From 4d6a5e87001772493b8bcad2061e48b662dcb598 Mon Sep 17 00:00:00 2001
From: Andreas Huber <andih@google.com>
Date: Mon, 22 Jan 2018 13:24:10 -0800
Subject: [PATCH] Fingerprint data is now stored in one of two ways depending
 on the

shipping API version:

For devices shipped on O-MR1 nothing changes, data is stored
under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store fingerprint data under
/data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514
Test: manually
(cherry picked from commit 6116daa71a226dc848978717064b805272801ff4)
---
 private/compat/26.0/26.0.ignore.cil | 1 +
 private/file_contexts               | 3 +++
 private/vold_prepare_subdirs.te     | 2 ++
 public/domain.te                    | 2 ++
 public/file.te                      | 2 ++
 public/hal_fingerprint.te           | 5 +++++
 public/tee.te                       | 4 ++++
 7 files changed, 19 insertions(+)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index b0b5f19b4..8b4d69ca5 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -43,6 +43,7 @@
     exported3_default_prop
     exported3_radio_prop
     exported3_system_prop
+    fingerprint_vendor_data_file
     fs_bpf
     hal_audiocontrol_hwservice
     hal_authsecret_hwservice
diff --git a/private/file_contexts b/private/file_contexts
index b55fb9d38..4381f9129 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -455,6 +455,9 @@
 # Fingerprint data
 /data/system/users/[0-9]+/fpdata(/.*)? u:object_r:fingerprintd_data_file:s0
 
+# Fingerprint vendor data file
+/data/vendor_de/[0-9]+/fpdata(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0
 
diff --git a/private/vold_prepare_subdirs.te b/private/vold_prepare_subdirs.te
index 4e89d6488..0a115584a 100644
--- a/private/vold_prepare_subdirs.te
+++ b/private/vold_prepare_subdirs.te
@@ -14,10 +14,12 @@ allow vold_prepare_subdirs {
   vendor_data_file
 }:dir { open read write add_name remove_name rmdir relabelfrom };
 allow vold_prepare_subdirs {
+    fingerprint_vendor_data_file
     storaged_data_file
     vold_data_file
 }:dir { create_dir_perms relabelto };
 allow vold_prepare_subdirs {
+    fingerprint_vendor_data_file
     storaged_data_file
     system_data_file
     vold_data_file
diff --git a/public/domain.te b/public/domain.te
index cef538fd3..f58b4567c 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -814,6 +814,7 @@ full_treble_only(`
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -data_between_core_and_vendor_violators
     -init
+    -vold_prepare_subdirs
   } {
     data_file_type
     -core_data_file_type
@@ -825,6 +826,7 @@ full_treble_only(`
     -appdomain # TODO(b/34980020) remove exemption for appdomain
     -data_between_core_and_vendor_violators
     -init
+    -vold_prepare_subdirs
     } {
       data_file_type
       -core_data_file_type
diff --git a/public/file.te b/public/file.te
index 47beab632..8c33bedb9 100644
--- a/public/file.te
+++ b/public/file.te
@@ -312,6 +312,8 @@ type backup_data_file, file_type, data_file_type, core_data_file_type, mlstruste
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file
 type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
+# Type for _new_ fingerprint template file
+type fingerprint_vendor_data_file, file_type, data_file_type;
 # Type for appfuse file.
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
index 36de76191..ebe0b0c82 100644
--- a/public/hal_fingerprint.te
+++ b/public/hal_fingerprint.te
@@ -8,5 +8,10 @@ allow hal_fingerprint_client hal_fingerprint_hwservice:hwservice_manager find;
 # For memory allocation
 allow hal_fingerprint ion_device:chr_file r_file_perms;
 
+allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
+allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;
+
 r_dir_file(hal_fingerprint, cgroup)
 r_dir_file(hal_fingerprint, sysfs)
+
+
diff --git a/public/tee.te b/public/tee.te
index f023d5c23..0f9b32dc9 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -5,3 +5,7 @@ type tee, domain;
 
 # Device(s) for communicating with the TEE
 type tee_device, dev_type;
+
+allow tee fingerprint_vendor_data_file:dir rw_dir_perms;
+allow tee fingerprint_vendor_data_file:file create_file_perms;
+
-- 
GitLab