summaryrefslogtreecommitdiff
path: root/prebuilts/api/32.0/public/hal_neuralnetworks.te
diff options
context:
space:
mode:
Diffstat (limited to 'prebuilts/api/32.0/public/hal_neuralnetworks.te')
-rw-r--r--prebuilts/api/32.0/public/hal_neuralnetworks.te41
1 files changed, 41 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/public/hal_neuralnetworks.te b/prebuilts/api/32.0/public/hal_neuralnetworks.te
new file mode 100644
index 000000000..7497deca7
--- /dev/null
+++ b/prebuilts/api/32.0/public/hal_neuralnetworks.te
@@ -0,0 +1,41 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_neuralnetworks_client, hal_neuralnetworks_server)
+binder_call(hal_neuralnetworks_server, hal_neuralnetworks_client)
+
+hal_attribute_hwservice(hal_neuralnetworks, hal_neuralnetworks_hwservice)
+allow hal_neuralnetworks hidl_memory_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_allocator:fd use;
+allow hal_neuralnetworks hal_graphics_mapper_hwservice:hwservice_manager find;
+allow hal_neuralnetworks hal_graphics_allocator:fd use;
+
+# Allow NN HAL service to use a client-provided fd residing in /data/data/.
+allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
+allow hal_neuralnetworks_server privapp_data_file:file { read write getattr map };
+
+# Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
+allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+
+# Allow NN HAL service to read a client-provided ION memory fd.
+allow hal_neuralnetworks_server ion_device:chr_file r_file_perms;
+
+# Allow NN HAL service to use a client-provided fd residing in /storage
+allow hal_neuralnetworks_server storage_file:file { getattr map read };
+
+# Allow NN HAL service to read a client-provided fd residing in /data/app/.
+allow hal_neuralnetworks_server apk_data_file:file { getattr map read };
+
+# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
+# property to determine whether to deny NNAPI extensions use for apps
+# on product partition (apps in GSI are not allowed to use NNAPI extensions).
+get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+# This property is only expected to be found in /product/build.prop,
+# allow to be set only by init.
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
+
+# Define sepolicy for NN AIDL HAL service
+hal_attribute_service(hal_neuralnetworks, hal_neuralnetworks_service)
+binder_call(hal_neuralnetworks_server, servicemanager)
+
+binder_use(hal_neuralnetworks_server)
+
+allow hal_neuralnetworks_server dumpstate:fifo_file write;
generated by cgit v1.2.3 (git 2.25.1) at 2025-10-03 05:17:41 +0000