| # HwBinder IPC from client to server, and callbacks |
| binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server) |
| binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client) |
| |
| hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice) |
| allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find; |
| allow hal_neuralnetworks hal_allocator:fd use; |
| allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find; |
| allow hal_neuralnetworks hal_graphics_allocator:fd use; |
| |
| # Allow NN HAL service to use a client-provided fd residing in /data/data/. |
| allow hal_neuralnetworks_server app_data_file:file { read write getattr map }; |
| allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map }; |
| |
| # Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/. |
| allow hal_neuralnetworks_server shell_data_file:file { read write getattr map }; |
| |
| # Allow NN HAL service to read a client-provided ION memory fd. |
| allow hal_neuralnetworks_server ion_device:chr_file r_file_perms; |
| |
| # Allow NN HAL service to use a client-provided fd residing in /storage |
| allow hal_neuralnetworks_server storage_file:file { getattr map read }; |
| |
| # Allow NN HAL service to read a client-provided fd residing in /data/app/. |
| allow hal_neuralnetworks_server apk_data_file:file { getattr map read }; |
| |
| # Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product |
| # property to determine whether to deny NNAPI extensions use for apps |
| # on product partition (apps in GSI are not allowed to use NNAPI extensions). |
| get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop); |
| |
| # Allow NN HAL client to read device_config_nnapi_native_prop. |
| get_prop(hal_neuralnetworks_client, device_config_nnapi_native_prop) |
| |
| # This property is only expected to be found in /product/build.prop, |
| # allow to be set only by init. |
| neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set; |
| |
| # Define sepolicy for NN AIDL HAL service |
| hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service) |
| binder_call(hal_neuralnetworks_server, servicemanager) |
| |
| binder_use(hal_neuralnetworks_server) |
| |
| allow hal_neuralnetworks_server dumpstate:fifo_file write; |