From 2c11d61122273443086a02b0b0fda9638e677bfc Mon Sep 17 00:00:00 2001 From: dianlujitao Date: Sun, 20 Mar 2022 19:17:05 -0300 Subject: veux: sepolicy: Make fastrpc_shell_3 publicly available * Used by GCAM for DSP-accelerated HDR processing * Arguably we should label /vendor/dsp/cdsp/fastrpc_shell_3 to same_process_hal_file like Pixels, but the partition is prebuilt thus we're unable to relabel it. * Copy the file to writable tmpfs, setup attributes and bind mount back to workaround the limitation. [ghostrider-reborn]: Allow adsp/cdsprpcd and neuralnetworks HAL to access fastrpc_shell_3 [kras edit: 1. rename some contexts as per qva/kona 2. extend to allow camera HAL and VPP service to access it as well] Co-authored-by: Adithya R --- sepolicy/vendor/adsprpcd.te | 3 +++ sepolicy/vendor/app.te | 3 +++ sepolicy/vendor/cdsprpcd.te | 1 + sepolicy/vendor/file_contexts | 5 +++++ sepolicy/vendor/hal_camera_default.te | 2 ++ sepolicy/vendor/hal_neuralnetworks_default.te | 1 + sepolicy/vendor/init.te | 1 + sepolicy/vendor/vppservice.te | 1 + 8 files changed, 17 insertions(+) create mode 100644 sepolicy/vendor/cdsprpcd.te create mode 100644 sepolicy/vendor/hal_neuralnetworks_default.te create mode 100644 sepolicy/vendor/init.te create mode 100644 sepolicy/vendor/vppservice.te (limited to 'sepolicy/vendor') diff --git a/sepolicy/vendor/adsprpcd.te b/sepolicy/vendor/adsprpcd.te index 58fe3e7..d5efe9f 100644 --- a/sepolicy/vendor/adsprpcd.te +++ b/sepolicy/vendor/adsprpcd.te @@ -1 +1,4 @@ +type public_adsprpcd_file, file_type; + +r_dir_file(vendor_adsprpcd, public_adsprpcd_file) r_dir_file(vendor_adsprpcd, vendor_sysfs_graphics) diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te index 60325ab..b70be61 100644 --- a/sepolicy/vendor/app.te +++ b/sepolicy/vendor/app.te @@ -1 +1,4 @@ +allow { appdomain -isolated_app } adsprpcd_file:dir r_dir_perms; +allow { appdomain -isolated_app } public_adsprpcd_file:file r_file_perms; + get_prop({ appdomain -isolated_app }, vendor_mlipay_prop) diff --git a/sepolicy/vendor/cdsprpcd.te b/sepolicy/vendor/cdsprpcd.te new file mode 100644 index 0000000..36612a5 --- /dev/null +++ b/sepolicy/vendor/cdsprpcd.te @@ -0,0 +1 @@ +r_dir_file(vendor_cdsprpcd, public_adsprpcd_file) \ No newline at end of file diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts index 7afaa3a..7475fab 100644 --- a/sepolicy/vendor/file_contexts +++ b/sepolicy/vendor/file_contexts @@ -15,6 +15,11 @@ # Camera /mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0 +# Hexagon DSP-side executable needed for Halide operation +# This is labeled as public_adsprpcd_file as it needs to be read by apps +# (e.g. Google Camera App) +/mnt/vendor/dsp/fastrpc_shell_3 u:object_r:public_adsprpcd_file:s0 + # Fingerprint /dev/goodix_fp u:object_r:vendor_fingerprint_device:s0 /dev/silead_fp u:object_r:vendor_fingerprint_device:s0 diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te index d97b6ee..cbca59c 100644 --- a/sepolicy/vendor/hal_camera_default.te +++ b/sepolicy/vendor/hal_camera_default.te @@ -1,2 +1,4 @@ r_dir_file(hal_camera_default, camera_persist_file) set_prop(hal_camera_default, vendor_camera_sensor_prop) + +allow hal_camera_default public_adsprpcd_file:file r_file_perms; diff --git a/sepolicy/vendor/hal_neuralnetworks_default.te b/sepolicy/vendor/hal_neuralnetworks_default.te new file mode 100644 index 0000000..97582e9 --- /dev/null +++ b/sepolicy/vendor/hal_neuralnetworks_default.te @@ -0,0 +1 @@ +r_dir_file(vendor_hal_neuralnetworks_default, public_adsprpcd_file) \ No newline at end of file diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te new file mode 100644 index 0000000..5be36d2 --- /dev/null +++ b/sepolicy/vendor/init.te @@ -0,0 +1 @@ +allow init adsprpcd_file:file mounton; \ No newline at end of file diff --git a/sepolicy/vendor/vppservice.te b/sepolicy/vendor/vppservice.te new file mode 100644 index 0000000..1870236 --- /dev/null +++ b/sepolicy/vendor/vppservice.te @@ -0,0 +1 @@ +r_dir_file(vendor_vppservice, public_adsprpcd_file) \ No newline at end of file -- cgit v1.2.3