From d4b6972bc0d34e81e98daf674e5a36f9040cef7e Mon Sep 17 00:00:00 2001
From: hmz007 <hmz007@gmail.com>
Date: Mon, 9 May 2022 19:02:38 +0800
Subject: [PATCH] rockchip: update sepolicy_vendor for rknn_server

Signed-off-by: hmz007 <hmz007@gmail.com>
---
 .../rockchip/rk356x/sepolicy_vendor/adbd.te   |  1 +
 .../rockchip/rk356x/sepolicy_vendor/file.te   |  1 +
 .../rk356x/sepolicy_vendor/file_contexts      |  1 +
 .../rk356x/sepolicy_vendor/propery.te         |  2 ++
 .../rk356x/sepolicy_vendor/propery_contexts   |  2 ++
 .../rk356x/sepolicy_vendor/rknn_server.te     | 19 +++++++++++++++++++
 6 files changed, 26 insertions(+)
 create mode 100644 device/rockchip/rk356x/sepolicy_vendor/adbd.te
 create mode 100644 device/rockchip/rk356x/sepolicy_vendor/file.te
 create mode 100644 device/rockchip/rk356x/sepolicy_vendor/propery.te
 create mode 100644 device/rockchip/rk356x/sepolicy_vendor/propery_contexts
 create mode 100644 device/rockchip/rk356x/sepolicy_vendor/rknn_server.te

diff --git a/device/rockchip/rk356x/sepolicy_vendor/adbd.te b/device/rockchip/rk356x/sepolicy_vendor/adbd.te
new file mode 100644
index 00000000000..6e3fcca72e2
--- /dev/null
+++ b/device/rockchip/rk356x/sepolicy_vendor/adbd.te
@@ -0,0 +1 @@
+allow adbd rknn_server:unix_stream_socket { connectto };
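Review bot: This grants adbd a connection to rknn_server's stream socket on every build, which on user builds exposes the vendor daemon's socket to the shell-facing debug bridge; if it only serves development tooling, wrap it as `userdebug_or_eng(`allow adbd rknn_server:unix_stream_socket connectto;`)`. Since adbd is a core domain, extending it from vendor sepolicy may also be rejected by the Treble/compat neverallow checks of this build — worth confirming before relying on it. A one-line comment naming the client that needs this (presumably the rknn_tools mentioned in propery_contexts) would make the rule auditable later.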
diff --git a/device/rockchip/rk356x/sepolicy_vendor/file.te b/device/rockchip/rk356x/sepolicy_vendor/file.te
new file mode 100644
index 00000000000..40c7dfed69b
--- /dev/null
+++ b/device/rockchip/rk356x/sepolicy_vendor/file.te
@@ -0,0 +1 @@
+type rknn_data_file, file_type, data_file_type, core_data_file_type;
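Review bot: `rknn_data_file` is given the `core_data_file_type` attribute, yet in this patch the only domain that touches it is the vendor domain rknn_server, and no path is labelled with it — the file_contexts hunk adds only the executable — so unless another file assigns it, the type is unreachable and the `rknn_data_file:file { write read }` rule in rknn_server.te is dead. If the files live under /data/vendor, the core attribute looks inconsistent with a vendor-owned type and may trip the neverallows that keep vendor domains off core data files; if they are an existing labelled path, the new type can be dropped. Either way add the matching file_contexts line or a comment stating where the label comes from.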
diff --git a/device/rockchip/rk356x/sepolicy_vendor/file_contexts b/device/rockchip/rk356x/sepolicy_vendor/file_contexts
index 9a320dfde73..1bf4b7c2219 100644
--- a/device/rockchip/rk356x/sepolicy_vendor/file_contexts
+++ b/device/rockchip/rk356x/sepolicy_vendor/file_contexts
@@ -1 +1,2 @@
 /vendor/lib(64)?/hw/vulkan.rk356x.so            u:object_r:same_process_hal_file:s0
+/vendor/bin/rknn_server                         u:object_r:rknn_server_exec:s0
diff --git a/device/rockchip/rk356x/sepolicy_vendor/propery.te b/device/rockchip/rk356x/sepolicy_vendor/propery.te
new file mode 100644
index 00000000000..8cc71b0a573
--- /dev/null
+++ b/device/rockchip/rk356x/sepolicy_vendor/propery.te
@@ -0,0 +1,2 @@
+#type vendor_rknn_prop, property_type;
+vendor_internal_prop(vendor_rknn_prop)
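Review bot: The commented-out `#type vendor_rknn_prop, property_type;` is dead policy and should be removed: `vendor_internal_prop` already declares the type, and a leftover manual declaration invites someone to uncomment it and get a duplicate-type error. `vendor_internal_prop` also limits the property to vendor domains, which fits rknn_server but contradicts the `#for rknn_tools` comment in propery_contexts if that tool does not run in a vendor domain — confirm, and if a non-vendor reader is required use the public/restricted property macro the build's te_macros provide instead. The file names `propery.te` and `propery_contexts` look like typos for "property"; harmless to the build since .te files are concatenated, but worth fixing in the same series.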
diff --git a/device/rockchip/rk356x/sepolicy_vendor/propery_contexts b/device/rockchip/rk356x/sepolicy_vendor/propery_contexts
new file mode 100644
index 00000000000..14f5b105f60
--- /dev/null
+++ b/device/rockchip/rk356x/sepolicy_vendor/propery_contexts
@@ -0,0 +1,2 @@
+#for rknn_tools
+persist.vendor.rknn.	                        u:object_r:vendor_rknn_prop:s0
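Review bot: `persist.vendor.rknn.` with the trailing dot is a prefix match, so every key under it is labelled `vendor_rknn_prop` and any domain granted set_prop on it (rknn_server in this patch) can write all of them, persistently across reboots. The comment `#for rknn_tools` does not say which keys are expected; replace it with something like `# persist.vendor.rknn.* : settings exchanged between rknn_server and rknn_tools` (constructed wording) so the prefix scope is deliberate rather than incidental. The mixed tab/space separator is legal but inconsistent with the spaces used in file_contexts.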
diff --git a/device/rockchip/rk356x/sepolicy_vendor/rknn_server.te b/device/rockchip/rk356x/sepolicy_vendor/rknn_server.te
new file mode 100644
index 00000000000..8c504936f72
--- /dev/null
+++ b/device/rockchip/rk356x/sepolicy_vendor/rknn_server.te
@@ -0,0 +1,19 @@
+type rknn_server, domain;
+type rknn_server_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rknn_server)
+
+#allow rknn_server rknn_data_file:dir {write read create add_name };
+allow rknn_server rknn_data_file:file { write read };
+allow rknn_server socket_device:dir { write add_name remove_name create read };
+allow rknn_server socket_device:sock_file { write create read unlink setattr};
+allow rknn_server property_socket:sock_file { write read };
+allow rknn_server init:unix_stream_socket { connectto};
+allow rknn_server gpu_device:dir { getattr search write };
+allow rknn_server gpu_device:chr_file { open getattr read write ioctl map};
+dontaudit rknn_server self:capability { sys_admin dac_override };
+set_prop(rknn_server, vendor_rknn_prop);
+get_prop(rknn_server, vendor_rknn_prop);
+get_prop(vendor-rknn-hal, vendor_rknn_prop);
+
+dontaudit rknn_server sysfs:file rw_file_perms;
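Review bot: rknn_server is allowed to create its own sock_file directly in `socket_device` with no type transition, so the socket it creates keeps the generic `socket_device` label; declare a dedicated socket type and add `file_type_auto_trans(rknn_server, socket_device, <new socket type>)` (or let init create the socket from the .rc) so the adbd `connectto` rule can be paired with a write rule on that one file instead of clients needing access to the generic label. `allow rknn_server rknn_data_file:file { write read }` lacks `open` and the directory rule above it is commented out, so the daemon can only use descriptors handed to it — either that is intended (then drop the dead `#allow` line) or it should be `rw_file_perms` plus `search` on the directory. `get_prop(vendor-rknn-hal, vendor_rknn_prop);` names a domain declared nowhere in this patch, with hyphens unlike any other type here, so it is presumably a typo or a missing declaration — confirm the policy compiles. The explicit `property_socket:sock_file` and `init:unix_stream_socket` rules appear to be subsumed by `set_prop`, and the trailing `;` after the set_prop/get_prop macros is inconsistent with `init_daemon_domain(rknn_server)` above. The two `dontaudit` rules silence `sys_admin`/`dac_override` and sysfs write attempts without saying what triggers them; a comment such as `# probes at startup, denied on purpose — do not convert to allow` keeps a future reviewer from quietly turning them into grants.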