# EdgeTPU server: the daemon that hosts the EdgeTPU binder service.
type edgetpu_server, coredomain, domain;
type edgetpu_server_exec, exec_type, system_file_type, file_type;
init_daemon_domain(edgetpu_server, edgetpu_server_exec)

# Binder service type that the server registers with servicemanager.
type edgetpu_service, service_manager_type;

# Binder: the server acts as a binder client, hosts a binder service,
# and publishes edgetpu_service to servicemanager.
binder_use(edgetpu_server);
binder_service(edgetpu_server);
add_service(edgetpu_server, edgetpu_service);

# Hardware access: the EdgeTPU character device (/dev/abrolhos) and its
# sysfs nodes. Note that the sysfs file access granted here includes write.
allow edgetpu_server edgetpu_device:chr_file rw_file_perms;
allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
allow edgetpu_server sysfs_edgetpu:file rw_file_perms;

# Persistent state: the server's own data directories and files.
allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
allow edgetpu_server edgetpu_service_data_file:file create_file_perms;

# Application domains must never open the EdgeTPU device themselves; access
# is expected to go through the server's binder interface. Only the "open"
# permission is asserted here, so this rule alone does not constrain what an
# app may do with a descriptor it received from another process — presumably
# intentional (fd passing over binder), but confirm against the server's
# design when reviewing.
neverallow appdomain edgetpu_device:chr_file open;