diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..7b5d25ab
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
index 54fa8a2f..e69de29b 100644
--- a/tracking_denials/hal_neuralnetworks_darwinn.te
+++ b/tracking_denials/hal_neuralnetworks_darwinn.te
@@ -1,14 +0,0 @@
-# b/182524105
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-# b/183935302
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 5c6a2d88..039c242b 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -21,9 +21,6 @@ type tui_device, dev_type;
 # usbpd
 type logbuffer_device, dev_type;
 
-# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
-
 #cpuctl
 type cpuctl_device, dev_type;
 
diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/whitechapel/vendor/google/edgetpu_app_service.te
deleted file mode 100644
index ffecdd1f..00000000
--- a/whitechapel/vendor/google/edgetpu_app_service.te
+++ /dev/null
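Review bot: The new `/dev/janeiro u:object_r:edgetpu_device:s0` entry references `edgetpu_device`, but the only declaration of that type visible in this commit (`type edgetpu_device, dev_type, mlstrustedobject;` in device.te) is deleted by the same change, so unless the `edgetpu/` directory now carries its own declaration the label will not pass checkfc; please confirm where the type is declared after this change. If it is redeclared there, the old type carried `mlstrustedobject`, presumably so the removed `untrusted_app_all ... edgetpu_device:chr_file` rule could cross MLS levels; with that allow rule gone the attribute should be dropped unless another MLS-constrained domain still needs the device. The `neverallow appdomain edgetpu_device:chr_file { open };` guard that lived in edgetpu_app_service.te is also removed without a visible replacement, and it is worth carrying into the new policy so the device node stays closed to apps regardless of how the `edgetpu/` rules evolve. A one-line pointer in the new file_contexts, e.g. `# type edgetpu_device is declared in <edgetpu policy file>`, would make the cross-directory dependency visible to the next reader.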
@@ -1,41 +0,0 @@
-# EdgeTPU app server process which runs the EdgeTPU binder service.
-type edgetpu_app_server, coredomain, domain;
-type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_app_server)
-
-# The server will use binder calls.
-binder_use(edgetpu_app_server);
-
-# The server will serve a binder service.
-binder_service(edgetpu_app_server);
-
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
-# EdgeTPU server to register the service to service_manager.
-add_service(edgetpu_app_server, edgetpu_app_service);
-
-# EdgeTPU service needs to access /dev/abrolhos.
-allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
-allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
-allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
-
-# Applications are not allowed to open the EdgeTPU device directly.
-neverallow appdomain edgetpu_device:chr_file { open };
-
-# Allow EdgeTPU service to access the Package Manager service.
-allow edgetpu_app_server package_native_service:service_manager find;
-binder_call(edgetpu_app_server, system_server);
-
-# Allow EdgeTPU service to read EdgeTPU service related system properties.
-get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
-
-# Allow EdgeTPU service to generate Perfetto traces.
-perfetto_producer(edgetpu_app_server);
-
-# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
-allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
-binder_call(edgetpu_app_server, edgetpu_vendor_server);
-
-# Allow EdgeTPU service to log to stats service. (metrics)
-allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te
deleted file mode 100644
index 8c2f0dc7..00000000
--- a/whitechapel/vendor/google/edgetpu_logging.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type edgetpu_logging, domain;
-type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_logging)
-
-# The logging service accesses /dev/abrolhos
-allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
-
-# Allows the logging service to access /sys/class/edgetpu
-allow edgetpu_logging sysfs_edgetpu:dir search;
-allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
-
-# Allow TPU logging service to log to stats service. (metrics)
-allow edgetpu_logging fwk_stats_service:service_manager find;
-binder_call(edgetpu_logging, system_server);
-binder_use(edgetpu_logging)
diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/whitechapel/vendor/google/edgetpu_vendor_service.te
deleted file mode 100644
index 538c47b9..00000000
--- a/whitechapel/vendor/google/edgetpu_vendor_service.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# EdgeTPU vendor service.
-type edgetpu_vendor_server, domain;
-type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_vendor_server)
-
-# The vendor service will use binder calls.
-binder_use(edgetpu_vendor_server);
-
-# The vendor service will serve a binder service.
-binder_service(edgetpu_vendor_server);
-
-# EdgeTPU vendor service to register the service to service_manager.
-add_service(edgetpu_vendor_server, edgetpu_vendor_service);
-
-# Allow communications between other vendor services.
-allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
-
-# Allow EdgeTPU vendor service to access its data files.
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
-
-# Allow EdgeTPU vendor service to access Android shared memory allocated
-# by the camera hal for on-device compilation.
-allow edgetpu_vendor_server hal_camera_default:fd use;
-
-# Allow EdgeTPU vendor service to read the kernel version.
-# This is done inside the InitGoogle.
-allow edgetpu_vendor_server proc_version:file r_file_perms;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 5fd7861e..91b134de 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -134,15 +134,6 @@ type persist_camera_file, file_type;
 type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 
-# EdgeTPU hal data file
-type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
-
-# EdgeTPU vendor service data file
-type edgetpu_vendor_service_data_file, file_type, data_file_type;
-
-# EdgeTPU sysfs
-type sysfs_edgetpu, sysfs_type, fs_type;
-
 # Vendor sched files
 type sysfs_vendor_sched, sysfs_type, fs_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 58f4a691..be07af8d 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -345,8 +345,6 @@
 
 # NeuralNetworks file contexts
 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
-/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0
-/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
 
 # GRIL
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
@@ -364,29 +362,6 @@
 # Citadel StrongBox
 /dev/gsc0 u:object_r:citadel_device:s0
 
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos u:object_r:edgetpu_device:s0
-
-# EdgeTPU logging service
-/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
-
-# EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU vendor service
-/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU runtime libraries
-/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU data files
-/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
-/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
-
 # Tetheroffload Service
 /dev/dit2 u:object_r:vendor_toe_device:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 0ef7b23f..531b9747 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -108,10 +108,6 @@ genfscon proc /fts/driver_test
 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
-
 # Vendor sched files
 genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
 genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index 88a24db9..00000000
--- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
+++ /dev/null
@@ -1,35 +0,0 @@
-type hal_neuralnetworks_darwinn, domain;
-hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
-
-type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_neuralnetworks_darwinn)
-
-# The TPU HAL looks for TPU instance in /dev/abrolhos
-allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
-
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
-allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
-
-# Allow DarwiNN service to access data files.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
-
-# Allow DarwiNN service to access unix sockets for IPC.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
-
-# Register to hwbinder service.
-# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
-hwbinder_use(hal_neuralnetworks_darwinn)
-get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
-
-# Allow TPU HAL to read the kernel version.
-# This is done inside the InitGoogle.
-allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
-
-# Allow TPU NNAPI HAL to log to stats service. (metrics)
-allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, system_server);
-binder_use(hal_neuralnetworks_darwinn)
-
-# TPU NNAPI to register the service to service_manager.
-add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index f1e377f0..5f0c7062 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -26,10 +26,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_gps_prop)
 
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
 # Battery defender
 vendor_internal_prop(vendor_battery_defender_prop)
 
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 61497257..94d4065f 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -90,9 +90,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
 # for gps
 vendor.gps u:object_r:vendor_gps_prop:s0
 
-# for EdgeTPU
-vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
-
 # SecureElement
 persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
 
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index c47e63f9..99e99483 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -2,5 +2,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 4e005ec4..687f8cc8 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,10 +1,3 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
-
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index cd7fb41a..a4d8beb8 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -1,10 +1,3 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
 # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
 # for secure video playback
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index dedeaa7e..2759e77c 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -9,7 +9,6 @@ set_prop(vendor_init, vendor_ims_prop)
 set_prop(vendor_init, vendor_ssrdump_prop)
 set_prop(vendor_init, vendor_ro_config_default_prop)
 get_prop(vendor_init, vendor_touchpanel_prop)
-set_prop(vendor_init, vendor_edgetpu_service_prop)
 set_prop(vendor_init, vendor_tcpdump_log_prop)
 set_prop(vendor_init, vendor_thermal_prop)