fingerprintd.te: neverallow fingerprint data file access Only fingerprintd should be creating/reading/writing/etc from /data/system/users/[0-9]+/fpdata(/.*)? . Add a neverallow rule (compile time assertion + CTS test) to ensure no regressions. Change-Id: I30261a4bd880f5c4f3d90d1686a6267f60bdd413

commit: 604a8cae620b1bb31e954c54049c22dbd137795c [log] [tgz]
author: Nick Kralevich <nnk@google.com> Thu Dec 17 14:02:49 2015 -0800
committer: Nick Kralevich <nnk@google.com> Thu Dec 17 14:02:49 2015 -0800
tree: 2a6f2c749e3f91be8c071e146ff797b10bb18c3c
parent: 107c55393c680eb14d5dee11f060b943b8d2e9aa [diff]
diff --git a/fingerprintd.te b/fingerprintd.te
index 1c0ab1c..41e1aca 100644
--- a/fingerprintd.te
+++ b/fingerprintd.te

@@ -21,3 +21,12 @@
 # For permissions checking
 binder_call(fingerprintd, system_server);
 allow fingerprintd permission_service:service_manager find;
+
+###
+### Neverallow rules
+###
+
+# Protect fingerprint data files from access by anything other
+# than fingerprintd and init
+neverallow { domain -fingerprintd -init } fingerprintd_data_file:file
+  { append create link relabelfrom rename setattr write open read ioctl lock };
commit	604a8cae620b1bb31e954c54049c22dbd137795c	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Thu Dec 17 14:02:49 2015 -0800
committer	Nick Kralevich <nnk@google.com>	Thu Dec 17 14:02:49 2015 -0800
tree	2a6f2c749e3f91be8c071e146ff797b10bb18c3c
parent	107c55393c680eb14d5dee11f060b943b8d2e9aa [diff]