drgreen/android_device_google_gs-common
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
41836d64ce
android_device_google_gs-co.../edgetpu/sepolicy/edgetpu_app_service.te
Richard Hsu f9c4631891 [mlock] Allow edgetpu_app_service to call mlock() 
This CL references keunyoung's ag/25999220

This is to support the GenAI effort, allowing file backed large models to be mlocked, satisfying the memory accounting on Android.

AVC error message:
https://paste.googleplex.com/5844645780652032

Bug: 322229786

Tested:
end-to-end on ZUM and ZPR.

Change-Id: I6abef85eebbc051cb5e41b8f11f70f7ae1b489ab
2024-03-11 12:16:02 -07:00

50 lines
2.0 KiB
Plaintext
Raw Blame History

# EdgeTPU app server process which runs the EdgeTPU binder service.
type edgetpu_app_server, coredomain, domain;
type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
init_daemon_domain(edgetpu_app_server)
# The server will use binder calls.
binder_use(edgetpu_app_server);
# The server will serve a binder service.
binder_service(edgetpu_app_server);
# EdgeTPU server to register the service to service_manager.
add_service(edgetpu_app_server, edgetpu_app_service);
# EdgeTPU service needs to access /dev/abrolhos.
allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
# Applications are not allowed to open the EdgeTPU device directly.
neverallow appdomain edgetpu_device:chr_file { open };
# Allow EdgeTPU service to access the Package Manager service.
allow edgetpu_app_server package_native_service:service_manager find;
binder_call(edgetpu_app_server, system_server);
# Allow EdgeTPU service to read EdgeTPU service related system properties.
get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
# Allow EdgeTPU service to read device_configs that are set by the cloud server.
get_prop(edgetpu_app_server, device_config_edgetpu_native_prop);
# Allow EdgeTPU service to generate Perfetto traces.
perfetto_producer(edgetpu_app_server);
# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
binder_call(edgetpu_app_server, edgetpu_vendor_server);
# Allow EdgeTPU service to log to stats service. (metrics)
allow edgetpu_app_server fwk_stats_service:service_manager find;
# Allow mlock without size restriction
allow edgetpu_app_server self:capability ipc_lock;
# Need to effectively read file mapped file when mmap + mlocked.
allow edgetpu_app_server privapp_data_file:file { map read};
# For shell level testing of mlock
allow edgetpu_app_server shell_data_file:file { map read};
Reference in New Issue View Git Blame Copy Permalink