Merge "Allow system server and uncrypt to operate pipe file" into mnc-dev
diff --git a/access_vectors b/access_vectors
index e79ad1b..c280f08 100644
--- a/access_vectors
+++ b/access_vectors
@@ -890,25 +890,22 @@
 
 class keystore_key
 {
-	test
+	get_state
 	get
 	insert
 	delete
 	exist
-	saw
+	list
 	reset
 	password
 	lock
 	unlock
-	zero
+	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
-	reset_uid
-	sync_uid
-	password_uid
 	add_auth
 	user_changed
 }
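Review bot: The class now depends silently on keystore's userspace permission strings: the three renames (`test`→`get_state`, `saw`→`list`, `zero`→`is_empty`) and the dropped `reset_uid`/`sync_uid`/`password_uid` only work if the strings keystore hands to `selinux_check_access()` changed in the same release, and any out-of-tree device policy that still names the old permissions will fail to compile. Nothing in this diff shows the keystore side, so I assume it landed alongside; worth confirming. A one-line comment above the class would make the coupling explicit: `# Permission names must match the strings keystore passes to selinux_check_access().`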
diff --git a/app.te b/app.te
index af8c508..40de074 100644
--- a/app.te
+++ b/app.te
@@ -185,7 +185,7 @@
 # application inherit logd write socket (urge is to deprecate this long term)
 allow appdomain zygote:unix_dgram_socket write;
 
-allow { appdomain -isolated_app } keystore:keystore_key { test get insert delete exist saw sign verify };
+allow { appdomain -isolated_app } keystore:keystore_key { get_state get insert delete exist list sign verify };
 
 use_keystore({ appdomain -isolated_app })
 
diff --git a/binderservicedomain.te b/binderservicedomain.te
index 82c733d..0bfd33a 100644
--- a/binderservicedomain.te
+++ b/binderservicedomain.te
@@ -13,6 +13,6 @@
 allow binderservicedomain appdomain:fd use;
 allow binderservicedomain appdomain:fifo_file write;
 
-allow binderservicedomain keystore:keystore_key { test get insert delete exist saw sign verify };
+allow binderservicedomain keystore:keystore_key { get_state get insert delete exist list sign verify };
 
 use_keystore(binderservicedomain)
diff --git a/device.te b/device.te
index c155fcc..b2f4f1d 100644
--- a/device.te
+++ b/device.te
@@ -12,6 +12,7 @@
 type pmsg_device, dev_type, mlstrustedobject;
 type radio_device, dev_type;
 type ram_device, dev_type;
+type rtc_device, dev_type;
 type vold_device, dev_type;
 type console_device, dev_type;
 type cpuctl_device, dev_type;
diff --git a/file.te b/file.te
index 5e8687a..3ecb143 100644
--- a/file.te
+++ b/file.te
@@ -154,6 +154,8 @@
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
+# Type for fingerprint template file.
+type fingerprintd_data_file, file_type, data_file_type;
 
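Review bot: Giving the fingerprint template type the `data_file_type` attribute places it under every blanket `data_file_type` rule in the policy (installd, vold, dumpstate and similar domains typically carry such rules), so the template store ends up reachable by more than fingerprintd and system_server. If none of those domains needs the templates, consider omitting the attribute, or pairing the type with a neverallow on the file class for every domain except fingerprintd. Which domains currently hold `data_file_type` rules is not visible from this diff, so check before narrowing. The comment should also state what is being protected: `# Type for fingerprint template files (sensitive biometric data).`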
 # Socket types
 type adbd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 9f895da..bcb4ae0 100644
--- a/file_contexts
+++ b/file_contexts
@@ -77,6 +77,7 @@
 /dev/random		u:object_r:random_device:s0
 /dev/rpmsg-omx[0-9]	u:object_r:rpmsg_device:s0
 /dev/rproc_user	u:object_r:rpmsg_device:s0
+/dev/rtc[0-9]      u:object_r:rtc_device:s0
 /dev/snd(/.*)?		u:object_r:audio_device:s0
 /dev/socket(/.*)?	u:object_r:socket_device:s0
 /dev/socket/adbd	u:object_r:adbd_socket:s0
@@ -148,6 +149,7 @@
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
@@ -253,6 +255,9 @@
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
diff --git a/fingerprintd.te b/fingerprintd.te
new file mode 100644
index 0000000..4ceb68d
--- /dev/null
+++ b/fingerprintd.te
@@ -0,0 +1,23 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+# fingerprintd
+init_daemon_domain(fingerprintd)
+binder_use(fingerprintd)
+
+# need to find KeyStore and add self
+allow fingerprintd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
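Review bot: The two comments on the data-file rules are swapped relative to the rules beneath them: `# allow HAL module to read dir contents` sits above `fingerprintd_data_file:file { create_file_perms }`, which grants create/write/unlink on files, while `# allow HAL module to read/write/unlink contents of this dir` sits above the `dir rw_dir_perms` rule, which only lists and adds/removes entries. Rewriting them as `# create/read/write/unlink template files` and `# list and modify entries of the template directory` matches what is actually granted; the braces around the single `create_file_perms` macro and the trailing `;` on `binder_call(fingerprintd, system_server);` are also out of step with the other macro invocations in this file. Since the templates are biometric data, consider pinning the intent with a neverallow such as `neverallow { domain -fingerprintd -system_server -init } fingerprintd_data_file:file ~{ getattr };` — the exact exclusion set depends on which domains carry blanket `data_file_type` rules, which this diff does not show.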
diff --git a/mediaserver.te b/mediaserver.te
index cb0995c..0299466 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -80,6 +80,7 @@
 
 allow mediaserver activity_service:service_manager find;
 allow mediaserver appops_service:service_manager find;
+allow mediaserver cameraproxy_service:service_manager find;
 allow mediaserver batterystats_service:service_manager find;
 allow mediaserver drmserver_service:service_manager find;
 allow mediaserver mediaserver_service:service_manager { add find };
diff --git a/security_classes b/security_classes
index 9cd3f1c..c0c9659 100644
--- a/security_classes
+++ b/security_classes
@@ -132,7 +132,6 @@
 class db_language		# userspace
 
 class binder
-class zygote
 
 # Property service
 class property_service          # userspace
diff --git a/service.te b/service.te
index 66bf566..56478d0 100644
--- a/service.te
+++ b/service.te
@@ -2,6 +2,7 @@
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
+type fingerprintd_service,      service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
@@ -24,6 +25,7 @@
 type batterystats_service, app_api_service, system_server_service, service_manager_type;
 type battery_service, system_server_service, service_manager_type;
 type bluetooth_manager_service, system_api_service, system_server_service, service_manager_type;
+type cameraproxy_service, system_server_service, service_manager_type;
 type clipboard_service, app_api_service, system_server_service, service_manager_type;
 type IProxyService_service, system_api_service, system_server_service, service_manager_type;
 type commontime_management_service, system_server_service, service_manager_type;
diff --git a/service_contexts b/service_contexts
index e782c7d..85dcd3d 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,6 +39,7 @@
 dropbox                                   u:object_r:dropbox_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
 hardware                                  u:object_r:hardware_service:s0
@@ -62,6 +63,7 @@
 media.audio_flinger                       u:object_r:mediaserver_service:s0
 media.audio_policy                        u:object_r:mediaserver_service:s0
 media.camera                              u:object_r:mediaserver_service:s0
+media.camera.proxy                        u:object_r:cameraproxy_service:s0
 media.log                                 u:object_r:mediaserver_service:s0
 media.player                              u:object_r:mediaserver_service:s0
 media.resource_manager                    u:object_r:mediaserver_service:s0
diff --git a/system_app.te b/system_app.te
index 811f436..3720c3d 100644
--- a/system_app.te
+++ b/system_app.te
@@ -57,17 +57,17 @@
 allow system_app system_api_service:service_manager find;
 
 allow system_app keystore:keystore_key {
-	test
+	get_state
 	get
 	insert
 	delete
 	exist
-	saw
+	list
 	reset
 	password
 	lock
 	unlock
-	zero
+	is_empty
 	sign
 	verify
 	grant
diff --git a/system_server.te b/system_server.te
index b83c14a..0b18eb4 100644
--- a/system_server.te
+++ b/system_server.te
@@ -128,6 +128,7 @@
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
 binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
@@ -167,6 +168,7 @@
 allow system_server video_device:dir r_dir_perms;
 allow system_server video_device:chr_file rw_file_perms;
 allow system_server adbd_socket:sock_file rw_file_perms;
+allow system_server rtc_device:chr_file rw_file_perms;
 allow system_server audio_device:dir r_dir_perms;
 
 # write access needed for MIDI
@@ -375,6 +377,7 @@
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
@@ -382,25 +385,22 @@
 allow system_server surfaceflinger_service:service_manager find;
 
 allow system_server keystore:keystore_key {
-	test
+	get_state
 	get
 	insert
 	delete
 	exist
-	saw
+	list
 	reset
 	password
 	lock
 	unlock
-	zero
+	is_empty
 	sign
 	verify
 	grant
 	duplicate
 	clear_uid
-	reset_uid
-	sync_uid
-	password_uid
 	add_auth
 	user_changed
 };
@@ -427,6 +427,9 @@
 # Traverse into expanded storage
 allow system_server mnt_expand_file:dir r_dir_perms;
 
+# Allow system process to relabel the fingerprint directory after mkdir
+allow system_server fingerprintd_data_file:dir {r_dir_perms relabelto};
+
 ###
 ### Neverallow rules
 ###
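Review bot: `relabelto` on `fingerprintd_data_file:dir` is only half of a relabel: the operation also needs `relabelfrom` on the type the directory is created with (presumably `system_data_file`, since /data/system/users sits under it), and that grant is not visible in this hunk — if it is absent, the relabel is denied and fingerprintd can never write templates. Because system_server holds only `r_dir_perms` on the new type, anything created inside the directory between `mkdir` and the relabel would also keep the old label. A name-based transition, `type_transition system_server system_data_file:dir fingerprintd_data_file "fpdata";`, would give the directory the right label at creation and remove the relabel rule entirely, provided the target kernels support named type transitions.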
diff --git a/untrusted_app.te b/untrusted_app.te
index 79eb752..e451c5d 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -72,6 +72,10 @@
 allow untrusted_app media_rw_data_file:dir create_dir_perms;
 allow untrusted_app media_rw_data_file:file create_file_perms;
 
+# Traverse into /mnt/media_rw for bypassing FUSE daemon
+# TODO: narrow this to just MediaProvider
+allow untrusted_app mnt_media_rw_file:dir search;
+
 # Write to /cache.
 allow untrusted_app cache_file:dir create_dir_perms;
 allow untrusted_app cache_file:file create_file_perms;
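Review bot: Granting every untrusted app `search` on `mnt_media_rw_file:dir` is only as safe as the DAC mode on /mnt/media_rw, because the two rules just above already give `untrusted_app` `create_dir_perms`/`create_file_perms` on `media_rw_data_file`; once SELinux no longer blocks the traversal, any app that passes DAC reaches the raw, permission-free media filesystem that the FUSE daemon is meant to mediate. The TODO should say what is holding the line so it is not silently relaxed later, e.g. `# TODO: narrow this to just MediaProvider; until then the 0700 media_rw DAC mode on /mnt/media_rw is the only barrier`. If /mnt/media_rw is not 0700 on every device (the init.rc is not visible here), a dedicated MediaProvider domain or a neverallow for the remaining app domains is needed rather than a TODO.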