From ea331aa7b8e5cda406ac5da77b7c5c8477f4ea0f Mon Sep 17 00:00:00 2001
From: Michael Butler
Date: Fri, 15 Dec 2017 14:16:25 -0800
Subject: [PATCH] Allow applications to use NN API HAL services
The NeuralNetworks runtime is a library that communicates with NeuralNetworks HIDL services and is linked by applications. To enable the NN runtime to use these services, applications must have explicit sepolicy permissions to find the NN services and communicate across binder. This CL relaxes neverallow rules for hal_neuralnetworks_*. Because it is affecting pre-existing neverallow rules, this CL requires a CTS rebuild.
Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
---
 private/app_neverallows.te | 3 ++-
 private/technical_debt.cil | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c4cbfd859..05ef5ed32 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -172,6 +172,7 @@ neverallow all_untrusted_apps {
 -hal_graphics_allocator_hwservice
 -hal_omx_hwservice
 -hal_cas_hwservice
+ -hal_neuralnetworks_hwservice
 -untrusted_app_visible_hwservice
 }:hwservice_manager find;
@@ -194,7 +195,6 @@ neverallow all_untrusted_apps {
 hal_keymaster_hwservice
 hal_light_hwservice
 hal_memtrack_hwservice
- hal_neuralnetworks_hwservice
 hal_nfc_hwservice
 hal_oemlock_hwservice
 hal_power_hwservice
@@ -238,6 +238,7 @@ full_treble_only(`
 -hal_configstore_server
 -hal_graphics_allocator_server
 -hal_cas_server
+ -hal_neuralnetworks_server
 -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
 -untrusted_app_visible_halserver
 }:binder { call transfer };
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 974f32831..7f9d315ed 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
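Review bot: The new `-hal_neuralnetworks_hwservice` exemption in the `hwservice_manager find` neverallow (first hunk) records no rationale, unlike the neighbouring `-binder_in_vendor_violators` entry in the third hunk that cites its bug, so a later reader cannot tell why a vendor HAL is findable from untrusted apps; a comment such as `# b/70340780: the NN runtime library is linked into apps and talks to this HAL directly` next to the entry would capture that. The same applies to the `-hal_neuralnetworks_server` exemption in the third hunk's binder neverallow. Note also that the exemption lifts the guarantee for every domain in all_untrusted_apps, while the grant in technical_debt.cil deliberately excludes isolated_app; if isolated_app has no separate blanket neverallow on hwservice_manager find, a dedicated `neverallow isolated_app hal_neuralnetworks_hwservice:hwservice_manager find;` would keep that exclusion enforced at the neverallow layer rather than only by the absence of an allow rule. Both neverallow statements start before their hunks.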
@@ -31,3 +31,8 @@
 ; Unfortunately, we can't currently express this in module policy language:
 ; typeattribute hal_camera hal_allocator_client;
 (typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+; typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
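Review bot: The `(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))` line grants client status to every domain under appdomain other than isolated_app, so it presumably also covers ephemeral and other restricted app domains that appdomain carries; the comment above it only says "Apps, except isolated apps", so confirm the wider set is intended and say so. Consider `; Apps, except isolated apps, are clients of Neuralnetworks HAL (b/70340780): the NN runtime library is linked into apps` so the reason this HAL is app-reachable is recorded next to the grant. This grant is what actually gives apps access; the exemptions in app_neverallows.te only lift the neverallow, so the two files must be kept in step if the client set is ever narrowed or widened.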