platform_system_sepolicy/public/hal_neuralnetworks.te

# HwBinder IPC from client to server, and callbacks
binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)

hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_allocator:fd use;
allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_neuralnetworks hal_graphics_allocator:fd use;
allow hal_neuralnetworks gpu_device:chr_file rw_file_perms;
allow hal_neuralnetworks gpu_device:dir r_dir_perms;

# Allow NN HAL service to use a client-provided fd residing in /data/data/.
allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };

# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };

# Allow NN HAL service to read a client-provided ION memory fd.
allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;

# Allow NN HAL service to use a client-provided fd residing in /storage
allow hal_neuralnetworks_server storage_file:file { getattr map read };

# Allow NN HAL service to read a client-provided fd residing in /data/app/.
allow hal_neuralnetworks_server apk_data_file:file { getattr map read };

# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
# property to determine whether to deny NNAPI extensions use for apps
# on product partition (apps in GSI are not allowed to use NNAPI extensions).
get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);

# Allow NN HAL client to read device_config_nnapi_native_prop.
get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop)

# This property is only expected to be found in /product/build.prop,
# allow to be set only by init.
neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;

# Define sepolicy for NN AIDL HAL service
hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
binder_call(hal_neuralnetworks_server, servicemanager)

binder_use(hal_neuralnetworks_server)

allow hal_neuralnetworks_server dumpstate:fifo_file write;