Add SELinux policy for apps to use Tachyon lib
Bug: 339133130
Test: Verified apps can now open Tachyon client lib
Change-Id: I8ca9f08517ae8fc1deb5f97ce2823cd5eb5fafb6
diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index 06f0a89..6190fcf 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -17,6 +17,8 @@
# EdgeTPU runtime libraries
/vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so u:object_r:same_process_hal_file:s0
/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+# EdgeTPU Tachyon libraries
+/vendor/lib64/libedgetpu_tachyon\.google\.so u:object_r:same_process_hal_file:s0
# EdgeTPU data files
/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
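Review bot: The new label on `/vendor/lib64/libedgetpu_tachyon\.google\.so` makes this vendor library loadable into every app domain, including untrusted_app, and the comment at L13 does not say that; a reader scanning file_contexts later will not know this lib now runs inside third-party processes. I would extend the comment to `# EdgeTPU Tachyon client library, mapped into app processes (incl. untrusted_app) via same_process_hal_file;` and `# it must stay free of privileged state and be hardened like any in-process HAL library.` Unlike the neighbouring `-V[1-4]-ndk` entries, the pattern has no version component, so a future versioned rename will silently fall back to the default vendor label; presumably intentional, but worth confirming. Only the lib64 path is labelled, which is fine if the library ships 64-bit only.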
@@ -27,3 +29,6 @@
# Tachyon service
/vendor/bin/hw/com\.google\.edgetpu.tachyon-service u:object_r:edgetpu_tachyon_server_exec:s0
+
+# libfmq.so is dynamically loaded by the Tachyon client-side library libedgetpu_tachyon.google.so
+/vendor/lib64/libfmq\.so u:object_r:same_process_hal_file:s0
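Review bot: Labelling the whole of `/vendor/lib64/libfmq\.so` as same_process_hal_file grants far more than the Tachyon case needs: every app domain can now map this general-purpose vendor library, not just the process that dlopens it from libedgetpu_tachyon.google.so, and the label cannot be scoped to one caller. The comment should state that widening explicitly, e.g. `# NOTE: this makes the vendor libfmq.so loadable by all app domains, not only Tachyon clients;` and `# keep it the unmodified VNDK build so nothing privileged is exposed in-process.` If the client library could link libfmq statically or resolve it through its own linker namespace, the entry could be dropped entirely; I cannot tell from this diff whether that is feasible.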
diff --git a/edgetpu/sepolicy/priv_app.te b/edgetpu/sepolicy/priv_app.te
index a9b49c3..579cc61 100644
--- a/edgetpu/sepolicy/priv_app.te
+++ b/edgetpu/sepolicy/priv_app.te
@@ -7,3 +7,6 @@
# Allows privileged applications to access the EdgeTPU device, except open,
# which is guarded by the EdgeTPU service.
allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
+
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, priv_app);
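Review bot: The comment on L32 understates what `binder_call(edgetpu_tachyon_server, priv_app)` grants: as defined in AOSP's te_macros the macro also expands to `allow priv_app edgetpu_tachyon_server:binder transfer` and `allow edgetpu_tachyon_server priv_app:fd use`, so the vendor daemon will accept and use file descriptors that apps hand it, not merely issue callbacks. I would rewrite the comment as `# Allows the EdgeTPU Tachyon service to make binder callbacks into privileged apps; binder_call also lets the` and `# service use fds the app passes over binder, so the service must validate every received descriptor.` The matching app-to-service call direction is not in this hunk, so presumably it is granted elsewhere. Also, the trailing `;` after the macro call differs from the usual AOSP style of a bare `binder_call(...)` line; harmless if the build accepts it, but keep one convention within the file.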
diff --git a/edgetpu/sepolicy/untrusted_app_all.te b/edgetpu/sepolicy/untrusted_app_all.te
index 9abec61..3c92900 100644
--- a/edgetpu/sepolicy/untrusted_app_all.te
+++ b/edgetpu/sepolicy/untrusted_app_all.te
@@ -5,3 +5,5 @@
# by the EdgeTPU service.
allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+# Allows EdgeTPU Tachyon service to call the app.
+binder_call(edgetpu_tachyon_server, untrusted_app_all);
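Review bot: This rule moves the trust boundary to every third-party app: untrusted_app_all can now pass binder references and file descriptors into the vendor Tachyon daemon, and the one-line comment gives no hint that the server side must treat those inputs as hostile. I would make that explicit, e.g. `# Allows the EdgeTPU Tachyon service to call back into untrusted apps; the binder_call macro also grants` and `# fd use, so the service must never trust the type, size or ownership of fds received from app callers.` Nothing in this hunk shows the reverse `untrusted_app_all -> edgetpu_tachyon_server` call permission, so either it exists elsewhere or callbacks are reached through a different path; worth a pointer in the comment. Given the matching rule added to priv_app.te, consider whether both could be expressed once against appdomain to avoid the two drifting apart.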