From 91d153e9b58f8f069dc571712355e03709c41ade Mon Sep 17 00:00:00 2001
From: Ian Hua
Date: Tue, 5 Oct 2021 15:23:18 +0100
Subject: [PATCH] Update sepolicy for adding nnapi_native namespace.

Test: mm
Bug: 201399117
Change-Id: I40a2431b6f5a54deae27fe68f503aff9b99e2793
---
 private/compat/31.0/31.0.ignore.cil | 1 +
 private/flags_health_check.te | 1 +
 private/property_contexts | 1 +
 private/system_server.te | 2 ++
 public/hal_neuralnetworks.te | 4 ++++
 public/property.te | 1 +
 6 files changed, 10 insertions(+)

diff --git a/private/compat/31.0/31.0.ignore.cil b/private/compat/31.0/31.0.ignore.cil
index 0fdb697c4..58841c60f 100644
--- a/private/compat/31.0/31.0.ignore.cil
+++ b/private/compat/31.0/31.0.ignore.cil
@@ -7,6 +7,7 @@
 ( new_objects
 artd_service
 camera2_extensions_prop
+ device_config_nnapi_native_prop
 extra_free_kbytes
 extra_free_kbytes_exec
 hal_contexthub_service
diff --git a/private/flags_health_check.te b/private/flags_health_check.te
index aefbb3dcc..c4e589de6 100644
--- a/private/flags_health_check.te
+++ b/private/flags_health_check.te
@@ -9,6 +9,7 @@ set_prop(flags_health_check, device_config_runtime_native_prop)
 set_prop(flags_health_check, device_config_input_native_boot_prop)
 set_prop(flags_health_check, device_config_lmkd_native_prop)
 set_prop(flags_health_check, device_config_netd_native_prop)
+set_prop(flags_health_check, device_config_nnapi_native_prop)
 set_prop(flags_health_check, device_config_activity_manager_native_boot_prop)
 set_prop(flags_health_check, device_config_media_native_prop)
 set_prop(flags_health_check, device_config_profcollect_native_boot_prop)
diff --git a/private/property_contexts b/private/property_contexts
index 8f08dd34c..266761568 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -241,6 +241,7 @@ persist.device_config.input_native_boot. u:object_r:device_config_inp
 persist.device_config.lmkd_native. u:object_r:device_config_lmkd_native_prop:s0
 persist.device_config.media_native. u:object_r:device_config_media_native_prop:s0
 persist.device_config.netd_native. u:object_r:device_config_netd_native_prop:s0
+persist.device_config.nnapi_native. u:object_r:device_config_nnapi_native_prop:s0
 persist.device_config.profcollect_native_boot. u:object_r:device_config_profcollect_native_boot_prop:s0
 persist.device_config.runtime_native. u:object_r:device_config_runtime_native_prop:s0
 persist.device_config.runtime_native_boot. u:object_r:device_config_runtime_native_boot_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index 66f9ba48c..4c87b3f04 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -696,6 +696,7 @@ set_prop(system_server, cppreopt_prop)
 # server configurable flags properties
 set_prop(system_server, device_config_input_native_boot_prop)
 set_prop(system_server, device_config_netd_native_prop)
+set_prop(system_server, device_config_nnapi_native_prop)
 set_prop(system_server, device_config_activity_manager_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_boot_prop)
 set_prop(system_server, device_config_runtime_native_prop)
@@ -1217,6 +1218,7 @@ neverallow {
 device_config_input_native_boot_prop
 device_config_lmkd_native_prop
 device_config_netd_native_prop
+ device_config_nnapi_native_prop
 device_config_runtime_native_boot_prop
 device_config_runtime_native_prop
 device_config_media_native_prop
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 7497deca7..04d0b59a5 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -28,6 +28,10 @@ allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
 # property to determine whether to deny NNAPI extensions use for apps
 # on product partition (apps in GSI are not allowed to use NNAPI extensions).
 get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+
+# Allow NN HAL client to read device_config_nnapi_native_prop.
+get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)
+
 # This property is only expected to be found in /product/build.prop,
 # allow to be set only by init.
 neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
diff --git a/public/property.te b/public/property.te
index 2b2af6d19..de6174823 100644
--- a/public/property.te
+++ b/public/property.te
@@ -65,6 +65,7 @@ system_restricted_prop(bq_config_prop)
 system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
+system_restricted_prop(device_config_nnapi_native_prop)
 system_restricted_prop(device_config_runtime_native_boot_prop)
 system_restricted_prop(device_config_runtime_native_prop)
 system_restricted_prop(fingerprint_prop)
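Review bot: The new `get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)` in public/hal_neuralnetworks.te grants read access to a client attribute rather than to one domain, and the comment above it only restates the rule. Every domain that is made an NN HAL client will be able to read all properties labelled with this type, so the comment should record that breadth and the expectation that these flags carry no sensitive values, e.g. `# nnapi_native flags are read by all NN HAL client domains; keep secrets out of this namespace.` The added rule also omits the trailing `;` that the `nnapi_ext_deny_product_prop` rule just above it has; matching it keeps the file consistent.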
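Review bot: `system_restricted_prop(device_config_nnapi_native_prop)` in public/property.te puts the new type into public policy with no comment saying why; in the visible context only the two runtime_native device_config types are declared alongside it. Presumably it has to be public because public/hal_neuralnetworks.te references it in the same commit, and a one-line comment such as `# public: read by hal_neuralnetworks_client` would tell a later reader that the wider read visibility is intentional. Writers appear to stay limited by the neverallow list extended in private/system_server.te, though that rule's header and source set lie outside its hunk and should be checked there.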