From c319cdc9b78d8d8fffad317a66fa66cbda9882f4 Mon Sep 17 00:00:00 2001
From: Renato Grottesi
Date: Thu, 13 Jul 2023 18:50:57 +0000
Subject: [PATCH] New ArmNN AIDL SELinux permissions and settings

Compile ArmNN shim over the support library

This change adds the SELinux permissions for the new ArmNN AIDL backend based on a shim over the NNAPI Support Library.

Test: Local run of CtsNNAPITestCases
Test: Local run of VtsHalNeuralnetworksTargetTest
Test: Local run of MLTS Benchmark
Bug: 283724775
Merged-In: I24b69c4f6d65f45ec6935744717b66bed14cb236
Change-Id: Ie834e6f23ad5983ad48f52714373c3c7da2ad236
---
 gpu/gpu.mk | 3 +++
 gpu/sepolicy/file_contexts | 1 +
 gpu/sepolicy/hal_neuralnetworks_armnn.te | 18 ++++++++++++++++++
 gpu/sepolicy/priv_app.te | 3 +++
 gpu/sepolicy/service.te | 5 +++++
 gpu/sepolicy/service_contexts | 4 ++++
 6 files changed, 34 insertions(+)
 create mode 100644 gpu/gpu.mk
 create mode 100644 gpu/sepolicy/file_contexts
 create mode 100644 gpu/sepolicy/hal_neuralnetworks_armnn.te
 create mode 100644 gpu/sepolicy/priv_app.te
 create mode 100644 gpu/sepolicy/service.te
 create mode 100644 gpu/sepolicy/service_contexts

diff --git a/gpu/gpu.mk b/gpu/gpu.mk
new file mode 100644
index 0000000..f7a3542
--- /dev/null
+++ b/gpu/gpu.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
+
+PRODUCT_PACKAGES += android.hardware.neuralnetworks-shim-service-armnn
diff --git a/gpu/sepolicy/file_contexts b/gpu/sepolicy/file_contexts
new file mode 100644
index 0000000..571c211
--- /dev/null
+++ b/gpu/sepolicy/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.neuralnetworks-shim-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0
diff --git a/gpu/sepolicy/hal_neuralnetworks_armnn.te b/gpu/sepolicy/hal_neuralnetworks_armnn.te
new file mode 100644
index 0000000..d08ec2c
--- /dev/null
+++ b/gpu/sepolicy/hal_neuralnetworks_armnn.te
@@ -0,0 +1,18 @@
+type hal_neuralnetworks_armnn, domain;
+hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)
+
+type hal_neuralnetworks_armnn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
+add_service(hal_neuralnetworks_armnn, armnn_nnapi_service);
+
+allow hal_neuralnetworks_armnn armnn_app_service:service_manager find;
+
+get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)
+
+allow isolated_app app_data_file:file setattr;
+
+allow hal_neuralnetworks_armnn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_armnn, system_server);
+binder_use(hal_neuralnetworks_armnn)
+
diff --git a/gpu/sepolicy/priv_app.te b/gpu/sepolicy/priv_app.te
new file mode 100644
index 0000000..c2452f1
--- /dev/null
+++ b/gpu/sepolicy/priv_app.te
@@ -0,0 +1,3 @@
+allow priv_app armnn_app_service:service_manager find;
+allow priv_app armnn_nnapi_service:service_manager find;
+
diff --git a/gpu/sepolicy/service.te b/gpu/sepolicy/service.te
new file mode 100644
index 0000000..cb788b6
--- /dev/null
+++ b/gpu/sepolicy/service.te
@@ -0,0 +1,5 @@
+type armnn_nnapi_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_vendor_service, service_manager_type, hal_service_type;
+type armnn_dba_service, app_api_service, service_manager_type, isolated_compute_allowed_service;
+type armnn_app_service, service_manager_type;
+
diff --git a/gpu/sepolicy/service_contexts b/gpu/sepolicy/service_contexts
new file mode 100644
index 0000000..d81ca78
--- /dev/null
+++ b/gpu/sepolicy/service_contexts
@@ -0,0 +1,4 @@
+com.google.armnn.IArmnnVendorService/default u:object_r:armnn_vendor_service:s0
+android.hardware.neuralnetworks.IDevice/google-armnn u:object_r:armnn_nnapi_service:s0
+com.google.armnn.IArmnnpAppService/default u:object_r:armnn_app_service:s0
+
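Review bot: `allow isolated_app app_data_file:file setattr;` widens the platform `isolated_app` domain rather than the new HAL domain, and neither the hunk nor the commit message says why an isolated process must change attributes on app data files; if it is needed for the isolated compute path, move it to its own isolated_app.te with a comment naming the caller and the operation, and keep this file to rules whose subject is hal_neuralnetworks_armnn. `get_prop(hal_neuralnetworks_armnn, hwservicemanager_prop)` reads like a HIDL-era leftover for a service that registers over AIDL and may already be covered by the hal_neuralnetworks server attribute; drop it if the shim does not read that property, otherwise add a one-line comment naming the code path that does. `allow hal_neuralnetworks_armnn armnn_app_service:service_manager find;` is the only reference to armnn_app_service from the HAL side and nothing in this change is allowed to add that service, so a comment pointing at whoever registers it would help the next reader.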
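Review bot: `allow priv_app armnn_nnapi_service:service_manager find;` looks redundant, because service.te in this same change gives `armnn_nnapi_service` the `app_api_service` attribute and the platform policy already lets app domains find services carrying that attribute; if the line is kept, a comment should say why priv_app needs an explicit grant. The `armnn_app_service` rule is the real addition, and nothing here says which privileged app is expected to look that service up; a comment such as `# <consuming priv app> looks up com.google.armnn.IArmnnpAppService` above the rule would record the justification for exposing the service to priv_app.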
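Review bot: `armnn_vendor_service` and `armnn_dba_service` are declared but nothing in this change uses them: there is no `add_service` or `find` rule for either, and `armnn_dba_service` has no service_contexts entry at all, so a type carrying `app_api_service` and `isolated_compute_allowed_service` sits unmapped and unexplained. Either declare these in the change that registers them, or add a one-line comment per type naming the binary that will register it and which clients it is meant for. `armnn_vendor_service` also carries `hal_service_type` while the only add_service in hal_neuralnetworks_armnn.te is for armnn_nnapi_service, so no domain in this change is permitted to register the vendor service.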
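Review bot: the interface name in `com.google.armnn.IArmnnpAppService/default` may be misspelt ("IArmnnp" against the "IArmnn" prefix of the other entry); a service_contexts entry that does not match the name the service registers under is not a build error, it silently leaves that service with the default service label, so the find rules added in priv_app.te would never apply to it. Please confirm the exact name against the AIDL interface. `com.google.armnn.IArmnnVendorService/default` is mapped to `armnn_vendor_service`, but no domain in this change is allowed to add a service of that type, so registration would be denied until a matching `add_service` rule lands; a comment naming the intended registering domain would make that dependency visible.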