From 264eb6566ae75ba1ae37835f0ba83f951550fe85 Mon Sep 17 00:00:00 2001
From: Jim Miller <jaggies@google.com>
Date: Tue, 12 May 2015 15:16:06 -0700
Subject: [PATCH] Add selinux policy for fingerprintd

Change-Id: Ibcb714248c28abf21272986facaade376dcbd7ef
---
 file.te          |  2 ++
 file_contexts    |  4 ++++
 fingerprintd.te  | 23 +++++++++++++++++++++++
 service.te       |  1 +
 service_contexts |  1 +
 system_server.te |  2 ++
 6 files changed, 33 insertions(+)
 create mode 100644 fingerprintd.te

diff --git a/file.te b/file.te
index 5e8687a72..3ecb14343 100644
--- a/file.te
+++ b/file.te
@@ -154,6 +154,8 @@ type security_file, file_type;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
+# Type for fingerprint template file.
+type fingerprintd_data_file, file_type, data_file_type;
 
 # Socket types
 type adbd_socket, file_type;
diff --git a/file_contexts b/file_contexts
index 03be7b68f..b298f9800 100644
--- a/file_contexts
+++ b/file_contexts
@@ -149,6 +149,7 @@
 /system/bin/mdnsd	u:object_r:mdnsd_exec:s0
 /system/bin/installd	u:object_r:installd_exec:s0
 /system/bin/keystore	u:object_r:keystore_exec:s0
+/system/bin/fingerprintd u:object_r:fingerprintd_exec:s0
 /system/bin/gatekeeperd u:object_r:gatekeeperd_exec:s0
 /system/bin/debuggerd	u:object_r:debuggerd_exec:s0
 /system/bin/debuggerd64	u:object_r:debuggerd_exec:s0
@@ -254,6 +255,9 @@
 /data/misc/perfprofd(/.*)?      u:object_r:perfprofd_data_file:s0
 /data/system/heapdump(/.*)?     u:object_r:heapdump_data_file:s0
 
+# Fingerprint data
+/data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
+
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
diff --git a/fingerprintd.te b/fingerprintd.te
new file mode 100644
index 000000000..4ceb68dd3
--- /dev/null
+++ b/fingerprintd.te
@@ -0,0 +1,23 @@
+type fingerprintd, domain;
+type fingerprintd_exec, exec_type, file_type;
+
+# fingerprintd
+init_daemon_domain(fingerprintd)
+binder_use(fingerprintd)
+
+# need to find KeyStore and add self
+allow fingerprintd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow fingerprintd fingerprintd_data_file:file { create_file_perms };
+
+# allow HAL module to read/write/unlink contents of this dir
+allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(fingerprintd)
+allow fingerprintd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(fingerprintd, system_server);
+allow fingerprintd permission_service:service_manager find;
diff --git a/service.te b/service.te
index 66bf5668c..35145febc 100644
--- a/service.te
+++ b/service.te
@@ -2,6 +2,7 @@ type bluetooth_service,         service_manager_type;
 type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
+type fingerprintd_service,      service_manager_type;
 type healthd_service,           service_manager_type;
 type inputflinger_service,      service_manager_type;
 type keystore_service,          service_manager_type;
diff --git a/service_contexts b/service_contexts
index e782c7d99..c412e1b70 100644
--- a/service_contexts
+++ b/service_contexts
@@ -39,6 +39,7 @@ drm.drmManager                            u:object_r:drmserver_service:s0
 dropbox                                   u:object_r:dropbox_service:s0
 ethernet                                  u:object_r:ethernet_service:s0
 fingerprint                               u:object_r:fingerprint_service:s0
+android.hardware.fingerprint.IFingerprintDaemon u:object_r:fingerprintd_service:s0
 gfxinfo                                   u:object_r:gfxinfo_service:s0
 graphicsstats                             u:object_r:graphicsstats_service:s0
 hardware                                  u:object_r:hardware_service:s0
diff --git a/system_server.te b/system_server.te
index c95a1f028..150103ef5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -128,6 +128,7 @@ allow system_server surfaceflinger:unix_stream_socket { read write setopt };
 binder_use(system_server)
 binder_call(system_server, binderservicedomain)
 binder_call(system_server, gatekeeperd)
+binder_call(system_server, fingerprintd)
 binder_call(system_server, appdomain)
 binder_call(system_server, dumpstate)
 binder_service(system_server)
@@ -375,6 +376,7 @@ allow system_server drmserver_service:service_manager find;
 allow system_server healthd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
+allow system_server fingerprintd_service:service_manager find;
 allow system_server mediaserver_service:service_manager find;
 allow system_server nfc_service:service_manager find;
 allow system_server radio_service:service_manager find;
-- 
GitLab