New ArmNN AIDL SELinux permissions and settings

Compile ArmNN shim over the support library

This change adds the SELinux permissions for the new
ArmNN AIDL backend based on a shim over the NNAPI
Support Library.

Test: Local run of CtsNNAPITestCases
Test: Local run of VtsHalNeuralnetworksTargetTest
Test: Local run of MLTS Benchmark
Bug: 283724775
Merged-In: I24b69c4f6d65f45ec6935744717b66bed14cb236
Change-Id: Ie834e6f23ad5983ad48f52714373c3c7da2ad236
diff --git a/gpu/gpu.mk b/gpu/gpu.mk
new file mode 100644
index 0000000..f7a3542
--- /dev/null
+++ b/gpu/gpu.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
+
+PRODUCT_PACKAGES += android.hardware.neuralnetworks-shim-service-armnn
diff --git a/gpu/sepolicy/file_contexts b/gpu/sepolicy/file_contexts
new file mode 100644
index 0000000..571c211
--- /dev/null
+++ b/gpu/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.neuralnetworks-shim-service-armnn       u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/gpu/sepolicy/hal_neuralnetworks_armnn.te b/gpu/sepolicy/hal_neuralnetworks_armnn.te
new file mode 100644
index 0000000..d08ec2c
--- /dev/null
+++ b/gpu/sepolicy/hal_neuralnetworks_armnn.te
@@ -0,0 +1,18 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
+add_service(hal_neuralnetworks_armnn, armnn_nnapi_service);
+
+allow hal_neuralnetworks_armnn armnn_app_service:service_manager find;
+
+get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)
+
+allow isolated_app app_data_file:file setattr;
+
+allow hal_neuralnetworks_armnn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_armnn, system_server);
+binder_use(hal_neuralnetworks_armnn)
+
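Review bot: The rule `allow isolated_app app_data_file:file setattr;` grants a permission to `isolated_app` rather than to the new HAL domain, and the commit message does not explain it. Because gpu.mk adds this directory to `BOARD_VENDOR_SEPOLICY_DIRS`, the grant loosens the isolated-app sandbox on every device that includes the makefile. It should either be dropped, or moved out of the HAL's .te file with a comment naming the caller and the denial that required it. Separately, `get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)` looks like a HIDL-era carry-over and may be unnecessary for an AIDL service; it is worth confirming against actual denials before keeping it.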
diff --git a/gpu/sepolicy/priv_app.te b/gpu/sepolicy/priv_app.te
new file mode 100644
index 0000000..c2452f1
--- /dev/null
+++ b/gpu/sepolicy/priv_app.te
@@ -0,0 +1,3 @@
+allow priv_app armnn_app_service:service_manager find;
+allow priv_app armnn_nnapi_service:service_manager find;
+
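Review bot: The second rule, `allow priv_app armnn_nnapi_service:service_manager find;`, is probably redundant. service.te in this commit gives `armnn_nnapi_service` the `app_api_service` attribute, and platform policy normally lets app domains find services carrying it, so confirm and drop the rule if so. The first rule opens `armnn_app_service` to every privileged app. A comment naming the intended client, for example `# <client package> binds to the ArmNN app service`, would let reviewers judge whether `priv_app` is the narrowest domain that works.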
diff --git a/gpu/sepolicy/service.te b/gpu/sepolicy/service.te
new file mode 100644
index 0000000..cb788b6
--- /dev/null
+++ b/gpu/sepolicy/service.te
@@ -0,0 +1,5 @@
+type armnn_nnapi_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_vendor_service, service_manager_type, hal_service_type;
+type armnn_dba_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_app_service, service_manager_type;
+
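Review bot: `armnn_dba_service` is declared with `app_api_service` and `isolated_compute_allowed_service`, but nothing in this commit labels a service with it in service_contexts or references it in a rule. An unused type that already carries app-facing attributes is better left out until the service exists. `armnn_nnapi_service` also carries `isolated_compute_allowed_service`, which makes the HAL reachable from isolated compute processes. If that is intended, a short comment above the declaration stating why would record the decision.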
diff --git a/gpu/sepolicy/service_contexts b/gpu/sepolicy/service_contexts
new file mode 100644
index 0000000..d81ca78
--- /dev/null
+++ b/gpu/sepolicy/service_contexts
@@ -0,0 +1,4 @@
+com.google.armnn.IArmnnVendorService/default             u:object_r:armnn_vendor_service:s0
+android.hardware.neuralnetworks.IDevice/google-armnn     u:object_r:armnn_nnapi_service:s0
+com.google.armnn.IArmnnpAppService/default               u:object_r:armnn_app_service:s0
+
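Review bot: `com.google.armnn.IArmnnpAppService/default` spells the interface with an extra `p` compared with `IArmnnVendorService` on the first line. If the service actually registers as `IArmnnAppService`, this entry never matches and the instance will not receive the `armnn_app_service` label, so check the name against the AIDL descriptor. Also, `armnn_vendor_service` is labelled here, but no domain in this commit is granted `add_service` or `find` on it. Unless another policy directory supplies those rules, that service may not be registrable or reachable as written.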