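# EdgeTPU app server process which runs the EdgeTPU binder service.
# The domain is a coredomain (system partition) daemon started by init.
type edgetpu_app_server, coredomain, domain;
type edgetpu_app_server_exec, exec_type, system_file_type, file_type;
init_daemon_domain(edgetpu_app_server)

# The server will use binder calls.
binder_use(edgetpu_app_server);

# The server will serve a binder service.
binder_service(edgetpu_app_server);

# EdgeTPU server registers its service (edgetpu_app_service) with servicemanager.
add_service(edgetpu_app_server, edgetpu_app_service);

# EdgeTPU service needs to access /dev/abrolhos (labelled edgetpu_device)
# and the EdgeTPU sysfs nodes.
allow edgetpu_app_server edgetpu_device:chr_file rw_file_perms;
allow edgetpu_app_server sysfs_edgetpu:dir r_dir_perms;
allow edgetpu_app_server sysfs_edgetpu:file rw_file_perms;

# Applications are not allowed to open the EdgeTPU device directly; all
# app access must go through this server. Note this only forbids open():
# a file descriptor handed to an app over binder is not covered here and
# is governed by the fd-passing rules of the app domains.
neverallow appdomain edgetpu_device:chr_file { open };

# Allow EdgeTPU service to access the Package Manager service
# (package_native_service is hosted in system_server, hence the binder_call).
allow edgetpu_app_server package_native_service:service_manager find;
binder_call(edgetpu_app_server, system_server);

# Allow EdgeTPU service to read EdgeTPU service related system properties.
get_prop(edgetpu_app_server, vendor_edgetpu_service_prop);
# Allow EdgeTPU service to read device_configs that are set by the cloud server.
get_prop(edgetpu_app_server, device_config_edgetpu_native_prop);

# Allow EdgeTPU service to generate Perfetto traces.
perfetto_producer(edgetpu_app_server);

# Allow EdgeTPU service to connect to the EdgeTPU vendor version of the service.
allow edgetpu_app_server edgetpu_vendor_service:service_manager find;
binder_call(edgetpu_app_server, edgetpu_vendor_server);

# Allow EdgeTPU service to log to stats service. (metrics)
allow edgetpu_app_server fwk_stats_service:service_manager find;

# Allow mlock without size restriction. CAP_IPC_LOCK lifts RLIMIT_MEMLOCK
# entirely, so the amount of pinned memory is bounded only by what the
# server chooses to lock.
allow edgetpu_app_server self:capability ipc_lock;

# Need to effectively read file mapped file when mmap + mlocked.
allow edgetpu_app_server privapp_data_file:file { map read };

# For shell level testing of mlock only. Reading shell-owned data is not
# needed by the service in production, so keep this off user builds.
userdebug_or_eng(`
  allow edgetpu_app_server shell_data_file:file { map read };
')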