From e67bb2ceaa55da9aa15e64509f11b5a80a29dc97 Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Mon, 25 Jan 2021 17:10:58 +0530
Subject: [PATCH] non_plat: Label neural networks hidls and grant required permissions
Signed-off-by: Aayush Gupta
Change-Id: I32d6131cb52ac77aa90e9ac1e73b1ca498ffe5cd
---
 non_plat/file_contexts | 4 ++++
 non_plat/mtk_hal_neuralnetworks.te | 38 ++++++++++++++++++++++++++++++
 non_plat/platform_app.te | 3 +++
 non_plat/system_app.te | 3 +++
 non_plat/untrusted_app.te | 3 +++
 5 files changed, 51 insertions(+)
 create mode 100644 non_plat/mtk_hal_neuralnetworks.te
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 8fd80c5..36cbbed 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -737,3 +737,7 @@
 # DFPS
 /(system\/vendor|vendor)/bin/hw/vendor\.mediatek\.hardware\.dfps@1\.0-service u:object_r:mtk_hal_dfps_exec:s0
+
+# Neural Networks
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.1-service-gpunn u:object_r:mtk_hal_neuralnetworks_exec:s0
+/(system\/vendor|vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.1-service-neuron-ann u:object_r:mtk_hal_neuralnetworks_exec:s0
diff --git a/non_plat/mtk_hal_neuralnetworks.te b/non_plat/mtk_hal_neuralnetworks.te
new file mode 100644
index 0000000..de3d70a
--- /dev/null
+++ b/non_plat/mtk_hal_neuralnetworks.te
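Review bot: Both the `-service-gpunn` and `-service-neuron-ann` binaries are labelled `mtk_hal_neuralnetworks_exec`, so they run in one domain and each receives the union of the GPU, VPU and MDLA device permissions granted in mtk_hal_neuralnetworks.te. If the two services drive different accelerators (the names suggest so, but the patch does not show it), separate exec types and domains would keep a compromise of one service away from the other's device nodes. If the sharing is deliberate, a comment above the two entries such as `# gpunn and neuron-ann intentionally share one domain` would record that for later audits.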
@@ -0,0 +1,38 @@
+type mtk_hal_neuralnetworks, domain;
+type mtk_hal_neuralnetworks_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mtk_hal_neuralnetworks)
+hal_server_domain(mtk_hal_neuralnetworks, hal_neuralnetworks)
+
+allow mtk_hal_neuralnetworks ion_device:chr_file r_file_perms;
+allow mtk_hal_neuralnetworks debugfs_ion:dir r_dir_perms;
+allow mtk_hal_neuralnetworks vpu_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks mdla_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks gpu_device:chr_file rw_file_perms;
+allow mtk_hal_neuralnetworks untrusted_app_25:binder { call transfer };
+allow mtk_hal_neuralnetworks untrusted_app:binder { call transfer };
+allow mtk_hal_neuralnetworks shell_data_file:file read;
+allow mtk_hal_neuralnetworks vendor_configs_file:file r_file_perms;
+allow mtk_hal_neuralnetworks vendor_configs_file:dir r_dir_perms;
+allow mtk_hal_neuralnetworks sdcardfs:file r_file_perms;
+allow mtk_hal_neuralnetworks untrusted_app_25:fd use;
+allow mtk_hal_neuralnetworks untrusted_app:fd use;
+allow mtk_hal_neuralnetworks sysfs_lowmemorykiller:dir r_dir_perms;
+allow mtk_hal_neuralnetworks sysfs_lowmemorykiller:file r_file_perms;
+allow mtk_hal_neuralnetworks proc_zoneinfo:file r_file_perms;
+allow mtk_hal_neuralnetworks apk_data_file:file read;
+allow mtk_hal_neuralnetworks proc_ged:file rw_file_perms;
+allow mtk_hal_neuralnetworks gpu_device:dir r_dir_perms;
+
+allow mtk_hal_neuralnetworks proc_perfmgr:dir r_dir_perms;
+allow mtk_hal_neuralnetworks proc_perfmgr:file r_file_perms;
+
+allowxperm mtk_hal_neuralnetworks proc_perfmgr:file ioctl {
+ PERFMGR_EARA_NN_BEGIN
+ PERFMGR_EARA_NN_END
+ PERFMGR_EARA_GETUSAGE
+};
+
+allow mtk_hal_neuralnetworks proc_ged:file r_file_perms;
+
+allowxperm mtk_hal_neuralnetworks proc_ged:file ioctl { proc_ged_ioctls };
diff --git a/non_plat/platform_app.te b/non_plat/platform_app.te
index 33178e0..982b4e5 100644
--- a/non_plat/platform_app.te
+++ b/non_plat/platform_app.te
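Review bot: `allow mtk_hal_neuralnetworks sdcardfs:file r_file_perms;` lets the HAL open files on shared storage by path, whereas the neighbouring `shell_data_file:file read` and `apk_data_file:file read` rules only permit reading a descriptor that a client hands over. If the intent is the same fd-passing pattern, narrow it to `allow mtk_hal_neuralnetworks sdcardfs:file { read getattr map };`. The `debugfs_ion:dir r_dir_perms` rule gives a production HAL a debugfs dependency and would be safer wrapped in the `userdebug_or_eng` macro, or dropped if it only silences a denial. The later `proc_ged:file r_file_perms` line is already covered by the earlier `proc_ged:file rw_file_perms` and can be removed. Because this domain is reachable from untrusted_app, each device-node and app-data rule deserves a one-line comment naming the use case or denial behind it.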
@@ -125,3 +125,6 @@ binder_call(platform_app, mtk_hal_bgs)
 binder_call(mtk_hal_bgs, platform_app)
 binder_call(platform_app, mtk_hal_camera)
 binder_call(mtk_hal_camera, platform_app)
+
+# Neuralnetwork
+allow platform_app mtk_hal_neuralnetworks:binder { call transfer };
diff --git a/non_plat/system_app.te b/non_plat/system_app.te
index 4e18c90..bd86f07 100644
--- a/non_plat/system_app.te
+++ b/non_plat/system_app.te
@@ -48,3 +48,6 @@ allow system_app mtk_hal_hdmi:binder call;
 allow system_app self:netlink_kobject_uevent_socket {read bind create setopt };
 # system_app need to read from sysfs /sys/class/switch/hdmi/state
 r_dir_file(system_app, sysfs_switch);
+
+# Neuralnetwork
+allow system_app mtk_hal_neuralnetworks:binder { call transfer };
diff --git a/non_plat/untrusted_app.te b/non_plat/untrusted_app.te
index 040d47f..8110e88 100644
--- a/non_plat/untrusted_app.te
+++ b/non_plat/untrusted_app.te
@@ -10,3 +10,6 @@
 # from MTK kernel modules for thermal tests at OEM/ODM.
 allow untrusted_app proc_mtktz:dir search;
 allow untrusted_app proc_mtktz:file r_file_perms;
+
+# Neural network
+allow untrusted_app mtk_hal_neuralnetworks:binder { call transfer };
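Review bot: The added rule in platform_app.te is a raw `allow platform_app mtk_hal_neuralnetworks:binder { call transfer };`, while the context lines directly above it use the `binder_call(platform_app, mtk_hal_camera)` / `binder_call(mtk_hal_camera, platform_app)` pair. Either use `binder_call(platform_app, mtk_hal_neuralnetworks)` for consistency, or add a comment saying why only the one-way `call transfer` is wanted, since the macro additionally allows the reply transfer and use of the service's file descriptors. The same raw form is repeated in the system_app.te and untrusted_app.te hunks. The section comment is also spelled three ways across the patch (`# Neuralnetwork`, `# Neural network`, `# Neural Networks`), and one spelling would make the rules easier to grep.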
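Review bot: Only `untrusted_app` is granted `binder { call transfer }` in the untrusted_app.te hunk, although mtk_hal_neuralnetworks.te in the same patch also adds callback and fd rules for `untrusted_app_25`. Unless that domain is covered elsewhere in the policy, apps running in it would be denied the initial call. If every untrusted app domain is meant to reach the HAL, the attribute expresses that once: `allow untrusted_app_all mtk_hal_neuralnetworks:binder { call transfer };`. The rule exposes a vendor service holding read-write access to the gpu, vpu and mdla device nodes to untrusted callers, so a comment stating that this exposure is intended would help later policy audits.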