From ea331aa7b8e5cda406ac5da77b7c5c8477f4ea0f Mon Sep 17 00:00:00 2001
From: Michael Butler <butlermichael@google.com>
Date: Fri, 15 Dec 2017 14:16:25 -0800
Subject: [PATCH] Allow applications to use NN API HAL services

The NeuralNetworks runtime is a library that communicates with
NeuralNetworks HIDL services and is linked by applications. To enable
the NN runtime to use these services, applications must have explicit
sepolicy permissions to find the NN services and communicate across
binder.

This CL relaxes neverallow rules for hal_neuralnetworks_*.

Because it affects pre-existing neverallow rules, this CL requires
a CTS rebuild.

Bug: 70340780
Test: mm
Test: ran neuralnetworks vts and cts binaries
Change-Id: I84f73ac77486681f91d1f8687268c0fa22a7ba0b
(cherry picked from commit 598870bebc4bb34542df81799b46f3cdcfb6723b)
---
 private/app_neverallows.te | 3 ++-
 private/technical_debt.cil | 5 +++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c4cbfd859..05ef5ed32 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -172,6 +172,7 @@ neverallow all_untrusted_apps {
   -hal_graphics_allocator_hwservice
   -hal_omx_hwservice
   -hal_cas_hwservice
+  -hal_neuralnetworks_hwservice
   -untrusted_app_visible_hwservice
 }:hwservice_manager find;
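Review bot: Adding `-hal_neuralnetworks_hwservice` to this exemption list drops the neverallow that kept every all_untrusted_apps member from finding the NN hwservice, while the grant added in technical_debt.cil deliberately excludes isolated_app; if isolated_app is a member of all_untrusted_apps (its membership is not visible in this patch), nothing in policy any longer asserts, via CTS, that isolated processes cannot reach this HAL. Consider keeping that assertion explicit, e.g. `neverallow isolated_app hal_neuralnetworks_hwservice:hwservice_manager find;` here and a matching `neverallow isolated_app hal_neuralnetworks_server:binder { call transfer };` alongside the `full_treble_only` binder hunk below. Neither exemption list records why this HAL is considered safe for direct untrusted-app access, unlike the TODO on the binder_in_vendor_violators entry; a short comment such as `# NN runtime is linked into apps and talks to the HAL directly (b/70340780)` would help future reviewers. The enclosing neverallow statement begins before this hunk.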
 
@@ -194,7 +195,6 @@ neverallow all_untrusted_apps {
   hal_keymaster_hwservice
   hal_light_hwservice
   hal_memtrack_hwservice
-  hal_neuralnetworks_hwservice
   hal_nfc_hwservice
   hal_oemlock_hwservice
   hal_power_hwservice
@@ -238,6 +238,7 @@ full_treble_only(`
     -hal_configstore_server
     -hal_graphics_allocator_server
     -hal_cas_server
+    -hal_neuralnetworks_server
     -binder_in_vendor_violators # TODO(b/35870313): Remove once all violations are gone
     -untrusted_app_visible_halserver
   }:binder { call transfer };
diff --git a/private/technical_debt.cil b/private/technical_debt.cil
index 974f32831..7f9d315ed 100644
--- a/private/technical_debt.cil
+++ b/private/technical_debt.cil
@@ -31,3 +31,8 @@
 ; Unfortunately, we can't currently express this in module policy language:
 ;     typeattribute hal_camera hal_allocator_client;
 (typeattributeset hal_allocator_client (hal_camera))
+
+; Apps, except isolated apps, are clients of Neuralnetworks HAL
+; Unfortunately, we can't currently express this in module policy language:
+;     typeattribute { appdomain -isolated_app } hal_neuralnetworks_client;
+(typeattributeset hal_neuralnetworks_client ((and (appdomain) ((not (isolated_app))))))
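Review bot: The set expression on the new typeattributeset line wraps both the `and` expression and the `not` expression in an extra pair of parentheses, which reads differently from the sibling `(typeattributeset hal_allocator_client (hal_camera))` form two lines above. If CIL accepts the flatter form, `(typeattributeset hal_neuralnetworks_client (and (appdomain) (not (isolated_app))))` matches the module-policy equivalent quoted in the comment more closely and avoids a reader wondering whether the nesting is significant. The comment's "Neuralnetworks" spelling also differs from the "NeuralNetworks" used in the commit message; one spelling throughout would be tidier.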
-- 
GitLab