Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
diff --git a/access_vectors b/access_vectors
index e79ad1b..c280f08 100644
--- a/access_vectors
+++ b/access_vectors
@@ -890,25 +890,22 @@
class keystore_key
{
- test
+ get_state
get
insert
delete
exist
- saw
+ list
reset
password
lock
unlock
- zero
+ is_empty
sign
verify
grant
duplicate
clear_uid
- reset_uid
- sync_uid
- password_uid
add_auth
user_changed
}
diff --git a/app.te b/app.te
index af8c508..40de074 100644
--- a/app.te
+++ b/app.te
@@ -185,7 +185,7 @@
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore({ appdomain -isolated_app })
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 82c733d..0bfd33a 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,6 @@
allow binderservicedomain appdomain:fd use;
allow binderservicedomain appdomain:fifo_file write;
-allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
use_keystore(binderservicedomain)
diff --git a/device.te b/device.te
index c155fcc..b2f4f1d 100644
--- a/device.te
+++ b/device.te
@@ -12,6 +12,7 @@
type pmsg_device, dev_type, mlstrustedobject;
type radio_device, dev_type;
type ram_device, dev_type;
+type rtc_device, dev_type;
type vold_device, dev_type;
type console_device, dev_type;
type cpuctl_device, dev_type;
diff --git a/file.te b/file.te
index 5e8687a..3ecb143 100644
--- a/file.te
+++ b/file.te
@@ -154,6 +154,8 @@
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
+# Type for fingerprint template file.
+type fingerprintd_data_file, file_type, data_file_type;
# Socket types
type adbd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 9f895da..bcb4ae0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,6 +77,7 @@
/dev/random u:object_r:random_device:s0
/dev/rpmsg-omx[0-9] u:object_r:rpmsg_device:s0
/dev/rproc_user u:object_r:rpmsg_device:s0
+/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/snd(/.*)? u:object_r:audio_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
@@ -148,6 +149,7 @@
/system/bin/mdnsd u:object_r:mdnsd_exec:s0
/system/bin/installd u:object_r:installd_exec:s0
/system/bin/keystore u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
/system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
/system/bin/debuggerd u:object_r:debuggerd_exec:s0
/system/bin/debuggerd64 u:object_r:debuggerd_exec:s0
@@ -253,6 +255,9 @@
/data/misc/perfprofd(/.*)? u:object_r:perfprofd_data_file:s0
/data/system/heapdump(/.*)? u:object_r:heapdump_data_file:s0
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
diff --git a/fingerprintd.te b/fingerprintd.te
new file mode 100644
index 0000000..4ceb68d
--- /dev/null
+++ b/fingerprintd.te
@@ -0,0 +1,23 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+# fingerprintd
+init_daemon_domain(fingerprintd)
+binder_use(fingerprintd)
+
+# need to find KeyStore and add self
+allow fingerprintd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
diff --git a/mediaserver.te b/mediaserver.te
index cb0995c..0299466 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,6 +80,7 @@
allow mediaserver activity_service:service_manager find;
allow mediaserver appops_service:service_manager find;
+allow mediaserver cameraproxy_service:service_manager find;
allow mediaserver batterystats_service:service_manager find;
allow mediaserver drmserver_service:service_manager find;
allow mediaserver mediaserver_service:service_manager { add find };
diff --git a/security_classes b/security_classes
index 9cd3f1c..c0c9659 100644
--- a/security_classes
+++ b/security_classes
@@ -132,7 +132,6 @@
class db_language # userspace
class binder
-class zygote
# Property service
class property_service # userspace
diff --git a/service.te b/service.te
index 66bf566..56478d0 100644
--- a/service.te
+++ b/service.te
@@ -2,6 +2,7 @@
type default_android_service, service_manager_type;
type drmserver_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
+type fingerprintd_service, service_manager_type;
type healthd_service, service_manager_type;
type inputflinger_service, service_manager_type;
type keystore_service, service_manager_type;
@@ -24,6 +25,7 @@
type batterystats_service, app_api_service, system_server_service, service_manager_type;
type battery_service, system_server_service, service_manager_type;
type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
type clipboard_service, app_api_service, system_server_service, service_manager_type;
type IProxyService_service, system_api_service, system_server_service, service_manager_type;
type commontime_management_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index e782c7d..85dcd3d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,6 +39,7 @@
dropbox u:object_r:dropbox_service:s0
ethernet u:object_r:ethernet_service:s0
fingerprint u:object_r:fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
gfxinfo u:object_r:gfxinfo_service:s0
graphicsstats u:object_r:graphicsstats_service:s0
hardware u:object_r:hardware_service:s0
@@ -62,6 +63,7 @@
media.audio_flinger u:object_r:mediaserver_service:s0
media.audio_policy u:object_r:mediaserver_service:s0
media.camera u:object_r:mediaserver_service:s0
+media.camera.proxy u:object_r:cameraproxy_service:s0
media.log u:object_r:mediaserver_service:s0
media.player u:object_r:mediaserver_service:s0
media.resource_manager u:object_r:mediaserver_service:s0
diff --git a/system_app.te b/system_app.te
index 811f436..3720c3d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,17 +57,17 @@
allow system_app system_api_service:service_manager find;
allow system_app keystore:keystore_key {
- test
+ get_state
get
insert
delete
exist
- saw
+ list
reset
password
lock
unlock
- zero
+ is_empty
sign
verify
grant
diff --git a/system_server.te b/system_server.te
index b83c14a..0b18eb4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -128,6 +128,7 @@
binder_use(system_server)
binder_call(system_server, binderservicedomain)
binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
binder_call(system_server, appdomain)
binder_call(system_server, dumpstate)
binder_service(system_server)
@@ -167,6 +168,7 @@
allow system_server video_device:dir r_dir_perms;
allow system_server video_device:chr_file rw_file_perms;
allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
allow system_server audio_device:dir r_dir_perms;
# write access needed for MIDI
@@ -375,6 +377,7 @@
allow system_server healthd_service:service_manager find;
allow system_server keystore_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
allow system_server mediaserver_service:service_manager find;
allow system_server nfc_service:service_manager find;
allow system_server radio_service:service_manager find;
@@ -382,25 +385,22 @@
allow system_server surfaceflinger_service:service_manager find;
allow system_server keystore:keystore_key {
- test
+ get_state
get
insert
delete
exist
- saw
+ list
reset
password
lock
unlock
- zero
+ is_empty
sign
verify
grant
duplicate
clear_uid
- reset_uid
- sync_uid
- password_uid
add_auth
user_changed
};
@@ -427,6 +427,9 @@
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
+# Allow system process to relabel the fingerprint directory after mkdir
+allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+
###
### Neverallow rules
###
diff --git a/untrusted_app.te b/untrusted_app.te
index 79eb752..e451c5d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@
allow untrusted_app media_rw_data_file:dir create_dir_perms;
allow untrusted_app media_rw_data_file:file create_file_perms;
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
+
# Write to /cache.
allow untrusted_app cache_file:dir create_dir_perms;
allow untrusted_app cache_file:file create_file_perms;