Add sepolicy for biometric face virtual hal Bug: 326227403 Test: atest CtsBiometricTestCases Change-Id: I24559117b133628fa83ee1a2f58e616be6fdf6eb

commit: 09a026c9c7b28db878ba79158700075156a85066 [log] [tgz]
author: Jeff Pu <jeffpu@google.com> Tue Sep 17 16:47:51 2024 +0000
committer: Jeff Pu <jeffpu@google.com> Tue Sep 17 19:46:33 2024 +0000
tree: 27d22107709cebf4246d11f99c7851aa670c20c9
parent: 3e5e1613a2f2ab2a413dc21274f707599fff564e [diff]
diff --git a/private/compat/202404/202404.ignore.cil b/private/compat/202404/202404.ignore.cil
index 73058ef..ff84b4e 100644
--- a/private/compat/202404/202404.ignore.cil
+++ b/private/compat/202404/202404.ignore.cil

@@ -15,4 +15,6 @@
     app_function_service
     virtual_fingerprint
     virtual_fingerprint_exec
+    virtual_face
+    virtual_face_exec
   ))

diff --git a/private/hal_face.te b/private/hal_face.te
index e14666a..5e43953 100644
--- a/private/hal_face.te
+++ b/private/hal_face.te

@@ -11,5 +11,5 @@
 allow hal_face ion_device:chr_file r_file_perms;
 
 # Allow read/write access to the face template directory.
-allow hal_face face_vendor_data_file:file create_file_perms;
-allow hal_face face_vendor_data_file:dir rw_dir_perms;
+allow {hal_face -coredomain} face_vendor_data_file:file create_file_perms;
+allow {hal_face -coredomain} face_vendor_data_file:dir rw_dir_perms;

diff --git a/private/service_contexts b/private/service_contexts
index 5fdae3c..960bb66 100644
--- a/private/service_contexts
+++ b/private/service_contexts

@@ -26,6 +26,7 @@
 android.hardware.automotive.vehicle.IVehicle/default                 u:object_r:hal_vehicle_service:s0
 android.hardware.biometrics.face.IFace/default                       u:object_r:hal_face_service:s0
 android.hardware.biometrics.face.IFace/virtual                       u:object_r:hal_face_service:s0
+android.hardware.biometrics.face.virtualhal.IVirtualHal/virtual      u:object_r:hal_face_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/default         u:object_r:hal_fingerprint_service:s0
 android.hardware.biometrics.fingerprint.IFingerprint/virtual         u:object_r:hal_fingerprint_service:s0
 android.hardware.biometrics.fingerprint.virtualhal.IVirtualHal/virtual u:object_r:hal_fingerprint_service:s0

diff --git a/private/virtual_face.te b/private/virtual_face.te
new file mode 100644
index 0000000..0e33d6b
--- /dev/null
+++ b/private/virtual_face.te

@@ -0,0 +1,6 @@
+# biometric virtual face sensor
+type virtual_face, domain;
+type virtual_face_exec, system_file_type, exec_type, file_type;
+hal_server_domain(virtual_face, hal_face)
+typeattribute virtual_face coredomain;
+init_daemon_domain(virtual_face)
commit	09a026c9c7b28db878ba79158700075156a85066	[log] [tgz]
author	Jeff Pu <jeffpu@google.com>	Tue Sep 17 16:47:51 2024 +0000
committer	Jeff Pu <jeffpu@google.com>	Tue Sep 17 19:46:33 2024 +0000
tree	27d22107709cebf4246d11f99c7851aa670c20c9
parent	3e5e1613a2f2ab2a413dc21274f707599fff564e [diff]