From f9c463189171207c18b8e71c2dbe848f1715f9cd Mon Sep 17 00:00:00 2001
From: Richard Hsu <hsuy@google.com>
Date: Thu, 29 Feb 2024 17:24:29 -0800
Subject: [PATCH] [mlock] Allow edgetpu_app_service to call mlock()

This CL references keunyoung's ag/25999220

This is to support the GenAI effort, allowing file backed large models to be mlocked, satisfying the memory accounting on Android.

AVC error message:
https://paste.googleplex.com/5844645780652032

Bug: 322229786

Tested:
end-to-end on ZUM and ZPR.

Change-Id: I6abef85eebbc051cb5e41b8f11f70f7ae1b489ab
---
 edgetpu/sepolicy/edgetpu_app_service.te | 9 +++++++++
 edgetpu/sepolicy/file_contexts          | 2 +-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/edgetpu/sepolicy/edgetpu_app_service.te b/edgetpu/sepolicy/edgetpu_app_service.te
index 271805e..838f476 100644
--- a/edgetpu/sepolicy/edgetpu_app_service.te
+++ b/edgetpu/sepolicy/edgetpu_app_service.te
@@ -38,3 +38,12 @@ binder_call(edgetpu_app_server, edgetpu_vendor_server);
 
 # Allow EdgeTPU service to log to stats service. (metrics)
 allow edgetpu_app_server fwk_stats_service:service_manager find;
+
+# Allow mlock without size restriction
+allow edgetpu_app_server self:capability ipc_lock;
+
+# Need to effectively read file mapped file when mmap + mlocked.
+allow edgetpu_app_server privapp_data_file:file { map read};
+
+# For shell level testing of mlock
+allow edgetpu_app_server shell_data_file:file { map read};
diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index 0cada88..06f0a89 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -15,7 +15,7 @@
 /vendor/lib64/libmetrics_logger\.so                                        u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_util\.so                                          u:object_r:same_process_hal_file:s0
 # EdgeTPU runtime libraries
-/vendor/lib64/com\.google\.edgetpu_app_service-V[1-3]-ndk\.so              u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-4]-ndk\.so              u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so           u:object_r:same_process_hal_file:s0
 
 # EdgeTPU data files