drgreen/android_device_google_gs-common
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
android_device_google_gs-co.../edgetpu/sepolicy/edgetpu_app_service.te
feiyuchen a59d019822 Allow EdgeTpu service to read persist.device_config.edgetpu_native properties 
Background:
Darwinn Runtime team wants to use a cloud-based infra (Android Core Experiments) to push flags from server to device. The flags will be stored into android properties under the namespace: `persist.device_config.edgetpu_native`, which has a property context called `device_config_edgetpu_native_prop` as added by the other CL: https://android-review.git.corp.google.com/c/platform/system/sepolicy/+/2434232

Change:
Allow EdgeTpu service to read device_config_edgetpu_native_prop

Test: Verified EdgeTpu has access to read the property
Bug: 243553703
Bug: 246401730
Change-Id: I19dca0e2d3008e36bdbca50f610810148a7e11dd
2023-02-15 07:19:07 +00:00

41 lines
1.7 KiB
Plaintext
Raw Blame History

# EdgeTPU app server process which runs the EdgeTPU binder service.
type edgetpu_app_server, coredomain, domain;
type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
init_daemon_domain(edgetpu_app_server)
# The server will use binder calls.
binder_use(edgetpu_app_server);
# The server will serve a binder service.
binder_service(edgetpu_app_server);
# EdgeTPU server to register the service to service_manager.
add_service(edgetpu_app_server, edgetpu_app_service);
# EdgeTPU service needs to access /dev/abrolhos.
allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;
# Applications are not allowed to open the EdgeTPU device directly.
neverallow appdomain edgetpu_device:chr_file { open };
# Allow EdgeTPU service to access the Package Manager service.
allow edgetpu_app_server package_native_service:service_manager find;
binder_call(edgetpu_app_server, system_server);
# Allow EdgeTPU service to read EdgeTPU service related system properties.
get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
# Allow EdgeTPU service to read device_configs that are set by the cloud server.
get_prop(edgetpu_app_server, device_config_edgetpu_native_prop);
# Allow EdgeTPU service to generate Perfetto traces.
perfetto_producer(edgetpu_app_server);
# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
binder_call(edgetpu_app_server, edgetpu_vendor_server);
# Allow EdgeTPU service to log to stats service. (metrics)
allow edgetpu_app_server fwk_stats_service:service_manager find;
Reference in New Issue View Git Blame Copy Permalink