From 02ccab0539f53e26f2a1d7675314da4cf0891b74 Mon Sep 17 00:00:00 2001
From: Richard Hsu
Date: Tue, 15 Jun 2021 12:05:13 -0700
Subject: [PATCH] [Bringup] Update SEPolicy for TPU (Janeiro) for PRO.

Reuse the same SEPolicy for edgetpu gs101 for gs201.
1. gs101 sepolicy has been refactored into an edgetpu directory, which is meant to be reused. We only need to match the gs201 side to mirror that. This CL references Adam's ag/14911633.
2. In a separete CL, add /dev/janeiro into the common gs101 sepolicy.
Bug: 191185522
Test: run_tflite_test_odc passes. https://paste.googleplex.com/5466657955774464
Change-Id: Idd9e47a3c8da70f9dd4696cb7db7d4439e9897d6
---
edgetpu/file_contexts | 2 +
.../hal_neuralnetworks_darwinn.te | 14 -------
whitechapel/vendor/google/device.te | 3 --
.../vendor/google/edgetpu_app_service.te | 41 ------------------
whitechapel/vendor/google/edgetpu_logging.te | 15 -------
.../vendor/google/edgetpu_vendor_service.te | 28 ------------
whitechapel/vendor/google/file.te | 9 ----
whitechapel/vendor/google/file_contexts | 25 -----------
whitechapel/vendor/google/genfs_contexts | 4 --
.../google/hal_neuralnetworks_darwinn.te | 35 ----------------
whitechapel/vendor/google/property.te | 4 --
whitechapel/vendor/google/property_contexts | 3 --
whitechapel/vendor/google/service.te | 2 -
whitechapel/vendor/google/service_contexts | 7 ----
.../vendor/google/untrusted_app_all.te | 7 ----
whitechapel/vendor/google/vendor_init.te | 1 -
16 files changed, 2 insertions(+), 198 deletions(-)
create mode 100644 edgetpu/file_contexts
delete mode 100644 whitechapel/vendor/google/edgetpu_app_service.te
delete mode 100644 whitechapel/vendor/google/edgetpu_logging.te
delete mode 100644 whitechapel/vendor/google/edgetpu_vendor_service.te
delete mode 100644 whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
diff --git a/edgetpu/file_contexts b/edgetpu/file_contexts
new file mode 100644
index 00000000..7b5d25ab
--- /dev/null
+++ b/edgetpu/file_contexts
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+/dev/janeiro u:object_r:edgetpu_device:s0
diff --git a/tracking_denials/hal_neuralnetworks_darwinn.te b/tracking_denials/hal_neuralnetworks_darwinn.te
index 54fa8a2f..e69de29b 100644
--- a/tracking_denials/hal_neuralnetworks_darwinn.te
+++ b/tracking_denials/hal_neuralnetworks_darwinn.te
@@ -1,14 +0,0 @@
-# b/182524105
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { write };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { open };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { map };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-dontaudit hal_neuralnetworks_darwinn tmpfs:file { read };
-# b/183935302
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
-dontaudit hal_neuralnetworks_darwinn proc_version:file { read };
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 5c6a2d88..039c242b 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -21,9 +21,6 @@ type tui_device, dev_type;
 # usbpd
 type logbuffer_device, dev_type;
 
-# EdgeTPU device (DarwiNN)
-type edgetpu_device, dev_type, mlstrustedobject;
-
 #cpuctl
 type cpuctl_device, dev_type;
 
diff --git a/whitechapel/vendor/google/edgetpu_app_service.te b/whitechapel/vendor/google/edgetpu_app_service.te
deleted file mode 100644
index ffecdd1f..00000000
--- a/whitechapel/vendor/google/edgetpu_app_service.te
+++ /dev/null
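Review bot: The label `u:object_r:edgetpu_device:s0` that this new file puts on `/dev/janeiro` has no declaration left in this tree, because the same patch removes `type edgetpu_device, dev_type, mlstrustedobject;` from whitechapel/vendor/google/device.te and the `neverallow appdomain edgetpu_device:chr_file { open };` from edgetpu_app_service.te. Both the policy build and the guarantee that apps cannot open the TPU device directly now rest on the shared gs101 edgetpu directory the description refers to, which is not part of this change; please confirm that directory declares the type with the same attributes and still carries that neverallow, since untrusted_app_all previously held `{ getattr read write ioctl map }` on this device with only `open` gated by the service. A pointer in the new file would help the next reader, e.g. `# edgetpu_device is declared in the shared edgetpu policy (gs101), not in this tree.`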
@@ -1,41 +0,0 @@
-# EdgeTPU app server process which runs the EdgeTPU binder service.
-type edgetpu_app_server, coredomain, domain;
-type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
-init_daemon_domain(edgetpu_app_server)
-
-# The server will use binder calls.
-binder_use(edgetpu_app_server);
-
-# The server will serve a binder service.
-binder_service(edgetpu_app_server);
-
-# EdgeTPU binder service type declaration.
-type edgetpu_app_service, service_manager_type;
-
-# EdgeTPU server to register the service to service_manager.
-add_service(edgetpu_app_server, edgetpu_app_service);
-
-# EdgeTPU service needs to access /dev/abrolhos.
-allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
-allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
-allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
-
-# Applications are not allowed to open the EdgeTPU device directly.
-neverallow appdomain edgetpu_device:chr_file { open };
-
-# Allow EdgeTPU service to access the Package Manager service.
-allow edgetpu_app_server package_native_service:service_manager find;
-binder_call(edgetpu_app_server, system_server);
-
-# Allow EdgeTPU service to read EdgeTPU service related system properties.
-get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
-
-# Allow EdgeTPU service to generate Perfetto traces.
-perfetto_producer(edgetpu_app_server);
-
-# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
-allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
-binder_call(edgetpu_app_server, edgetpu_vendor_server);
-
-# Allow EdgeTPU service to log to stats service. (metrics)
-allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te
deleted file mode 100644
index 8c2f0dc7..00000000
--- a/whitechapel/vendor/google/edgetpu_logging.te
+++ /dev/null
@@ -1,15 +0,0 @@
-type edgetpu_logging, domain;
-type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_logging)
-
-# The logging service accesses /dev/abrolhos
-allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
-
-# Allows the logging service to access /sys/class/edgetpu
-allow edgetpu_logging sysfs_edgetpu:dir search;
-allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
-
-# Allow TPU logging service to log to stats service. (metrics)
-allow edgetpu_logging fwk_stats_service:service_manager find;
-binder_call(edgetpu_logging, system_server);
-binder_use(edgetpu_logging)
diff --git a/whitechapel/vendor/google/edgetpu_vendor_service.te b/whitechapel/vendor/google/edgetpu_vendor_service.te
deleted file mode 100644
index 538c47b9..00000000
--- a/whitechapel/vendor/google/edgetpu_vendor_service.te
+++ /dev/null
@@ -1,28 +0,0 @@
-# EdgeTPU vendor service.
-type edgetpu_vendor_server, domain;
-type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(edgetpu_vendor_server)
-
-# The vendor service will use binder calls.
-binder_use(edgetpu_vendor_server);
-
-# The vendor service will serve a binder service.
-binder_service(edgetpu_vendor_server);
-
-# EdgeTPU vendor service to register the service to service_manager.
-add_service(edgetpu_vendor_server, edgetpu_vendor_service);
-
-# Allow communications between other vendor services.
-allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
-
-# Allow EdgeTPU vendor service to access its data files.
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
-allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
-
-# Allow EdgeTPU vendor service to access Android shared memory allocated
-# by the camera hal for on-device compilation.
-allow edgetpu_vendor_server hal_camera_default:fd use;
-
-# Allow EdgeTPU vendor service to read the kernel version.
-# This is done inside the InitGoogle.
-allow edgetpu_vendor_server proc_version:file r_file_perms;
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
index 5fd7861e..91b134de 100644
--- a/whitechapel/vendor/google/file.te
+++ b/whitechapel/vendor/google/file.te
@@ -134,15 +134,6 @@ type persist_camera_file, file_type;
 type vendor_camera_tuning_file, vendor_file_type, file_type;
 type vendor_camera_data_file, file_type, data_file_type;
 
-# EdgeTPU hal data file
-type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
-
-# EdgeTPU vendor service data file
-type edgetpu_vendor_service_data_file, file_type, data_file_type;
-
-# EdgeTPU sysfs
-type sysfs_edgetpu, sysfs_type, fs_type;
-
 # Vendor sched files
 type sysfs_vendor_sched, sysfs_type, fs_type;
 
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 58f4a691..be07af8d 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -345,8 +345,6 @@
 # NeuralNetworks file contexts
 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
-/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0
-/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
 
 # GRIL
 /vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0
 
@@ -364,29 +362,6 @@
 # Citadel StrongBox
 /dev/gsc0 u:object_r:citadel_device:s0
 
-# EdgeTPU device (DarwiNN)
-/dev/abrolhos u:object_r:edgetpu_device:s0
-
-# EdgeTPU logging service
-/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
-
-# EdgeTPU service binaries and libraries
-/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_app_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU vendor service
-/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
-/vendor/lib64/com\.google\.edgetpu_vendor_service-V1-ndk_platform\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU runtime libraries
-/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
-/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
-
-# EdgeTPU data files
-/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
-/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
-
 # Tetheroffload Service
 /dev/dit2 u:object_r:vendor_toe_device:s0
 /vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
index 0ef7b23f..531b9747 100644
--- a/whitechapel/vendor/google/genfs_contexts
+++ b/whitechapel/vendor/google/genfs_contexts
@@ -108,10 +108,6 @@ genfscon proc /fts/driver_test
 genfscon proc /fts_ext/driver_test u:object_r:proc_touch:s0
 genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0
 
-# EdgeTPU
-genfscon sysfs /devices/platform/1ce00000.abrolhos u:object_r:sysfs_edgetpu:s0
-genfscon sysfs /devices/platform/abrolhos u:object_r:sysfs_edgetpu:s0
-
 # Vendor sched files
 genfscon sysfs /kernel/vendor_sched/bg_prefer_high_cap u:object_r:sysfs_vendor_sched:s0
 genfscon sysfs /kernel/vendor_sched/bg_prefer_idle u:object_r:sysfs_vendor_sched:s0
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
deleted file mode 100644
index 88a24db9..00000000
--- a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
+++ /dev/null
@@ -1,35 +0,0 @@
-type hal_neuralnetworks_darwinn, domain;
-hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
-
-type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_neuralnetworks_darwinn)
-
-# The TPU HAL looks for TPU instance in /dev/abrolhos
-allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
-
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
-allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
-
-# Allow DarwiNN service to access data files.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
-
-# Allow DarwiNN service to access unix sockets for IPC.
-allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
-
-# Register to hwbinder service.
-# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
-hwbinder_use(hal_neuralnetworks_darwinn)
-get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
-
-# Allow TPU HAL to read the kernel version.
-# This is done inside the InitGoogle.
-allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
-
-# Allow TPU NNAPI HAL to log to stats service. (metrics)
-allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
-binder_call(hal_neuralnetworks_darwinn, system_server);
-binder_use(hal_neuralnetworks_darwinn)
-
-# TPU NNAPI to register the service to service_manager.
-add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index f1e377f0..5f0c7062 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -26,10 +26,6 @@ vendor_internal_prop(vendor_camera_debug_prop)
 vendor_internal_prop(vendor_camera_fatp_prop)
 vendor_internal_prop(vendor_gps_prop)
 
-# EdgeTPU service requires system public properties
-# since it lives under /system_ext/.
-system_public_prop(vendor_edgetpu_service_prop)
-
 # Battery defender
 vendor_internal_prop(vendor_battery_defender_prop)
 
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index 61497257..94d4065f 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -90,9 +90,6 @@ vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
 # for gps
 vendor.gps u:object_r:vendor_gps_prop:s0
 
-# for EdgeTPU
-vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
-
 # SecureElement
 persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
 
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
index c47e63f9..99e99483 100644
--- a/whitechapel/vendor/google/service.te
+++ b/whitechapel/vendor/google/service.te
@@ -2,5 +2,3 @@ type hal_pixel_display_service, service_manager_type, vendor_service;
 type uwb_vendor_service, service_manager_type, vendor_service;
 type touch_context_service, service_manager_type, vendor_service;
 type hal_uwb_service, service_manager_type, vendor_service;
-type edgetpu_vendor_service, service_manager_type, vendor_service;
-type edgetpu_nnapi_service, app_api_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
index 4e005ec4..687f8cc8 100644
--- a/whitechapel/vendor/google/service_contexts
+++ b/whitechapel/vendor/google/service_contexts
@@ -1,10 +1,3 @@
-# EdgeTPU service
-com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
-com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
-
-# TPU NNAPI Service
-android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
-
 com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
 com.google.input.ITouchContextService/default u:object_r:touch_context_service:s0
 uwb_vendor u:object_r:uwb_vendor_service:s0
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
index cd7fb41a..a4d8beb8 100644
--- a/whitechapel/vendor/google/untrusted_app_all.te
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -1,10 +1,3 @@
-# Allows applications to discover the EdgeTPU service.
-allow untrusted_app_all edgetpu_app_service:service_manager find;
-
-# Allows applications to access the EdgeTPU device, except open, which is guarded
-# by the EdgeTPU service.
-allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
-
 # Allows Exoplayer(and other applications) access to the vstream-secure DMA-BUF heap
 # for secure video playback
 allow untrusted_app_all dmabuf_system_secure_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index dedeaa7e..2759e77c 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -9,7 +9,6 @@ set_prop(vendor_init, vendor_ims_prop)
 set_prop(vendor_init, vendor_ssrdump_prop)
 set_prop(vendor_init, vendor_ro_config_default_prop)
 get_prop(vendor_init, vendor_touchpanel_prop)
-set_prop(vendor_init, vendor_edgetpu_service_prop)
 set_prop(vendor_init, vendor_tcpdump_log_prop)
 set_prop(vendor_init, vendor_thermal_prop)