Merge "remove setuid SELinux capability for racoon."
diff --git a/private/system_server.te b/private/system_server.te
index 738a84e..a1f9899 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -170,7 +170,6 @@
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, dumpstate)
 binder_call(system_server, fingerprintd)
-binder_call(system_server, hal_fingerprint)
 binder_call(system_server, gatekeeperd)
 binder_call(system_server, installd)
 binder_call(system_server, incidentd)
@@ -183,7 +182,7 @@
 hwallocator_use(system_server)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
-binder_call(system_server, hal_fingerprint)
+hal_client_domain(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss);
 binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
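Review bot: `hal_client_domain(system_server, hal_fingerprint)` may grant system_server more than the `binder_call` it replaces, and nothing at this line says so. The macro definition is not part of this diff. If it also associates the client with the base `hal_fingerprint` attribute for passthrough (in-process) HALs, system_server would inherit the `fingerprintd_data_file`, `ion_device`, cgroup and sysfs rules that public/hal_fingerprint.te still attaches to `hal_fingerprint`. Please confirm against the macro. If that is the case, a comment here such as `# passthrough HAL: system_server also picks up the hal_fingerprint rules` would make the wider grant deliberate and visible to anyone auditing system_server's access.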
diff --git a/public/attributes b/public/attributes
index 281724e..0335922 100644
--- a/public/attributes
+++ b/public/attributes
@@ -139,6 +139,8 @@
 attribute hal_drm_server;
 attribute hal_dumpstate;
 attribute hal_fingerprint;
+attribute hal_fingerprint_client;
+attribute hal_fingerprint_server;
 attribute hal_gatekeeper;
 attribute hal_gnss;
 attribute hal_graphics_allocator;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 8405a7e..580ef37 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -1,22 +1,15 @@
+# HwBinder IPC from client to server, and callbacks
+binder_call(hal_fingerprint_client, hal_fingerprint_server)
+binder_call(hal_fingerprint_server, hal_fingerprint_client)
+
 # allow HAL module to read dir contents
 allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
 
 # allow HAL module to read/write/unlink contents of this dir
 allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
 
-# Need to add auth tokens to KeyStore
-use_keystore(hal_fingerprint)
-allow hal_fingerprint keystore:keystore_key add_auth;
-
-# For permissions checking
-binder_call(hal_fingerprint, system_server);
-allow hal_fingerprint permission_service:service_manager find;
-
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
-# Allow fingerprint to find and call keystore binder interfaces
-binder_use(hal_fingerprint);
-
 r_dir_file(hal_fingerprint, cgroup)
 r_dir_file(hal_fingerprint, sysfs)
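Review bot: The comment `# allow HAL module to read dir contents` sits above a rule that grants `create_file_perms` on `fingerprintd_data_file:file`, so it understates the grant for anyone auditing by comment. Since this hunk already restructures the file, consider rewording it to `# allow HAL module to create/read/write files in its data dir`. The new `binder_call` rules are scoped to `hal_fingerprint_client` and `hal_fingerprint_server`, while the file, ion, cgroup and sysfs rules stay on the base `hal_fingerprint` attribute. A one-line header comment saying which attribute new rules should target would keep later additions from landing on the broader one.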
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index c392a85..2b9001e 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -1,5 +1,5 @@
 type hal_fingerprint_default, domain;
-hal_impl_domain(hal_fingerprint_default, hal_fingerprint)
+hal_server_domain(hal_fingerprint_default, hal_fingerprint)
 
 type hal_fingerprint_default_exec, exec_type, file_type;
 init_daemon_domain(hal_fingerprint_default)