From af0e90ecb1a93d249d5925a2100b9b83146da8ac Mon Sep 17 00:00:00 2001
From: Adam Shih
Date: Tue, 8 Nov 2022 13:21:51 +0800
Subject: [PATCH] centralize common settings for edgeTPU

Bug: 258114806
Test: build pass with all the things still in the ROM
Change-Id: Iafa355c047d39cfb21ef043ed0e7b4108630b781
---
 edgetpu/edgetpu.mk | 23 ++++++++
 edgetpu/sepolicy/device.te | 2 +
 edgetpu/sepolicy/edgetpu_app_service.te | 38 +++++++++++++
 edgetpu/sepolicy/edgetpu_logging.te | 15 ++++++
 edgetpu/sepolicy/edgetpu_vendor_server.te | 31 +++++++++++
 edgetpu/sepolicy/file.te | 8 +++
 edgetpu/sepolicy/file_contexts | 24 +++++++++
 .../sepolicy/hal_neuralnetworks_darwinn.te | 53 +++++++++++++++++++
 edgetpu/sepolicy/priv_app.te | 10 ++++
 edgetpu/sepolicy/property.te | 4 ++
 edgetpu/sepolicy/property_contexts | 3 ++
 edgetpu/sepolicy/service.te | 5 ++
 edgetpu/sepolicy/service_contexts | 7 +++
 edgetpu/sepolicy/untrusted_app_all.te | 7 +++
 14 files changed, 230 insertions(+)
 create mode 100644 edgetpu/edgetpu.mk
 create mode 100644 edgetpu/sepolicy/device.te
 create mode 100644 edgetpu/sepolicy/edgetpu_app_service.te
 create mode 100644 edgetpu/sepolicy/edgetpu_logging.te
 create mode 100644 edgetpu/sepolicy/edgetpu_vendor_server.te
 create mode 100644 edgetpu/sepolicy/file.te
 create mode 100644 edgetpu/sepolicy/file_contexts
 create mode 100644 edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
 create mode 100644 edgetpu/sepolicy/priv_app.te
 create mode 100644 edgetpu/sepolicy/property.te
 create mode 100644 edgetpu/sepolicy/property_contexts
 create mode 100644 edgetpu/sepolicy/service.te
 create mode 100644 edgetpu/sepolicy/service_contexts
 create mode 100644 edgetpu/sepolicy/untrusted_app_all.te

diff --git a/edgetpu/edgetpu.mk b/edgetpu/edgetpu.mk
new file mode 100644
index 0000000..3f79438
--- /dev/null
+++ b/edgetpu/edgetpu.mk
@@ -0,0 +1,23 @@
+# TPU logging service
+PRODUCT_PACKAGES += \
+ android.hardware.edgetpu.logging@service-edgetpu-logging
+# TPU NN AIDL HAL
+PRODUCT_PACKAGES += \
+ android.hardware.neuralnetworks@service-darwinn-aidl
+# TPU application service
+PRODUCT_PACKAGES += \
+ vendor.google.edgetpu_app_service@1.0-service
+# TPU vendor service
+PRODUCT_PACKAGES += \
+ vendor.google.edgetpu_vendor_service@1.0-service
+# TPU HAL client library
+PRODUCT_PACKAGES += \
+ libedgetpu_client.google
+# TPU metrics logger library
+PRODUCT_PACKAGES += \
+ libmetrics_logger
+# TPU TFlite Delegate
+PRODUCT_PACKAGES += \
+ libedgetpu_util
+
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/edgetpu/sepolicy
diff --git a/edgetpu/sepolicy/device.te b/edgetpu/sepolicy/device.te
new file mode 100644
index 0000000..9296ba5
--- /dev/null
+++ b/edgetpu/sepolicy/device.te
@@ -0,0 +1,2 @@
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
diff --git a/edgetpu/sepolicy/edgetpu_app_service.te b/edgetpu/sepolicy/edgetpu_app_service.te
new file mode 100644
index 0000000..58ce246
--- /dev/null
+++ b/edgetpu/sepolicy/edgetpu_app_service.te
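Review bot: The only sepolicy directory this makefile registers is `BOARD_VENDOR_SEPOLICY_DIRS`, yet edgetpu_app_service.te in that same directory declares `edgetpu_app_server` as `coredomain` with a `system_file_type` exec under /system_ext. If the build's Treble checks ever treat coredomain declarations in vendor policy as a violation, those system_ext pieces would belong in a directory listed via `SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS`; since the commit reports a passing build, a comment above the `BOARD_VENDOR_SEPOLICY_DIRS` line recording why the mixed layout is acceptable would spare the next reader the same question. On style, the seven separate `PRODUCT_PACKAGES += \` fragments could be a single list with one comment per entry, which keeps the package set readable as a unit.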
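Review bot: `mlstrustedobject` on `edgetpu_device` exempts the node from MLS constraints so that processes in every user category can use the same device, but the line carries no explanation of that choice. Expand the comment to `# EdgeTPU device (DarwiNN). mlstrustedobject: the node is shared with app processes in all MLS user categories; open stays reserved to the service (see edgetpu_app_service.te).` The second half is inferred from the neverallow in edgetpu_app_service.te and the app grants in priv_app.te and untrusted_app_all.te, so adjust it if the intent differs.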
@@ -0,0 +1,38 @@
+# EdgeTPU app server process which runs the EdgeTPU binder service.
+type edgetpu_app_server, coredomain, domain;
+type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_app_server)
+
+# The server will use binder calls.
+binder_use(edgetpu_app_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_app_server);
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_app_server, edgetpu_app_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service to access the Package Manager service.
+allow edgetpu_app_server package_native_service:service_manager find;
+binder_call(edgetpu_app_server, system_server);
+
+# Allow EdgeTPU service to read EdgeTPU service related system properties.
+get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
+
+# Allow EdgeTPU service to generate Perfetto traces.
+perfetto_producer(edgetpu_app_server);
+
+# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
+allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
+binder_call(edgetpu_app_server, edgetpu_vendor_server);
+
+# Allow EdgeTPU service to log to stats service. (metrics)
+allow edgetpu_app_server fwk_stats_service:service_manager find;
diff --git a/edgetpu/sepolicy/edgetpu_logging.te b/edgetpu/sepolicy/edgetpu_logging.te
new file mode 100644
index 0000000..2cd9ea4
--- /dev/null
+++ b/edgetpu/sepolicy/edgetpu_logging.te
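Review bot: `neverallow appdomain edgetpu_device:chr_file { open };` forbids only `open`, while priv_app.te and untrusted_app_all.te in this same patch hand app domains `read write ioctl map` on that node, so the effective boundary is the fd that `edgetpu_app_server` passes to its clients and whatever caller checks it performs first; the comment above the neverallow should state that, e.g. `# Apps never open the device themselves; they only receive fds handed out by edgetpu_app_server after its own caller checks.` `allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;` also gives a coredomain process write access to the driver's sysfs nodes — if the server only reads them, `r_file_perms` is the tighter grant; confirm against the service. On style, the macro invocations here end in `;` (`binder_use(edgetpu_app_server);`) except `init_daemon_domain(edgetpu_app_server)`; AOSP policy omits the trailing `;` after macros, and the same mix appears in edgetpu_logging.te, edgetpu_vendor_server.te and hal_neuralnetworks_darwinn.te.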
@@ -0,0 +1,15 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow edgetpu_logging sysfs_edgetpu:dir search;
+allow edgetpu_logging sysfs_edgetpu:file rw_file_perms;
+
+# Allow TPU logging service to log to stats service. (metrics)
+allow edgetpu_logging fwk_stats_service:service_manager find;
+binder_call(edgetpu_logging, system_server);
+binder_use(edgetpu_logging)
diff --git a/edgetpu/sepolicy/edgetpu_vendor_server.te b/edgetpu/sepolicy/edgetpu_vendor_server.te
new file mode 100644
index 0000000..1060510
--- /dev/null
+++ b/edgetpu/sepolicy/edgetpu_vendor_server.te
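Review bot: The comment `# The logging service accesses /dev/` is cut off and names no node; the rule under it covers `edgetpu_device`, so write `# The logging service accesses the EdgeTPU device node (/dev/abrolhos, see edgetpu_app_service.te).` The next block grants `sysfs_edgetpu:file rw_file_perms` to a logging daemon — if it only reads counters under /sys/class/edgetpu, `r_file_perms` is enough and removes a write path into the driver's sysfs knobs; confirm against what the binary does. `binder_use(edgetpu_logging)` is also placed after `binder_call(edgetpu_logging, system_server);` under the stats-logging comment; moving it up beside the type declarations, as the other domains in this patch do, makes the binder setup easier to find.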
@@ -0,0 +1,31 @@
+# EdgeTPU vendor service.
+type edgetpu_vendor_server, domain;
+type edgetpu_vendor_server_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_vendor_server)
+
+# The vendor service will use binder calls.
+binder_use(edgetpu_vendor_server);
+
+# The vendor service will serve a binder service.
+binder_service(edgetpu_vendor_server);
+
+# EdgeTPU vendor service to register the service to service_manager.
+add_service(edgetpu_vendor_server, edgetpu_vendor_service);
+
+# Allow communications between other vendor services.
+allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };
+
+# Allow EdgeTPU vendor service to access its data files.
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:file create_file_perms;
+allow edgetpu_vendor_server edgetpu_vendor_service_data_file:dir create_dir_perms;
+
+# Allow EdgeTPU vendor service to access Android shared memory allocated
+# by the camera hal for on-device compilation.
+allow edgetpu_vendor_server hal_camera_default:fd use;
+
+# Allow EdgeTPU vendor service to read the kernel version.
+# This is done inside the InitGoogle.
+allow edgetpu_vendor_server proc_version:file r_file_perms;
+
+# Allow EdgeTPU vendor service to read the overcommit_memory info.
+allow edgetpu_vendor_server proc_overcommit_memory:file r_file_perms;
diff --git a/edgetpu/sepolicy/file.te b/edgetpu/sepolicy/file.te
new file mode 100644
index 0000000..5b3c8b5
--- /dev/null
+++ b/edgetpu/sepolicy/file.te
@@ -0,0 +1,8 @@
+# EdgeTPU sysfs
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# EdgeTPU hal data file
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU vendor service data file
+type edgetpu_vendor_service_data_file, file_type, data_file_type;
diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
new file mode 100644
index 0000000..e8fb9ac
--- /dev/null
+++ b/edgetpu/sepolicy/file_contexts
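Review bot: `allow edgetpu_vendor_server vndbinder_device:chr_file { read write open ioctl map };` hand-lists the /dev/vndbinder permissions but grants nothing toward `vndservicemanager`, and its comment ("communications between other vendor services") does not say which services or in which direction. The AOSP macro `vndbinder_use(edgetpu_vendor_server)` is the conventional spelling and covers both the device node and the vndservicemanager call; if the process never registers or looks up vndbinder services, the comment should say what the raw device access is for instead. `create_dir_perms` on `edgetpu_vendor_service_data_file:dir` together with `create_file_perms` on its files is the full write set for /data/vendor/edgetpu, so a comment naming what is stored there (compiled models, caches) would let the grant be reviewed later.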
@@ -0,0 +1,24 @@
+# EdgeTPU logging service
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@service-darwinn-aidl u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
+# EdgeTPU service binaries and libraries
+/system_ext/bin/hw/vendor\.google\.edgetpu_app_service@1\.0-service u:object_r:edgetpu_app_server_exec:s0
+
+# EdgeTPU vendor service
+/vendor/bin/hw/vendor\.google\.edgetpu_vendor_service@1\.0-service u:object_r:edgetpu_vendor_server_exec:s0
+
+# EdgeTPU metrics logging service.
+/vendor/lib64/libedgetpu_client\.google\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
+# EdgeTPU runtime libraries
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+
+# EdgeTPU data files
+/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+/data/vendor/edgetpu(/.*)? u:object_r:edgetpu_vendor_service_data_file:s0
+
diff --git a/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
new file mode 100644
index 0000000..f301a72
--- /dev/null
+++ b/edgetpu/sepolicy/hal_neuralnetworks_darwinn.te
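Review bot: The heading `# EdgeTPU metrics logging service.` sits above three library labels (`libedgetpu_client.google.so`, `libmetrics_logger.so`, `libedgetpu_util.so`), not above a service, and it omits the security-relevant fact that `same_process_hal_file` means these objects are loaded into the calling process and run with the caller's privileges. Replace it with `# EdgeTPU client libraries (same_process_hal_file: loaded into the caller's process, so they must not need vendor-only access).` The file also ends with a stray blank line after the `/data/vendor/edgetpu(/.*)?` entry.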
@@ -0,0 +1,53 @@
+type hal_neuralnetworks_darwinn, domain;
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+# The TPU HAL looks for TPU instance in /dev/abrolhos
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+
+# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
+
+# Allow DarwiNN service to access data files.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+
+# Allow DarwiNN service to access unix sockets for IPC.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:sock_file { create unlink rw_file_perms };
+
+# Register to hwbinder service.
+# add_hwservice() is granted by hal_server_domain + hal_neuralnetworks.te
+hwbinder_use(hal_neuralnetworks_darwinn)
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
+
+# Allow TPU HAL to read the kernel version.
+# This is done inside the InitGoogle.
+allow hal_neuralnetworks_darwinn proc_version:file r_file_perms;
+
+# Allow TPU NNAPI HAL to log to stats service. (metrics)
+allow hal_neuralnetworks_darwinn fwk_stats_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, system_server);
+binder_use(hal_neuralnetworks_darwinn)
+
+# Allow TPU NNAPI HAL to request power hints from the Power Service
+hal_client_domain(hal_neuralnetworks_darwinn, hal_power)
+
+# TPU NNAPI to register the service to service_manager.
+add_service(hal_neuralnetworks_darwinn, edgetpu_nnapi_service);
+
+# Allow TPU NNAPI HAL to read the overcommit_memory info.
+allow hal_neuralnetworks_darwinn proc_overcommit_memory:file r_file_perms;
+
+# Allows the logging service to access /sys/class/edgetpu
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:dir r_dir_perms;
+allow hal_neuralnetworks_darwinn sysfs_edgetpu:file r_file_perms;
+
+# Allows the NNAPI HAL to access the edgetpu_app_service
+allow hal_neuralnetworks_darwinn edgetpu_app_service:service_manager find;
+binder_call(hal_neuralnetworks_darwinn, edgetpu_app_server);
+
+# Allow NNAPI HAL to send trace packets to Perfetto with SELinux enabled
+# under userdebug builds.
+userdebug_or_eng(`perfetto_producer(hal_neuralnetworks_darwinn)')
diff --git a/edgetpu/sepolicy/priv_app.te b/edgetpu/sepolicy/priv_app.te
new file mode 100644
index 0000000..22021a8
--- /dev/null
+++ b/edgetpu/sepolicy/priv_app.te
@@ -0,0 +1,10 @@
+# Allows privileged applications to discover the EdgeTPU service.
+allow priv_app edgetpu_app_service:service_manager find;
+
+# Allows privileged applications to discover the NNAPI TPU service.
+allow priv_app edgetpu_nnapi_service:service_manager find;
+
+# Allows privileged applications to access the EdgeTPU device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
+
diff --git a/edgetpu/sepolicy/property.te b/edgetpu/sepolicy/property.te
new file mode 100644
index 0000000..ed93d44
--- /dev/null
+++ b/edgetpu/sepolicy/property.te
@@ -0,0 +1,4 @@
+# EdgeTPU service requires system public properties
+# since it lives under /system_ext/.
+system_public_prop(vendor_edgetpu_service_prop)
+
diff --git a/edgetpu/sepolicy/property_contexts b/edgetpu/sepolicy/property_contexts
new file mode 100644
index 0000000..130cfef
--- /dev/null
+++ b/edgetpu/sepolicy/property_contexts
@@ -0,0 +1,3 @@
+# for EdgeTPU
+vendor.edgetpu.service. u:object_r:vendor_edgetpu_service_prop:s0
+
diff --git a/edgetpu/sepolicy/service.te b/edgetpu/sepolicy/service.te
new file mode 100644
index 0000000..3cb81dd
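Review bot: `# Allows the logging service to access /sys/class/edgetpu` above the two `sysfs_edgetpu` rules is copied from edgetpu_logging.te and names the wrong subject; this domain is the NNAPI HAL and is granted read only, so `# Allows the NNAPI HAL to read /sys/class/edgetpu` matches the `r_dir_perms`/`r_file_perms` below it. Earlier in the same hunk (which begins on the previous line), `# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.` both misspells DarwiNN and describes a client-provided fd, whereas the rule grants direct `vendor_configs_file:file r_file_perms`; if the HAL opens the file itself, say so, and if it really receives the fd from a client the matching rule would be `fd use` on that client's domain rather than read on the file type — confirm which is intended.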
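Review bot: `allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };` grants unrestricted `ioctl` on the TPU device node, so any fd an app receives from edgetpu_app_server exposes the driver's entire ioctl surface; the identical grant to `untrusted_app_all` in untrusted_app_all.te is where this matters most. Pairing each rule with an extended-permission allowlist, `allowxperm priv_app edgetpu_device:chr_file ioctl { IOCTL_ALLOWLIST_PLACEHOLDER };` (replace the placeholder with the ioctl numbers the client library actually issues), limits what a compromised app can send to the kernel through that fd. `allow priv_app edgetpu_nnapi_service:service_manager find;` also looks redundant if `app_api_service`, which service.te places on that type, already grants `find` to all app domains — verify before dropping it.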
--- /dev/null
+++ b/edgetpu/sepolicy/service.te
@@ -0,0 +1,5 @@
+type edgetpu_nnapi_service, app_api_service, service_manager_type;
+type edgetpu_vendor_service, service_manager_type, hal_service_type;
+
+# EdgeTPU binder service type declaration.
+type edgetpu_app_service, service_manager_type;
diff --git a/edgetpu/sepolicy/service_contexts b/edgetpu/sepolicy/service_contexts
new file mode 100644
index 0000000..9972eae
--- /dev/null
+++ b/edgetpu/sepolicy/service_contexts
@@ -0,0 +1,7 @@
+
+com.google.edgetpu.IEdgeTpuVendorService/default u:object_r:edgetpu_vendor_service:s0
+# TPU NNAPI Service
+android.hardware.neuralnetworks.IDevice/google-edgetpu u:object_r:edgetpu_nnapi_service:s0
+
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuAppService/default u:object_r:edgetpu_app_service:s0
diff --git a/edgetpu/sepolicy/untrusted_app_all.te b/edgetpu/sepolicy/untrusted_app_all.te
new file mode 100644
index 0000000..9abec61
--- /dev/null
+++ b/edgetpu/sepolicy/untrusted_app_all.te
@@ -0,0 +1,7 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_app_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
+
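Review bot: `type edgetpu_nnapi_service, app_api_service, service_manager_type;` exposes the HAL's `android.hardware.neuralnetworks.IDevice/google-edgetpu` endpoint (service_contexts) to every app domain, while priv_app.te separately grants `find` on it and untrusted_app_all.te does not; the two files disagree about who is meant to reach the HAL directly. If only the framework's NNAPI runtime and privileged apps should bind it, drop `app_api_service` and keep the explicit priv_app rule; if all apps should, the priv_app rule is redundant. The first two type lines also lack the comment the third has, e.g. `# NNAPI TPU IDevice service registered by hal_neuralnetworks_darwinn.` and `# Vendor-side EdgeTPU service registered by edgetpu_vendor_server.`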
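Review bot: The `com.google.edgetpu.IEdgeTpuVendorService/default` entry is the only one of the three without a heading comment, and the file opens with a blank line instead; add `# EdgeTPU vendor service` above it and drop the leading blank so the entries read uniformly.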