From 100dd2387d00dd2a9dc80d696d33b56805a4c966 Mon Sep 17 00:00:00 2001
From: Dinesh Yadav
Date: Mon, 29 May 2023 10:43:51 +0000
Subject: [PATCH] Add sepolicy for gxp_logging service to report metrics

[RESTRICT AUTOMERGE] gxp_logging service will periodically check the sysfs files exposed by the gxp kernel driver and report stats to Suez framework. These policies are needed to report the metrics.

Tested: Found no violation with these policies on a P23 device
Bug: 278514198
Change-Id: I8c3e57dfe4e9a6caab425f2424d07e83f5e7b9c6
Signed-off-by: Dinesh Yadav
---
 vendor/debug_camera_app.te   | 3 ++-
 vendor/file.te               | 3 +++
 vendor/genfs_contexts        | 3 +++
 vendor/google_camera_app.te  | 3 +++
 vendor/gxp_logging.te        | 12 ++++++++++++
 vendor/hal_camera_default.te | 1 +
 vendor/property.te           | 3 +++
 vendor/property_contexts     | 3 +++
 vendor/vendor_init.te        | 3 +++
 9 files changed, 33 insertions(+), 1 deletion(-)

diff --git a/vendor/debug_camera_app.te b/vendor/debug_camera_app.te
index c55f64e3..eb7ccde5 100644
--- a/vendor/debug_camera_app.te
+++ b/vendor/debug_camera_app.te
@@ -11,8 +11,9 @@ userdebug_or_eng(`
 allow debug_camera_app mediametrics_service:service_manager find;
 allow debug_camera_app mediaserver_service:service_manager find;
 
-# Allows GCA-Eng & GCA-Next access the GXP device.
+# Allows GCA-Eng & GCA-Next access the GXP device and properties.
 allow debug_camera_app gxp_device:chr_file rw_file_perms;
+get_prop(debug_camera_app, vendor_gxp_prop)
 
 # Allows GCA-Eng & GCA-Next to find and access the EdgeTPU.
 allow debug_camera_app edgetpu_app_service:service_manager find;
diff --git a/vendor/file.te b/vendor/file.te
index 9865c50a..98e5fd17 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -15,6 +15,9 @@ type sysfs_aoc_udfps, sysfs_type, fs_type;
 # Trusty
 type sysfs_trusty, sysfs_type, fs_type;
 
+# Gxp sysfs file
+type sysfs_gxp, sysfs_type, fs_type;
+
 # mount FS
 allow proc_vendor_sched proc:filesystem associate;
 allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index f651cfc7..3eeb6a4b 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -23,6 +23,9 @@ genfscon sysfs /devices/platform/cpupm/cpupm/cpd_cl2_target_residency
 # EdgeTPU
 genfscon sysfs /devices/platform/1a000000.rio u:object_r:sysfs_edgetpu:s0
 
+# Gxp
+genfscon sysfs /devices/platform/20c00000.callisto u:object_r:sysfs_gxp:s0
+
 # debugfs
 genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
 genfscon debugfs /max77729_pmic u:object_r:vendor_charger_debugfs:s0
diff --git a/vendor/google_camera_app.te b/vendor/google_camera_app.te
index cc918180..fd09abc2 100644
--- a/vendor/google_camera_app.te
+++ b/vendor/google_camera_app.te
@@ -12,6 +12,9 @@ allow google_camera_app mediaserver_service:service_manager find;
 
 # Allows GCA to acccess the GXP device.
 allow google_camera_app gxp_device:chr_file rw_file_perms;
 
+# Allow GCA to access the GXP properies.
+get_prop(google_camera_app, vendor_gxp_prop)
+
 # Allows GCA to access the PowerHAL.
 hal_client_domain(google_camera_app, hal_power)
diff --git a/vendor/gxp_logging.te b/vendor/gxp_logging.te
index 000138a6..fb78c538 100644
--- a/vendor/gxp_logging.te
+++ b/vendor/gxp_logging.te
@@ -5,6 +5,18 @@ init_daemon_domain(gxp_logging)
 
 # The logging service accesses /dev/gxp
 allow gxp_logging gxp_device:chr_file rw_file_perms;
 
+# Allow logging service to access /sys/class/gxp
+allow gxp_logging sysfs_gxp:dir search;
+allow gxp_logging sysfs_gxp:file rw_file_perms;
+
+# Allow logging service to log to stats service for reporting metrics.
+allow gxp_logging fwk_stats_service:service_manager find;
+binder_call(gxp_logging, system_server);
+binder_use(gxp_logging)
+
+# Allow logging service to read gxp properties.
+get_prop(gxp_logging, vendor_gxp_prop)
+
 # Allow gxp tracing service to send packets to Perfetto
 userdebug_or_eng(`perfetto_producer(gxp_logging)')
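Review bot: `genfscon sysfs /devices/platform/20c00000.callisto u:object_r:sysfs_gxp:s0` labels the whole device directory, so every attribute the gxp driver exposes under it — not only the statistics the commit message mentions — becomes reachable by any domain later granted `sysfs_gxp:file` access. If the metric attributes sit under one subdirectory, pointing the genfscon at that narrower path keeps the label to what gxp_logging actually needs; the hunk does not show the sysfs layout, so this is worth confirming against the driver. The comment in gxp_logging.te refers to /sys/class/gxp, which presumably resolves into this device path; recording that here, e.g. `# Gxp (backs /sys/class/gxp)`, would let the next reader connect the two files.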
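Review bot: The added comment `# Allow GCA to access the GXP properies.` misspells "properties", and since the macro below grants read access only, `# Allow GCA to read the GXP properties.` also states the scope more precisely. The pre-existing `acccess` on the context line above is the same kind of typo and could be fixed while this file is being touched.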
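Review bot: `allow gxp_logging sysfs_gxp:file rw_file_perms;` grants write access to the driver's sysfs attributes, although the commit message describes the service as only checking them and reporting the values; unless a write is genuinely required, `allow gxp_logging sysfs_gxp:file r_file_perms;` is the least-privilege form, and if a write is needed the comment above should name the attribute so the extra permission is not silently inherited by future edits. The trailing `;` on `binder_call(gxp_logging, system_server);` is inconsistent with `binder_use(gxp_logging)` and the other macro calls in the hunk; dropping it matches the file's style. The comment `# Allow logging service to access /sys/class/gxp` would read more precisely as `# Allow logging service to read the gxp sysfs attributes (sysfs_gxp)`, since the label rather than the path is what the rules refer to.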
diff --git a/vendor/hal_camera_default.te b/vendor/hal_camera_default.te
index 92e5cd47..e252b288 100644
--- a/vendor/hal_camera_default.te
+++ b/vendor/hal_camera_default.te
@@ -31,6 +31,7 @@ allow hal_camera_default vendor_camera_data_file:file create_file_perms;
 
 # Allow the camera hal to access the GXP device.
 allow hal_camera_default gxp_device:chr_file rw_file_perms;
+get_prop(hal_camera_default, vendor_gxp_prop)
 
 # Allow creating dump files for debugging in non-release builds
 userdebug_or_eng(`
diff --git a/vendor/property.te b/vendor/property.te
index 105574b9..814beb20 100644
--- a/vendor/property.te
+++ b/vendor/property.te
@@ -16,3 +16,6 @@ vendor_restricted_prop(vendor_arm_runtime_option_prop)
 
 # ArmNN
 vendor_internal_prop(vendor_armnn_config_prop)
+
+# Gxp properties
+system_vendor_config_prop(vendor_gxp_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index e837a5cb..77ac2550 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -23,3 +23,6 @@ vendor.mali. u:object_r:vendor_arm_runtime_option_
 
 # ArmNN configuration
 ro.vendor.armnn. u:object_r:vendor_armnn_config_prop:s0 prefix
+
+# Gxp
+vendor.gxp. u:object_r:vendor_gxp_prop:s0
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
index 24ce7cce..3abf696e 100644
--- a/vendor/vendor_init.te
+++ b/vendor/vendor_init.te
@@ -39,3 +39,6 @@ set_prop(vendor_init, vendor_armnn_config_prop)
 
 # MM
 allow vendor_init proc_watermark_scale_factor:file w_file_perms;
+
+# Gxp
+set_prop(vendor_init, vendor_gxp_prop)
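Review bot: `get_prop(hal_camera_default, vendor_gxp_prop)` is added under a comment that only mentions the GXP device, whereas the sibling domains in this commit (google_camera_app.te, debug_camera_app.te) explain the property access in their comments. A one-line `# Allow the camera hal to read the GXP properties.` above the macro keeps this file consistent with them and tells a later reviewer why the HAL needs the property label.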
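Review bot: `vendor.gxp. u:object_r:vendor_gxp_prop:s0` omits the explicit `prefix` keyword that the `ro.vendor.armnn.` entry just above uses; the trailing dot is presumably still treated as a prefix match, but writing `vendor.gxp. u:object_r:vendor_gxp_prop:s0 prefix` removes the ambiguity and matches the file. Because this prefix covers every present and future `vendor.gxp.*` property, and the commit exposes the label to three camera domains plus gxp_logging, the comment should record what is expected under it, e.g. `# Gxp (read by the camera domains and gxp_logging; keep to non-sensitive config)`, so that a later addition of a sensitive value under the same prefix is noticed in review.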