Merge "organize EdgeTPU modules and sepolicy" into sc-dev am: 22fae537b5 am: 8879662f92

Original change: https://googleplex-android-review.googlesource.com/c/device/google/gs101-sepolicy/+/14911633

Change-Id: I8a7ba2a9bf58b81631cc2e699180147e9515f9dd

edgetpu/device.te

@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;

edgetpu/edgetpu_app_service.te

@@ -9,9 +9,6 @@ binder_use(edgetpu_app_server);
 # The server will serve a binder service.
 binder_service(edgetpu_app_server);
 
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
 # EdgeTPU server to register the service to service_manager.
 add_service(edgetpu_app_server, edgetpu_app_service);
 

edgetpu/file.te

@@ -0,0 +1,9 @@
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
+

edgetpu/file_contexts

@@ -0,0 +1,25 @@
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos                      u:object_r:edgetpu_device:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU runtime libraries
+/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/edgetpu(/.*)?                              u:object_r:edgetpu_vendor_service_data_file:s0
+/data/vendor/hal_neuralnetworks_darwinn(/.*)?           u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
+

edgetpu/genfs_contexts

@@ -0,0 +1,4 @@
+# EdgeTPU
+genfscon sysfs /devices/platform/1ce00000.abrolhos                              u:object_r:sysfs_edgetpu:s0
+genfscon sysfs /devices/platform/abrolhos                                       u:object_r:sysfs_edgetpu:s0
+

edgetpu/property.te

@@ -0,0 +1,4 @@
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
+

edgetpu/property_contexts

@@ -0,0 +1,3 @@
+# for EdgeTPU
+vendor.edgetpu.service.                         u:object_r:vendor_edgetpu_service_prop:s0
+

edgetpu/service.te

@@ -0,0 +1,5 @@
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
+
+type edgetpu_vendor_service, service_manager_type, vendor_service;
+type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;

edgetpu/service_contexts

@@ -0,0 +1,7 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default              u:object_r:edgetpu_app_service:s0
+com.google.edgetpu.IEdgeTpuVendorService/default           u:object_r:edgetpu_vendor_service:s0
+
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu	   u:object_r:edgetpu_nnapi_service:s0
+

edgetpu/untrusted_app_all.te

@@ -0,0 +1,7 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+

edgetpu/vendor_init.te

@@ -0,0 +1 @@
+set_prop(vendor_init, vendor_edgetpu_service_prop)

tracking_denials/hal_neuralnetworks_darwinn.te

@@ -1,14 +0,0 @@
-# b/182524105
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-# b/183935302
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };

whitechapel/vendor/google/device.te

@@ -21,9 +21,6 @@ type tui_device, dev_type;
 # usbpd
 type logbuffer_device, dev_type;
 
-# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
-
 #cpuctl
 type cpuctl_device, dev_type;
 

whitechapel/vendor/google/file.te

@@ -134,15 +134,6 @@ type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 type sysfs_camera, sysfs_type, fs_type;
 
-# EdgeTPU hal data file
-type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
-
-# EdgeTPU vendor service data file
-type edgetpu_vendor_service_data_file, file_type, data_file_type;
-
-# EdgeTPU sysfs
-type sysfs_edgetpu, sysfs_type, fs_type;
-
 # Vendor sched files
 type sysfs_vendor_sched, sysfs_type, fs_type;
 userdebug_or_eng(`

whitechapel/vendor/google/file_contexts

@@ -344,9 +344,6 @@
 # AoC file contexts.
 /vendor/bin/aocd   u:object_r:aocd_exec:s0
 
-# NeuralNetworks file contexts
-/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
-
 # GRIL
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service                 u:object_r:hal_radioext_default_exec:s0
 
@@ -363,28 +360,6 @@
 # Citadel StrongBox
 /dev/gsc0                                                                   u:object_r:citadel_device:s0
 
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos                      u:object_r:edgetpu_device:s0
-
-# EdgeTPU logging service
-/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
-
-# EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU vendor service
-/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU runtime libraries
-/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU data files
-/data/vendor/edgetpu(/.*)?                              u:object_r:edgetpu_vendor_service_data_file:s0
-/data/vendor/hal_neuralnetworks_darwinn(/.*)?           u:object_r:hal_neuralnetworks_darwinn_data_file:s0
-
 # Tetheroffload Service
 /dev/dit2                      u:object_r:vendor_toe_device:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service     u:object_r:hal_tetheroffload_default_exec:s0

whitechapel/vendor/google/genfs_contexts

@@ -109,10 +109,6 @@ genfscon proc  /fts/driver_test
 genfscon proc  /fts_ext/driver_test                                             u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp                                         u:object_r:sysfs_touch:s0
 
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos                              u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos                                       u:object_r:sysfs_edgetpu:s0
-
 # Vendor sched files
 genfscon sysfs /kernel/vendor_sched                                            u:object_r:sysfs_vendor_sched:s0
 genfscon proc  /vendor_sched                                                   u:object_r:proc_vendor_sched:s0

whitechapel/vendor/google/property.te

@@ -27,10 +27,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_gps_prop)
 
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
 # Battery defender
 vendor_internal_prop(vendor_battery_defender_prop)
 

whitechapel/vendor/google/property_contexts

@@ -90,9 +90,6 @@ vendor.camera.fatp.                  u:object_r:vendor_camera_fatp_prop:s0
 # for gps
 vendor.gps                   u:object_r:vendor_gps_prop:s0
 
-# for EdgeTPU
-vendor.edgetpu.service.                         u:object_r:vendor_edgetpu_service_prop:s0
-
 # SecureElement
 persist.vendor.se.                              u:object_r:vendor_secure_element_prop:s0
 

whitechapel/vendor/google/service.te

@@ -2,5 +2,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;

whitechapel/vendor/google/service_contexts

@@ -1,10 +1,3 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default              u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default           u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu	   u:object_r:edgetpu_nnapi_service:s0
-
 com.google.hardware.pixel.display.IDisplay/default         u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default              u:object_r:touch_context_service:s0
 uwb_vendor                                                 u:object_r:uwb_vendor_service:s0

whitechapel/vendor/google/untrusted_app_all.te

@@ -1,10 +1,3 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
 # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
 # for secure video playback
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;

whitechapel/vendor/google/vendor_init.te

@@ -10,7 +10,6 @@ set_prop(vendor_init, vendor_rcs_prop)
 set_prop(vendor_init, vendor_ssrdump_prop)
 set_prop(vendor_init, vendor_ro_config_default_prop)
 get_prop(vendor_init, vendor_touchpanel_prop)
-set_prop(vendor_init, vendor_edgetpu_service_prop)
 set_prop(vendor_init, vendor_tcpdump_log_prop)
 set_prop(vendor_init, vendor_thermal_prop)