Merge "Configure Edge TPU DBA HAL sepolicy."

edgetpu/edgetpu_dba_service.te

@@ -0,0 +1,38 @@
+# EdgeTPU DBA service.
+type edgetpu_dba_server, domain;
+type edgetpu_dba_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_dba_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_dba_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_dba_server);
+
+# EdgeTPU DBA service to register the service to service_manager.
+add_service(edgetpu_dba_server, edgetpu_dba_service);
+
+# Allow EdgeTPU DBA service to look for TPU instance in /dev/edgetpu or /dev/edgetpu-soc.
+allow edgetpu_dba_server edgetpu_device:chr_file rw_file_perms;
+
+# Allow EdgeTPU DBA service to request power hints from the Power Service.
+hal_client_domain(edgetpu_dba_server, hal_power)
+
+# Allow EdgeTPU DBA service to access hardware buffers and ION memory.
+allow edgetpu_dba_server hal_allocator:fd use;
+allow edgetpu_dba_server hal_graphics_mapper_hwservice:hwservice_manager find;
+allow edgetpu_dba_server hal_graphics_allocator:fd use;
+allow edgetpu_dba_server gpu_device:chr_file rw_file_perms;
+allow edgetpu_dba_server gpu_device:dir r_dir_perms;
+allow edgetpu_dba_server ion_device:chr_file r_file_perms;
+
+# Allow EdgeTPU DBA service to read the overcommit_memory info.
+allow edgetpu_dba_server proc_overcommit_memory:file r_file_perms;
+
+# Allow EdgeTPU DBA service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_dba_server proc_version:file r_file_perms;
+
+# Allow EdgeTPU DBA service to send trace packets to Perfetto with SELinux enabled
+# under userdebug builds.
+userdebug_or_eng(`perfetto_producer(edgetpu_dba_server)')

edgetpu/file_contexts

@@ -25,3 +25,8 @@
 
 # EdgeTPU metrics logging service.
 /vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU DBA service
+/vendor/bin/hw/com\.google\.edgetpu.dba-service u:object_r:edgetpu_dba_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu.dba-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_dba_hal\.so u:object_r:same_process_hal_file:s0

edgetpu/priv_app.te

@@ -10,3 +10,6 @@ allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
 
 # Allows privileged applications to access the PowerHAL.
 hal_client_domain(priv_app, hal_power)
+
+# Allows privileged applications to discover the EdgeTPU DBA service.
+allow priv_app edgetpu_dba_service:service_manager find;

edgetpu/service.te

@@ -3,3 +3,4 @@ type edgetpu_app_service, service_manager_type;
 
 type edgetpu_vendor_service, service_manager_type, hal_service_type;
 type edgetpu_nnapi_service, app_api_service, service_manager_type;
+type edgetpu_dba_service, app_api_service, service_manager_type;

edgetpu/service_contexts

@@ -5,3 +5,5 @@ com.google.edgetpu.IEdgeTpuVendorService/default           u:object_r:edgetpu_ve
 # TPU NNAPI Service
 android.hardware.neuralnetworks.IDevice/google-edgetpu	   u:object_r:edgetpu_nnapi_service:s0
 
+# EdgeTPU DBA Service
+com.google.edgetpu.dba.IDevice/default                     u:object_r:edgetpu_dba_service:s0