Revert^2 "New ArmNN AIDL SELinux permissions and settings"

58c26f29062fb48925f58c88aa11b25403c370c3

Compile ArmNN shim over the support library

This change adds the SELinux permissions for the new
ArmNN AIDL backend based on a shim over the NNAPI
Support Library.

Test: Local run of CtsNNAPITestCases
Test: Local run of VtsHalNeuralnetworksTargetTest
Test: Local run of MLTS Benchmark
Bug: 283724775
Change-Id: I24b69c4f6d65f45ec6935744717b66bed14cb236
diff --git a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
index 7d50bfc..f867528 100644
--- a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
+++ b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
@@ -7,7 +7,7 @@
 # The TPU HAL looks for TPU instance in /dev/abrolhos
 allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
 
-# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+# Allow DarwiNN service to use a client-provided fd residing in /vendor/etc/.
 allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
 
 # Allow DarwiNN service to access data files.
diff --git a/gpu/gpu.mk b/gpu/gpu.mk
index d1c3a6d..67d1263 100644
--- a/gpu/gpu.mk
+++ b/gpu/gpu.mk
@@ -1,3 +1,4 @@
 BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
 
 PRODUCT_PACKAGES += gpu_probe
+PRODUCT_PACKAGES += android.hardware.neuralnetworks-shim-service-armnn
diff --git a/gpu/sepolicy/file_contexts b/gpu/sepolicy/file_contexts
index 3752908..7cadf04 100644
--- a/gpu/sepolicy/file_contexts
+++ b/gpu/sepolicy/file_contexts
@@ -1 +1,3 @@
-/vendor/bin/gpu_probe           u:object_r:gpu_probe_exec:s0
+/vendor/bin/gpu_probe                                                     u:object_r:gpu_probe_exec:s0
+
+/vendor/bin/hw/android\.hardware\.neuralnetworks-shim-service-armnn       u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/gpu/sepolicy/hal_neuralnetworks_armnn.te b/gpu/sepolicy/hal_neuralnetworks_armnn.te
new file mode 100644
index 0000000..62c3257
--- /dev/null
+++ b/gpu/sepolicy/hal_neuralnetworks_armnn.te
@@ -0,0 +1,17 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
+add_service(hal_neuralnetworks_armnn, armnn_nnapi_service);
+
+allow hal_neuralnetworks_armnn armnn_app_service:service_manager find;
+
+get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)
+
+allow isolated_app app_data_file:file setattr;
+
+allow hal_neuralnetworks_armnn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_armnn, system_server);
+binder_use(hal_neuralnetworks_armnn)
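Review bot: The rule `allow isolated_app app_data_file:file setattr;` in the new hal_neuralnetworks_armnn.te grants a permission to isolated_app, not to the HAL domain this file defines. It would apply to every isolated process on the device rather than only to clients of the ArmNN service. Nothing in the commit message explains why the shim needs it, and it may also conflict with platform neverallow rules for isolated_app, which is worth checking against the target branch. I would drop the line from this change. If it is genuinely required, move it to its own `isolated_app.te` with a comment such as `# <reason isolated_app must change attributes on app data files>` so the widening of the sandbox can be reviewed separately.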
diff --git a/gpu/sepolicy/priv_app.te b/gpu/sepolicy/priv_app.te
new file mode 100644
index 0000000..97eec7c
--- /dev/null
+++ b/gpu/sepolicy/priv_app.te
@@ -0,0 +1,2 @@
+allow priv_app armnn_app_service:service_manager find;
+allow priv_app armnn_nnapi_service:service_manager find;
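Review bot: Neither rule in the new priv_app.te says why priv_app needs these services, and the second one looks redundant. service.te in this same commit declares `armnn_nnapi_service` with the `app_api_service` attribute, so if the platform policy already lets priv_app find `app_api_service` (to be confirmed on the target branch), `allow priv_app armnn_nnapi_service:service_manager find;` adds nothing and can go. `armnn_app_service` has no app-facing attribute, so that grant is the real access decision here. It deserves a comment naming the privileged client, for example `# <priv app package> binds to the ArmNN app service for <purpose>`.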
diff --git a/gpu/sepolicy/service.te b/gpu/sepolicy/service.te
new file mode 100644
index 0000000..bf5f3ce
--- /dev/null
+++ b/gpu/sepolicy/service.te
@@ -0,0 +1,4 @@
+type armnn_nnapi_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_vendor_service, service_manager_type, hal_service_type;
+type armnn_dba_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_app_service, service_manager_type;
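Review bot: `armnn_dba_service` is declared with `app_api_service` and `isolated_compute_allowed_service`, but nothing visible in this commit uses it. service_contexts maps no interface to it, and no domain gets `add_service` or `find` on it. A type that is already tagged as reachable from apps and isolated compute processes will expose whatever interface is later labelled with it without a further policy review. I would leave it out until the service lands, or add a comment above the line stating which interface it is reserved for. The same kind of comment would help on `armnn_nnapi_service`, explaining why the NNAPI device needs `isolated_compute_allowed_service`.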
diff --git a/gpu/sepolicy/service_contexts b/gpu/sepolicy/service_contexts
new file mode 100644
index 0000000..a881130
--- /dev/null
+++ b/gpu/sepolicy/service_contexts
@@ -0,0 +1,3 @@
+com.google.armnn.IArmnnVendorService/default             u:object_r:armnn_vendor_service:s0
+android.hardware.neuralnetworks.IDevice/google-armnn     u:object_r:armnn_nnapi_service:s0
+com.google.armnn.IArmnnpAppService/default               u:object_r:armnn_app_service:s0
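Review bot: The interface name `com.google.armnn.IArmnnpAppService/default` on the last line has an extra `p` compared with `IArmnnVendorService` above it, which looks like a typo for `IArmnnAppService`. If the service registers under the name without the `p`, this entry never matches. The instance would then fall through to the default service label, and the `armnn_app_service` find rules for priv_app and the HAL would not apply to it. Please confirm the exact name against the AIDL definition. Separately, this commit adds `add_service` only for `armnn_nnapi_service`, so the domains that register the vendor and app services presumably get their policy elsewhere.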