commit 83db40bdc71a9c2f5d8ff36cdb3fab193fed51af
author Xusong Wang <xusongw@google.com> Fri Feb 21 10:53:09 2020 -0800
committer Xusong Wang <xusongw@google.com> Fri Feb 21 11:56:38 2020 -0800
tree f417b538993f2e97ad02afb72865a42bf99e31d0
parent e39f8d23ede078a10653da7ef78c3c3ec5e591cf

Configure sepolicy to allow NN HAL services to use gralloc buffers.

All NNAPI drivers are expected to be able to read BLOB mode AHWBs
allocated by the client.

Bug: 147677855
Bug: 149870344
Test: m
Test: NNT_static
Change-Id: I3e4f32d039e1f229a477eb9bca613c554cc35b93

public/hal_neuralnetworks.te

diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 1ef6cad..f8d6ff5 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -5,6 +5,8 @@
 hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
 allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
 allow hal_neuralnetworks hal_allocator:fd use;
+allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_graphics_allocator:fd use;
 
 # Allow NN HAL service to use a client-provided fd residing in /data/data/.
 allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
@@ -13,6 +15,9 @@
 # Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
 allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
 
+# Allow NN HAL service to read a client-provided ION memory fd.
+allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+
 # Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
 # property to determine whether to deny NNAPI extensions use for apps
 # on product partition (apps in GSI are not allowed to use NNAPI extensions).