# SELinux policy for edgetpu_server, the daemon that hosts the EdgeTPU binder
# service.

# ---------------------------------------------------------------------------
# Type declarations
# ---------------------------------------------------------------------------

# Domain of the server process.
type edgetpu_server, coredomain, domain;

# Label of the server executable.
type edgetpu_server_exec, exec_type, system_file_type, file_type;

# Label of the binder service published by the server.
type edgetpu_service, service_manager_type;

# ---------------------------------------------------------------------------
# Process start-up and binder plumbing
# ---------------------------------------------------------------------------

# Started by init: executing edgetpu_server_exec transitions into the
# edgetpu_server domain.
init_daemon_domain(edgetpu_server, edgetpu_server_exec)

# The server makes binder calls ...
binder_use(edgetpu_server);

# ... and serves a binder service of its own.
binder_service(edgetpu_server);

# Let the server register edgetpu_service with service_manager.
add_service(edgetpu_server, edgetpu_service);

# ---------------------------------------------------------------------------
# EdgeTPU device and sysfs access
# ---------------------------------------------------------------------------

# The service needs to access /dev/abrolhos.
# NOTE(review): the path-to-label mapping for edgetpu_device is not in this
# file -- confirm it in the matching file_contexts.
allow edgetpu_server edgetpu_device:chr_file rw_file_perms;

# NOTE(review): rw_file_perms grants write on every file labelled
# sysfs_edgetpu -- confirm which sysfs nodes carry that label.
allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
allow edgetpu_server sysfs_edgetpu:file rw_file_perms;

# Applications are not allowed to open the EdgeTPU device directly.
# This is a build-time assertion only: it adds no runtime rule, it covers
# only the `open` permission, and it constrains only domains in appdomain.
neverallow appdomain edgetpu_device:chr_file open;

# ---------------------------------------------------------------------------
# Service data files
# ---------------------------------------------------------------------------

# The service may create and modify its own data files.
allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
allow edgetpu_server edgetpu_service_data_file:file create_file_perms;

# ---------------------------------------------------------------------------
# Other services and processes
# ---------------------------------------------------------------------------

# Look up the Package Manager native service and call into system_server.
allow edgetpu_server package_native_service:service_manager find;
binder_call(edgetpu_server, system_server);

# Use Android shared memory allocated by the camera HAL for on-device
# compilation. fd:use covers only the descriptor received from
# hal_camera_default; access to the object behind it needs its own rules,
# which are not in this file.
allow edgetpu_server hal_camera_default:fd use;

# ---------------------------------------------------------------------------
# Read-only system information
# ---------------------------------------------------------------------------

# Read the kernel version (done inside InitGoogle).
allow edgetpu_server proc_version:file r_file_perms;

# Read the system properties related to the EdgeTPU service.
# NOTE(review): edgetpu_server is declared coredomain while the property type
# name suggests vendor ownership -- confirm where vendor_edgetpu_service_prop
# is declared.
get_prop(edgetpu_server, vendor_edgetpu_service_prop);