New SeLinux policy for fingerprint HIDL
Move from fingerprintd to the new fingerprint_hal and update the SELinux policy.
Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
diff --git a/private/file_contexts b/private/file_contexts
index 8767312..4501016 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
/system/bin/hw/android\.hardware\.bluetooth@1\.0-service u:object_r:hal_bluetooth_default_exec:s0
/system/bin/hw/android\.hardware\.boot@1\.0-service u:object_r:hal_boot_exec:s0
/system/bin/hw/android\.hardware\.contexthub@1\.0-service u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
/system/bin/hw/android\.hardware\.dumpstate@1\.0-service u:object_r:hal_dumpstate_default_exec:s0
/system/bin/hw/android\.hardware\.gatekeeper@1\.0-service u:object_r:hal_gatekeeper_default_exec:s0
/system/bin/hw/android\.hardware\.gnss@1\.0-service u:object_r:hal_gnss_default_exec:s0
diff --git a/private/hal_fingerprint_default.te b/private/hal_fingerprint_default.te
new file mode 100644
index 0000000..3903f85
--- /dev/null
+++ b/private/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+type hal_fingerprint_default, hal_fingerprint, domain;
+type hal_fingerprint_default_exec, exec_type, file_type;
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hal_fingerprint_default)
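Review bot: The comment above `init_daemon_domain(hal_fingerprint_default)` is a run-on sentence, so it is hard to tell which rules it says must be private and which could be public. I would punctuate it as `# type_transition must be in private policy; the domain_trans rules could stay` / `# public, but conceptually belong with it.`. A one-line header naming the binary this domain confines (the `android.hardware.biometrics.fingerprint@2.1-service` entry labelled in private/file_contexts) would also help a reader landing on this file first.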
diff --git a/public/attributes b/public/attributes
index b310c1d..30a6014 100644
--- a/public/attributes
+++ b/public/attributes
@@ -118,6 +118,7 @@
attribute hal_audio;
attribute hal_bluetooth;
attribute hal_dumpstate;
+attribute hal_fingerprint;
attribute hal_gatekeeper;
attribute hal_gnss;
attribute hal_graphics_allocator;
diff --git a/public/file.te b/public/file.te
index 0365dc9..8b3b62c 100644
--- a/public/file.te
+++ b/public/file.te
@@ -208,7 +208,7 @@
# vary per device, so this type is used in per
# device policy
type bluetooth_efs_file, file_type;
-# Type for fingerprint template file.
+# Type for fingerprint template file
type fingerprintd_data_file, file_type, data_file_type;
# Type for appfuse file.
type app_fuse_file, file_type, data_file_type, mlstrustedobject;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
new file mode 100644
index 0000000..426b73a
--- /dev/null
+++ b/public/hal_fingerprint.te
@@ -0,0 +1,23 @@
+hwbinder_use(hal_fingerprint)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hal_fingerprint system_file:dir r_dir_perms;
+
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(hal_fingerprint)
+allow hal_fingerprint keystore:keystore_key add_auth;
+
+# For permissions checking
+binder_call(hal_fingerprint, system_server);
+allow hal_fingerprint permission_service:service_manager find;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
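Review bot: The two comments over the `fingerprintd_data_file` rules understate what is granted. The one reading "allow HAL module to read dir contents" sits on a `:file create_file_perms` rule, which covers creating, writing and unlinking template files, and the next one describes file operations on what is a `:dir rw_dir_perms` rule. I would reword them to `# allow HAL module to create, read, write and unlink fingerprint template files` and `# allow HAL module to add and remove entries in the template directory`, so an audit of access to biometric templates reads the real scope. Because every rule here is attached to the `hal_fingerprint` attribute rather than to `hal_fingerprint_default`, any domain later given the attribute also receives `keystore:keystore_key add_auth`; a comment saying so above `use_keystore(hal_fingerprint)` would help whoever adds the next implementation. `r_dir_file(hal_fingerprint, cgroup)` has no comment explaining why it is needed, and the `;` after `binder_call(hal_fingerprint, system_server)` is inconsistent with the other macro calls in the file.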
diff --git a/public/service.te b/public/service.te
index 8fcf5d0..1b65b5a 100644
--- a/public/service.te
+++ b/public/service.te
@@ -6,6 +6,7 @@
type drmserver_service, service_manager_type;
type dumpstate_service, service_manager_type;
type fingerprintd_service, service_manager_type;
+type hal_fingerprint_service, service_manager_type;
type gatekeeper_service, app_api_service, service_manager_type;
type gpu_service, service_manager_type;
type inputflinger_service, service_manager_type;
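Review bot: `hal_fingerprint_service` is declared as a `service_manager_type` and system_server is given `find` on it in the second public/system_server.te hunk, but nothing in this change lets any domain `add` a service with that type, and no service_contexts entry mapping a name to it is visible here. Since the new domain is set up with `hwbinder_use(hal_fingerprint)`, the HAL presumably registers through hwservicemanager rather than servicemanager, in which case this type and its `find` rule would be unused. Please confirm, and either drop both or add the missing registration rule and context so the policy carries no dead grants. The existing `fingerprintd_service` type and its `find` rule are also left in place, so a comment stating whether they remain for a transition period would make the intended end state clear.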
diff --git a/public/system_server.te b/public/system_server.te
index 5cb46d5..ee55263 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -162,6 +162,7 @@
binder_call(system_server, hal_bluetooth)
binder_call(system_server, hal_boot)
binder_call(system_server, hal_contexthub)
+binder_call(system_server, hal_fingerprint)
binder_call(system_server, hal_gnss);
binder_call(system_server, hal_ir)
binder_call(system_server, hal_light)
@@ -477,6 +478,7 @@
allow system_server drmserver_service:service_manager find;
allow system_server dumpstate_service:service_manager find;
allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
allow system_server gatekeeper_service:service_manager find;
allow system_server installd_service:service_manager find;
allow system_server keystore_service:service_manager find;