edgetpu/sepolicy/edgetpu_tachyon_service.te - android_device_google_gs-common - Gitiles

 # Tachyon service.
 type edgetpu_tachyon_server, domain;
 type edgetpu_tachyon_server_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(edgetpu_tachyon_server)

 # The vendor service will use binder calls.
 binder_use(edgetpu_tachyon_server);

 # The vendor service will serve a binder service.
 binder_service(edgetpu_tachyon_server);

 # Tachyon service to register the service to service_manager.
 add_service(edgetpu_tachyon_server, edgetpu_tachyon_service);

 # Allow Tachyon service to access the edgetpu_app_service.
 allow edgetpu_tachyon_server edgetpu_app_service:service_manager find;
 binder_call(edgetpu_tachyon_server, edgetpu_app_server);

 # Allow Tachyon service to look for TPU instance in /dev/edgetpu or /dev/edgetpu-soc.
 allow edgetpu_tachyon_server edgetpu_device:chr_file rw_file_perms;

 # Allow Tachyon service to access hardware buffers and ION memory.
 allow edgetpu_tachyon_server hal_allocator:fd use;
 allow edgetpu_tachyon_server hal_graphics_mapper_hwservice:hwservice_manager find;
 allow edgetpu_tachyon_server hal_graphics_allocator:fd use;
 allow edgetpu_tachyon_server gpu_device:chr_file rw_file_perms;
 allow edgetpu_tachyon_server gpu_device:dir r_dir_perms;
 allow edgetpu_tachyon_server ion_device:chr_file r_file_perms;

 # Allow Tachyon service to access camera hal via binder.
 binder_call(edgetpu_tachyon_server, hal_camera_default);

 # Allow Tachyon service to access dmabuf sysytem.
 allow edgetpu_tachyon_server dmabuf_system_heap_device:chr_file r_file_perms;

 # Allow Tachyon service to read the overcommit_memory info.
 allow edgetpu_tachyon_server proc_overcommit_memory:file r_file_perms;

 # Allow Tachyon service to read the kernel version.
 # This is done inside the InitGoogle.
 allow edgetpu_tachyon_server proc_version:file r_file_perms;

 # Allow Tachyon service to send trace packets to Perfetto with SELinux enabled
 # under userdebug builds.
 userdebug_or_eng(`perfetto_producer(edgetpu_tachyon_server)')

 # Allow Tachyon service to read tflite DarwiNN delegate properties
 get_prop(edgetpu_tachyon_server, vendor_tflite_delegate_prop)
 # Allow Tachyon service to read DarwiNN runtime properties
 get_prop(edgetpu_tachyon_server, vendor_edgetpu_runtime_prop)
 # Allow Tachyon service to read hetero runtime properties
 get_prop(edgetpu_tachyon_server, vendor_hetero_runtime_prop)
 # Allow Tachyon service to read EdgeTPU CPU scheduler properties
 get_prop(edgetpu_tachyon_server, vendor_edgetpu_cpu_scheduler_prop)

 # Allow mlock without size restriction
 allow edgetpu_tachyon_server self:capability ipc_lock;

 # Need to effectively read file mapped file when mmap + mlocked.
 allow edgetpu_tachyon_server privapp_data_file:file { map read};

 # For shell level testing of mlock
 userdebug_or_eng(`
     allow edgetpu_tachyon_server shell_data_file:file { map read};
 ')

 # For shell level testing
 userdebug_or_eng(`
     binder_call(edgetpu_tachyon_server, shell);
 ')
	# Tachyon service.
	type edgetpu_tachyon_server, domain;
	type edgetpu_tachyon_server_exec, exec_type, vendor_file_type, file_type;
	init_daemon_domain(edgetpu_tachyon_server)

	# The vendor service will use binder calls.
	binder_use(edgetpu_tachyon_server);

	# The vendor service will serve a binder service.
	binder_service(edgetpu_tachyon_server);

	# Tachyon service to register the service to service_manager.
	add_service(edgetpu_tachyon_server, edgetpu_tachyon_service);

	# Allow Tachyon service to access the edgetpu_app_service.
	allow edgetpu_tachyon_server edgetpu_app_service:service_manager find;
	binder_call(edgetpu_tachyon_server, edgetpu_app_server);

	# Allow Tachyon service to look for TPU instance in /dev/edgetpu or /dev/edgetpu-soc.
	allow edgetpu_tachyon_server edgetpu_device:chr_file rw_file_perms;

	# Allow Tachyon service to access hardware buffers and ION memory.
	allow edgetpu_tachyon_server hal_allocator:fd use;
	allow edgetpu_tachyon_server hal_graphics_mapper_hwservice:hwservice_manager find;
	allow edgetpu_tachyon_server hal_graphics_allocator:fd use;
	allow edgetpu_tachyon_server gpu_device:chr_file rw_file_perms;
	allow edgetpu_tachyon_server gpu_device:dir r_dir_perms;
	allow edgetpu_tachyon_server ion_device:chr_file r_file_perms;

	# Allow Tachyon service to access camera hal via binder.
	binder_call(edgetpu_tachyon_server, hal_camera_default);

	# Allow Tachyon service to access dmabuf sysytem.
	allow edgetpu_tachyon_server dmabuf_system_heap_device:chr_file r_file_perms;

	# Allow Tachyon service to read the overcommit_memory info.
	allow edgetpu_tachyon_server proc_overcommit_memory:file r_file_perms;

	# Allow Tachyon service to read the kernel version.
	# This is done inside the InitGoogle.
	allow edgetpu_tachyon_server proc_version:file r_file_perms;

	# Allow Tachyon service to send trace packets to Perfetto with SELinux enabled
	# under userdebug builds.
	userdebug_or_eng(`perfetto_producer(edgetpu_tachyon_server)')

	# Allow Tachyon service to read tflite DarwiNN delegate properties
	get_prop(edgetpu_tachyon_server, vendor_tflite_delegate_prop)
	# Allow Tachyon service to read DarwiNN runtime properties
	get_prop(edgetpu_tachyon_server, vendor_edgetpu_runtime_prop)
	# Allow Tachyon service to read hetero runtime properties
	get_prop(edgetpu_tachyon_server, vendor_hetero_runtime_prop)
	# Allow Tachyon service to read EdgeTPU CPU scheduler properties
	get_prop(edgetpu_tachyon_server, vendor_edgetpu_cpu_scheduler_prop)

	# Allow mlock without size restriction
	allow edgetpu_tachyon_server self:capability ipc_lock;

	# Need to effectively read file mapped file when mmap + mlocked.
	allow edgetpu_tachyon_server privapp_data_file:file { map read};

	# For shell level testing of mlock
	userdebug_or_eng(`
	allow edgetpu_tachyon_server shell_data_file:file { map read};
	')

	# For shell level testing
	userdebug_or_eng(`
	binder_call(edgetpu_tachyon_server, shell);
	')