centralize common settings for edgeTPU

Bug: 258114806
Test: build pass with all the things still in the ROM
Change-Id: Iafa355c047d39cfb21ef043ed0e7b4108630b781
diff --git a/edgetpu/edgetpu.mk b/edgetpu/edgetpu.mk
new file mode 100644
index 0000000..3f79438
--- /dev/null
+++ b/edgetpu/edgetpu.mk
@@ -0,0 +1,23 @@
+# TPU logging service
+PRODUCT_PACKAGES += \
+	android.hardware.edgetpu.logging@service-edgetpu-logging
+# TPU NN AIDL HAL
+PRODUCT_PACKAGES += \
+	android.hardware.neuralnetworks@service-darwinn-aidl
+# TPU application service
+PRODUCT_PACKAGES += \
+	vendor.google.edgetpu_app_service@1.0-service
+# TPU vendor service
+PRODUCT_PACKAGES += \
+	vendor.google.edgetpu_vendor_service@1.0-service
+# TPU HAL client library
+PRODUCT_PACKAGES += \
+	libedgetpu_client.google
+# TPU metrics logger library
+PRODUCT_PACKAGES += \
+	libmetrics_logger
+# TPU TFlite Delegate
+PRODUCT_PACKAGES += \
+        libedgetpu_util
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/edgetpu/sepolicy
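Review bot: The continuation line `        libedgetpu_util` is indented with spaces while every other continuation in this file uses a tab; make it a tab so the list reads consistently (make only needs leading whitespace here, so this is cosmetic). The comment above it, `# TPU TFlite Delegate`, disagrees with file_contexts in this same change, which files libedgetpu_util under a metrics-logging comment; pick one description for the library. The sepolicy directory added to BOARD_VENDOR_SEPOLICY_DIRS declares `edgetpu_app_server` with the `coredomain` attribute and labels a binary under /system_ext, so please confirm these files are meant to ship as vendor policy rather than in a system_ext policy directory.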
diff --git a/edgetpu/sepolicy/device.te b/edgetpu/sepolicy/device.te
new file mode 100644
index 0000000..9296ba5
--- /dev/null
+++ b/edgetpu/sepolicy/device.te
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
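Review bot: Nothing in this change labels a device node with `edgetpu_device` — the file_contexts added below has no `/dev/` entry — so the type only takes effect if a device-specific file_contexts (for the /dev/abrolhos node named in edgetpu_app_service.te) assigns it; a comment naming where that labeling lives would save the next reader the search. `mlstrustedobject` lets app domains of any MLS category use the node, which the priv_app.te and untrusted_app_all.te rules in this change depend on; state that, e.g. `# mlstrustedobject: app domains of any MLS category receive fds for this node from the EdgeTPU service.`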
diff --git a/edgetpu/sepolicy/edgetpu_app_service.te b/edgetpu/sepolicy/edgetpu_app_service.te
new file mode 100644
index 0000000..58ce246
--- /dev/null
+++ b/edgetpu/sepolicy/edgetpu_app_service.te
@@ -0,0 +1,38 @@
+# EdgeTPU app server process which runs the EdgeTPU binder service.
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_app_server)
+
+# The server will use binder calls.
+binder_use(edgetpu_app_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_app_server);
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_app_server, edgetpu_app_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service to access the Package Manager service.
+allow edgetpu_app_server package_native_service:service_manager find;
+binder_call(edgetpu_app_server, system_server);
+
+# Allow EdgeTPU service to read EdgeTPU service related system properties.
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
+
+# Allow EdgeTPU service to generate Perfetto traces.
+perfetto_producer(edgetpu_app_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_app_server, edgetpu_vendor_server);
+
+# Allow EdgeTPU service to log to stats service. (metrics)
+allow edgetpu_app_server fwk_stats_service:service_manager find;
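Review bot: The comment `# EdgeTPU service needs to access /dev/abrolhos.` names a chip-specific node in a file this commit moves into the common directory; `# EdgeTPU service needs to access the EdgeTPU device node (edgetpu_device).` stays accurate on other SoCs. Two lines later the app server gets `rw_file_perms` on `sysfs_edgetpu:file` while the NNAPI HAL in this same change only gets `r_file_perms`; if the app server does not write sysfs attributes, `allow edgetpu_app_server sysfs_edgetpu:file r_file_perms;` is the tighter grant. Macro invocations here carry a trailing `;` (`binder_use(edgetpu_app_server);`) whereas edgetpu_logging.te omits it; the build evidently accepts both, so settle on one style across the directory.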
diff --git a/edgetpu/sepolicy/edgetpu_logging.te b/edgetpu/sepolicy/edgetpu_logging.te
new file mode 100644
index 0000000..2cd9ea4
--- /dev/null
+++ b/edgetpu/sepolicy/edgetpu_logging.te
@@ -0,0 +1,15 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/<edgetpu device>
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow edgetpu_logging sysfs_edgetpu:dir search;
+allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
+
+# Allow TPU logging service to log to stats service. (metrics)
+allow edgetpu_logging fwk_stats_service:service_manager find;
+binder_call(edgetpu_logging, system_server);
+binder_use(edgetpu_logging)
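Review bot: `type edgetpu_logging, domain;` is the only domain declared in this change without a purpose comment; `# EdgeTPU logging service; reports TPU metrics to statsd via fwk_stats_service.` is supported by the rules below it. `allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;` grants write access to sysfs attributes, which is more than a service described as logging obviously needs; confirm a write is required or reduce it to `r_file_perms`. The `dir search` grant on the line above is already the minimal one and is a good model for the file rule.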
diff --git a/edgetpu/sepolicy/edgetpu_vendor_server.te b/edgetpu/sepolicy/edgetpu_vendor_server.te
new file mode 100644
index 0000000..1060510
--- /dev/null
+++ b/edgetpu/sepolicy/edgetpu_vendor_server.te
@@ -0,0 +1,31 @@
+# EdgeTPU vendor service.
+type edgetpu_vendor_server, domain;
+type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_vendor_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_vendor_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_vendor_server);
+
+# EdgeTPU vendor service to register the service to service_manager.
+add_service(edgetpu_vendor_server, edgetpu_vendor_service);
+
+# Allow communications between other vendor services.
+allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
+
+# Allow EdgeTPU vendor service to access its data files.
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
+
+# Allow EdgeTPU vendor service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_vendor_server hal_camera_default:fd use;
+
+# Allow EdgeTPU vendor service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_vendor_server proc_version:file r_file_perms;
+
+# Allow EdgeTPU vendor service to read the overcommit_memory info.
+allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms;
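Review bot: `allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };` hand-rolls what the platform macro `vndbinder_use(edgetpu_vendor_server)` provides, and the macro also grants the vndservicemanager binder permissions that vendor-to-vendor binder traffic needs; prefer the macro unless this server deliberately avoids vndservicemanager, in which case say so in the comment. `allow edgetpu_vendor_server hal_camera_default:fd use;` binds a common policy file to one camera HAL implementation domain; if a device in this family runs a differently named camera HAL the rule silently stops applying, so note the assumption or, if the wider grant is acceptable, use the `hal_camera_server` attribute.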
diff --git a/edgetpu/sepolicy/file.te b/edgetpu/sepolicy/file.te
new file mode 100644
index 0000000..5b3c8b5
--- /dev/null
+++ b/edgetpu/sepolicy/file.te
@@ -0,0 +1,8 @@
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
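Review bot: `sysfs_edgetpu` is declared here but no genfs_contexts entry in this change labels `/sys/class/edgetpu` (the path named in the comments of edgetpu_logging.te and hal_neuralnetworks_darwinn.te), so the rules referencing this type have no effect until a device-specific genfs_contexts assigns the label; a comment pointing at that file would pre-empt the question. `# EdgeTPU hal data file` could name its owner, e.g. `# Data directory of the DarwiNN NNAPI HAL (/data/vendor/hal_neuralnetworks_darwinn).`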
diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
new file mode 100644
index 0000000..e8fb9ac
--- /dev/null
+++ b/edgetpu/sepolicy/file_contexts
@@ -0,0 +1,24 @@
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl      u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service        u:object_r:edgetpu_app_server_exec:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service         u:object_r:edgetpu_vendor_server_exec:s0
+
+# EdgeTPU metrics logging service.
+/vendor/lib64/libedgetpu_client\.google\.so                                u:object_r:same_process_hal_file:s0
+/vendor/lib64/libmetrics_logger\.so                                        u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_util\.so                                          u:object_r:same_process_hal_file:s0
+# EdgeTPU runtime libraries
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so              u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so           u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/hal_neuralnetworks_darwinn(/.*)?                              u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+/data/vendor/edgetpu(/.*)?                                                 u:object_r:edgetpu_vendor_service_data_file:s0
+
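Review bot: The comment `# EdgeTPU metrics logging service.` sits above three shared libraries labeled `same_process_hal_file`, not a service; `# EdgeTPU client libraries loaded into the caller's process (same-process HAL).` describes what the label means. That label is a statement that libedgetpu_client.google, libmetrics_logger and libedgetpu_util are safe to map into untrusted app processes, so it is worth confirming for each, libmetrics_logger in particular. The patterns `com\.google\.edgetpu_app_service-V[1-2]-ndk\.so` and `com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so` pin the AIDL version range, so a future V3 library would fall back to the default vendor label and presumably fail to load from apps; `V[0-9]+` avoids that if the ABI contract allows it.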
diff --git a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
new file mode 100644
index 0000000..f301a72
--- /dev/null
+++ b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
@@ -0,0 +1,53 @@
+type hal_neuralnetworks_darwinn, domain;
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+# The TPU HAL looks for TPU instance in /dev/abrolhos
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+
+# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
+
+# Allow DarwiNN service to access data files.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+
+# Allow DarwiNN service to access unix sockets for IPC.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
+
+# Register to hwbinder service.
+# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
+hwbinder_use(hal_neuralnetworks_darwinn)
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
+
+# Allow TPU HAL to read the kernel version.
+# This is done inside the InitGoogle.
+allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
+
+# Allow TPU NNAPI HAL to log to stats service. (metrics)
+allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, system_server);
+binder_use(hal_neuralnetworks_darwinn)
+
+# Allow TPU NNAPI HAL to request power hints from the Power Service
+hal_client_domain(hal_neuralnetworks_darwinn, hal_power)
+
+# TPU NNAPI to register the service to service_manager.
+add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
+
+# Allow TPU NNAPI HAL to read the overcommit_memory info.
+allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
+
+# Allows the NNAPI HAL to access the edgetpu_app_service
+allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
+
+# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled
+# under userdebug builds.
+userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)')
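Review bot: Two comments were copy-pasted with the wrong subject: `# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.` misspells DarwiNN, and `# Allows the logging service to access /sys/class/edgetpu` above the sysfs_edgetpu rules should read `# Allows the NNAPI HAL to read /sys/class/edgetpu`. `# The TPU HAL looks for TPU instance in /dev/abrolhos` names a chip-specific node in a now-common file; `# The TPU HAL opens the EdgeTPU device node (edgetpu_device).` stays correct on other SoCs.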
diff --git a/edgetpu/sepolicy/priv_app.te b/edgetpu/sepolicy/priv_app.te
new file mode 100644
index 0000000..22021a8
--- /dev/null
+++ b/edgetpu/sepolicy/priv_app.te
@@ -0,0 +1,10 @@
+# Allows privileged applications to discover the EdgeTPU service.
+allow priv_app edgetpu_app_service:service_manager find;
+
+# Allows privileged applications to discover the NNAPI TPU service.
+allow priv_app edgetpu_nnapi_service:service_manager find;
+
+# Allows privileged applications to access the EdgeTPU device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
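Review bot: `allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };` permits every ioctl the TPU driver implements from app code, even though apps only receive the fd through the EdgeTPU service; the identical grant appears in untrusted_app_all.te. An ioctl allowlist keeps the driver's non-app commands out of reach of app processes, e.g. `allowxperm priv_app edgetpu_device:chr_file ioctl { <EDGETPU_APP_IOCTL_LIST placeholder> };` with a matching rule for untrusted_app_all, where the list is the set of commands the client library actually issues. `allow priv_app edgetpu_nnapi_service:service_manager find;` looks redundant because service.te in this change gives edgetpu_nnapi_service the `app_api_service` attribute, which the platform already lets app domains find; verify and drop it if so.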
+
diff --git a/edgetpu/sepolicy/property.te b/edgetpu/sepolicy/property.te
new file mode 100644
index 0000000..ed93d44
--- /dev/null
+++ b/edgetpu/sepolicy/property.te
@@ -0,0 +1,4 @@
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
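Review bot: No domain in this change has `set_prop` on `vendor_edgetpu_service_prop`; only edgetpu_app_server reads it, so the writer lives elsewhere and the comment should name it, e.g. `# Set by <writer placeholder>; read by edgetpu_app_server.` Declaring a property under the `vendor.` prefix as `system_public_prop` is unusual; the comment explains the /system_ext consumer, but one sentence on why `vendor_public_prop` was not suitable would help whoever next audits property ownership.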
+
diff --git a/edgetpu/sepolicy/property_contexts b/edgetpu/sepolicy/property_contexts
new file mode 100644
index 0000000..130cfef
--- /dev/null
+++ b/edgetpu/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+# for EdgeTPU
+vendor.edgetpu.service.                         u:object_r:vendor_edgetpu_service_prop:s0
+
diff --git a/edgetpu/sepolicy/service.te b/edgetpu/sepolicy/service.te
new file mode 100644
index 0000000..3cb81dd
--- /dev/null
+++ b/edgetpu/sepolicy/service.te
@@ -0,0 +1,5 @@
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
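Review bot: `type edgetpu_nnapi_service, app_api_service, service_manager_type;` makes the NNAPI TPU service discoverable by app domains through the platform app_api_service rule, whereas edgetpu_app_service is exposed only through explicit allows in priv_app.te and untrusted_app_all.te; the asymmetry may be intentional but deserves a comment, e.g. `# Reachable by app domains via app_api_service (NNAPI device instance).` The first two type lines have no comment while the third does; `# Vendor-side EdgeTPU HAL service, registered by edgetpu_vendor_server.` above the second would match the rest of the directory.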
diff --git a/edgetpu/sepolicy/service_contexts b/edgetpu/sepolicy/service_contexts
new file mode 100644
index 0000000..9972eae
--- /dev/null
+++ b/edgetpu/sepolicy/service_contexts
@@ -0,0 +1,7 @@
+
+com.google.edgetpu.IEdgeTpuVendorService/default           u:object_r:edgetpu_vendor_service:s0
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu	   u:object_r:edgetpu_nnapi_service:s0
+
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default              u:object_r:edgetpu_app_service:s0
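Review bot: `com.google.edgetpu.IEdgeTpuVendorService/default` is the only entry without a heading comment, and the file opens with a blank line; add `# EdgeTPU vendor service` above it and drop the empty first line. The NNAPI entry pads its columns with a tab where the other two use spaces, which misaligns the label column at any other tab width.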
diff --git a/edgetpu/sepolicy/untrusted_app_all.te b/edgetpu/sepolicy/untrusted_app_all.te
new file mode 100644
index 0000000..9abec61
--- /dev/null
+++ b/edgetpu/sepolicy/untrusted_app_all.te
@@ -0,0 +1,7 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+