Fingerprint data is now stored in one of two ways depending on the
shipping API version:
For devices shipped on O-MR1 nothing changes; data is stored
under /data/system/users/<user-id>/fpdata/...
Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.
Support for /data/vendor_de and /data/vendor_ce has been added to vold.
Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa71a226dc848978717064b805272801ff4)
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b0b5f19..8b4d69c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -43,6 +43,7 @@
exported3_default_prop
exported3_radio_prop
exported3_system_prop
+ fingerprint_vendor_data_file
fs_bpf
hal_audiocontrol_hwservice
hal_authsecret_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index b55fb9d..4381f91 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -455,6 +455,9 @@
# Fingerprint data
/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+# Fingerprint vendor data file
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0
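Review bot: The added comment `# Fingerprint vendor data file` does not say which devices use this path, and the matching comment added in public/file.te (`# Type for _new_ fingerprint template file`) relies on "new", which stops being meaningful once the older layout is forgotten. The commit message says the split follows the shipping API version, so the comments should carry that: `# Fingerprint data for devices shipping after O-MR1` here, and `# Type for fingerprint template files under /data/vendor_de/<user-id>/fpdata` in file.te. It would also help to note in file.te that the type deliberately omits `core_data_file_type`, since that is what separates it from `fingerprintd_data_file`.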
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4e89d64..0a11558 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,10 +14,12 @@
vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
allow vold_prepare_subdirs {
+ fingerprint_vendor_data_file
storaged_data_file
vold_data_file
}:dir { create_dir_perms relabelto };
allow vold_prepare_subdirs {
+ fingerprint_vendor_data_file
storaged_data_file
system_data_file
vold_data_file
diff --git a/public/domain.te b/public/domain.te
index cef538f..f58b456 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -814,6 +814,7 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
+ -vold_prepare_subdirs
} {
data_file_type
-core_data_file_type
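Review bot: The `-vold_prepare_subdirs` exemption added here, and again in the hunk at -825, is unannotated and exempts the whole domain from the rule for every type in the target set shown below it (`data_file_type -core_data_file_type ...`), not only for `fingerprint_vendor_data_file`. The neverallow headers and their permission lists sit outside both hunks, so the exact scope cannot be confirmed from this page. Each neighbouring exemption with a known reason carries a comment, and this one should too, for example `-vold_prepare_subdirs # prepares per-user dirs under /data/vendor_de and /data/vendor_ce`. If the domain only ever needs directory-level access to vendor data, it is worth checking whether the file-class rule at -825 needs the exemption at all.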
@@ -825,6 +826,7 @@
-appdomain # TODO(b/34980020) remove exemption for appdomain
-data_between_core_and_vendor_violators
-init
+ -vold_prepare_subdirs
} {
data_file_type
-core_data_file_type
diff --git a/public/file.te b/public/file.te
index 47beab6..8c33bed 100644
--- a/public/file.te
+++ b/public/file.te
@@ -312,6 +312,8 @@
type bluetooth_efs_file, file_type;
# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 36de761..ebe0b0c 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -8,5 +8,10 @@
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, sysfs)
+
+
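Review bot: Nothing in this change stops other domains from later being granted access to `fingerprint_vendor_data_file`, which holds biometric templates; the two `allow` lines are the only statement about the type here. A guard next to them would pin the intended access set, along the lines of `neverallow { domain -hal_fingerprint -tee -vold_prepare_subdirs -init } fingerprint_vendor_data_file:file { open read write };`. The exempted domains are taken from this diff and must be checked against the rest of the tree before the rule is added. On style, `{ create_file_perms }` has braces around a single macro while tee.te writes it bare, and the hunk leaves two blank lines at end of file.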
diff --git a/public/tee.te b/public/tee.te
index f023d5c..0f9b32d 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -5,3 +5,7 @@
# Device(s) for communicating with the TEE
type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
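Review bot: These two rules are in public/tee.te, so every device built on this policy grants its `tee` domain create/write access to fingerprint template storage, whether or not that device's TEE stack stores templates there. No comment explains why `tee` needs the access in addition to `hal_fingerprint`. If the need is specific to certain implementations, the rules would be better placed in the device's vendor policy; otherwise add a comment such as `# tee domain persists fingerprint templates under /data/vendor_de/<user-id>/fpdata`. The trailing blank line added at end of file can be dropped.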