NNAPI property to disable extensions use on GSI/AOSP product partition.
Property is NNAPI client-readable and writeable only by init/build.prop.
Bug: 129666983
Bug: 120483623
Test: flashed crosshatch/Cts tests for NNAPI
Change-Id: Ic4c0f176440610a2c54c078863f3d5382323cc65
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index eea3dd5..6267922 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -99,6 +99,7 @@
network_stack
network_stack_service
network_stack_tmpfs
+ nnapi_ext_deny_product_prop
overlayfs_file
password_slot_metadata_file
permissionmgr_service
diff --git a/private/property_contexts b/private/property_contexts
index 3622d12..c1f1228 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -191,3 +191,7 @@
gsid. u:object_r:gsid_prop:s0
ro.gsid. u:object_r:gsid_prop:s0
+
+# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
+# which can't use NNAPI vendor extensions).
+ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 21374bc..c2549ff 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -11,3 +11,11 @@
# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+
+# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
+# property to determine whether to deny NNAPI extensions use for apps
+# on product partition (apps in GSI are not allowed to use NNAPI extensions).
+get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+# This property is only expected to be found in /product/build.prop,
+# allow to be set only by init.
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
diff --git a/public/property.te b/public/property.te
index 473baa2..12f0425 100644
--- a/public/property.te
+++ b/public/property.te
@@ -64,6 +64,7 @@
type net_radio_prop, property_type, core_property_type;
type netd_stable_secret_prop, property_type;
type nfc_prop, property_type, core_property_type;
+type nnapi_ext_deny_product_prop, property_type;
type overlay_prop, property_type;
type pan_result_prop, property_type, core_property_type;
type persist_debug_prop, property_type, core_property_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 5a3e918..de60312 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,6 +206,7 @@
-last_boot_reason_prop
-apexd_prop
-gsid_prop
+ -nnapi_ext_deny_product_prop
})
')