_file:s0
 /data/vendor/hal_neuralnetworks_darwinn(/.*)?           u:object_r:hal_neuralnetworks_darwinn_data_file:s0
 
 # Tetheroffload Service

whitechapel/vendor/google/hal_camera_default.te

@@ -20,9 +20,8 @@ allow hal_camera_default tee_device:chr_file rw_file_perms;
 allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
 allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
 allow hal_camera_default sysfs_edgetpu:file r_file_perms;
-allow hal_camera_default edgetpu_server:fd use;
+allow hal_camera_default edgetpu_vendor_service:service_manager find;
-allow hal_camera_default edgetpu_service:service_manager find;
+binder_call(hal_camera_default, edgetpu_vendor_server)
-binder_call(hal_camera_default, edgetpu_server)
 
 # Allow access to data files used by the camera HAL
 allow hal_camera_default mnt_vendor_file:dir search;

whitechapel/vendor/google/service.te

@@ -2,3 +2,4 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
+type edgetpu_vendor_service, service_manager_type, vendor_service;

whitechapel/vendor/google/service_contexts

@@ -1,5 +1,7 @@
 # EdgeTPU service
 com.google.edgetpu.IEdgeTpuService/default                 u:object_r:edgetpu_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default           u:object_r:edgetpu_vendor_service:s0
+
 com.google.hardware.pixel.display.IDisplay/default         u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default              u:object_r:touch_context_service:s0
 uwb_vendor                                                 u:object_r:uwb_vendor_service:s0