From 55f48f663ccaa5742e687195230f8a9f4b12c58d Mon Sep 17 00:00:00 2001
From: Nishok Kumar S 
Date: Tue, 16 Jan 2024 07:40:07 +0000
Subject: [PATCH] Connect Gxp runtime to TPU authentication service

- Add selinux policies to allow edgetpu_app_service to access gxp device.

Bug: 316262348
Test: Disable selinux policies for GCA, then verify if GCA is able to access device through edgetpu app service.
Change-Id: I83429755b1406289c8714d9499c1f14c1ec76a30
---
 edgetpu/sepolicy/file_contexts | 2 +-
 gxp/sepolicy/appdomain.te | 2 ++
 gxp/sepolicy/edgetpu_app_service.te | 6 ++++++
 gxp/sepolicy/priv_app.te | 3 +++
 gxp/sepolicy/untrusted_app_all.te | 3 +++
 5 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 gxp/sepolicy/appdomain.te
 create mode 100644 gxp/sepolicy/edgetpu_app_service.te
 create mode 100644 gxp/sepolicy/priv_app.te
 create mode 100644 gxp/sepolicy/untrusted_app_all.te

diff --git a/edgetpu/sepolicy/file_contexts b/edgetpu/sepolicy/file_contexts
index df0a63e..0cada88 100644
--- a/edgetpu/sepolicy/file_contexts
+++ b/edgetpu/sepolicy/file_contexts
@@ -15,7 +15,7 @@
 /vendor/lib64/libmetrics_logger\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/libedgetpu_util\.so u:object_r:same_process_hal_file:s0
 # EdgeTPU runtime libraries
-/vendor/lib64/com\.google\.edgetpu_app_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/com\.google\.edgetpu_app_service-V[1-3]-ndk\.so u:object_r:same_process_hal_file:s0
 /vendor/lib64/com\.google\.edgetpu_vendor_service-V[1-2]-ndk\.so u:object_r:same_process_hal_file:s0
 
 # EdgeTPU data files
diff --git a/gxp/sepolicy/appdomain.te b/gxp/sepolicy/appdomain.te
new file mode 100644
index 0000000..ada9421
--- /dev/null
+++ b/gxp/sepolicy/appdomain.te
@@ -0,0 +1,2 @@
+# Allow apps to read gxp properties
+get_prop(appdomain, vendor_gxp_prop)
diff --git a/gxp/sepolicy/edgetpu_app_service.te b/gxp/sepolicy/edgetpu_app_service.te
new file mode 100644
index 0000000..780823f
--- /dev/null
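Review bot: `get_prop(appdomain, vendor_gxp_prop)` in appdomain.te grants the whole `vendor_gxp_prop` property type to every app domain, which is wider than the commit's stated goal (letting apps reach the GXP device through the EdgeTPU app service); `appdomain` also covers isolated and ephemeral apps, which presumably have no GXP use at all. Whatever properties carry this type become readable by untrusted code, so the type should be checked for firmware-version, debug or tuning values that act as a fingerprinting or configuration-disclosure surface, and the rule narrowed to the domains that actually need it if that is feasible. At minimum the comment should record the invariant the rule relies on, e.g. `# All apps may read vendor_gxp_prop; only non-sensitive runtime configuration may be labelled with this type.` I cannot tell from the diff which properties are labelled `vendor_gxp_prop`, so please confirm against property_contexts.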
+++ b/gxp/sepolicy/edgetpu_app_service.te
@@ -0,0 +1,6 @@
+# Allow Edgetpu App Service to access the GXP device and read GXP properties.
+allow edgetpu_app_server gxp_device:chr_file rw_file_perms;
+get_prop(edgetpu_app_server, vendor_gxp_prop)
+
+# Allows Edgetpu App Service to search for GXP firmware file.
+allow edgetpu_app_server vendor_fw_file:dir search;
diff --git a/gxp/sepolicy/priv_app.te b/gxp/sepolicy/priv_app.te
new file mode 100644
index 0000000..8afc24d
--- /dev/null
+++ b/gxp/sepolicy/priv_app.te
@@ -0,0 +1,3 @@
+# Allows privileged applications to access the GXP device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app gxp_device:chr_file { getattr read write ioctl map };
diff --git a/gxp/sepolicy/untrusted_app_all.te b/gxp/sepolicy/untrusted_app_all.te
new file mode 100644
index 0000000..456dfee
--- /dev/null
+++ b/gxp/sepolicy/untrusted_app_all.te
@@ -0,0 +1,3 @@
+# Allows applications to access the GXP device, except open,
+# which is guarded by the EdgeTPU service.
+allow untrusted_app_all gxp_device:chr_file { getattr read write ioctl map };
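Review bot: The `rw_file_perms` grant on `gxp_device` makes `edgetpu_app_server` the only app-reachable domain that can `open` the device, so the entire access-control decision for the GXP device now lives in that service's caller checks, which SELinux cannot see; the header comment should state this explicitly, e.g. `# edgetpu_app_server is the sole opener of gxp_device for apps: it must authenticate the caller before handing out a descriptor, since apps receive read/write/ioctl/map on the passed fd.` The second rule grants only `vendor_fw_file:dir search`, while its comment says the service "search[es] for" the firmware file — that is consistent if the service merely resolves or stats a path, but if it reads the firmware it will also need `vendor_fw_file:file r_file_perms`, so please confirm which is intended. As a point of style, the file is named edgetpu_app_service.te but the domain it configures is `edgetpu_app_server`; naming the file after the domain matches the usual one-domain-per-.te convention.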
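Review bot: The untrusted_app_all.te rule grants unrestricted `ioctl` on `gxp_device` to every untrusted app, and priv_app.te grants the identical set; withholding `open` keeps descriptor acquisition behind the EdgeTPU service, but once an app holds a passed fd every ioctl command the driver implements is reachable from untrusted code, including any the service may assume only it issues. An extended-permission allowlist closes that gap without changing the fd-passing design: `allowxperm untrusted_app_all gxp_device:chr_file ioctl { <GXP ioctl commands the runtime library issues> };` with the matching line in priv_app.te, listing only the commands the app-side runtime actually uses (I cannot derive the set from this diff). The comment should also record that correctness depends on no other domain handing a `gxp_device` fd to an app, e.g. `# No open: apps only obtain gxp_device fds via edgetpu_app_server, which must remain the only path that passes them.`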