Merge "New SeLinux policy for fingerprint HIDL"

am: 597a8a49

Change-Id: I1a055e9dea9317b719ba6bb467679f2e51818755

private/file_contexts

@@ -238,6 +238,7 @@
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /system/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0

private/hal_fingerprint_default.te

+type hal_fingerprint_default, hal_fingerprint, domain;
+type hal_fingerprint_default_exec, exec_type, file_type;
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hal_fingerprint_default)

public/attributes

@@ -118,6 +118,7 @@ attribute update_engine_common;
 attribute hal_audio;
 attribute hal_bluetooth;
 attribute hal_dumpstate;
+attribute hal_fingerprint;
 attribute hal_gatekeeper;
 attribute hal_gnss;
 attribute hal_graphics_allocator;

public/file.te

@@ -208,7 +208,7 @@ type backup_data_file, file_type, data_file_type, mlstrustedobject;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
-# Type for fingerprint template file.
+# Type for fingerprint template file
 type fingerprintd_data_file, file_type, data_file_type;
 # Type for appfuse file.
 type app_fuse_file, file_type, data_file_type, mlstrustedobject;

public/hal_fingerprint.te

+hwbinder_use(hal_fingerprint)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hal_fingerprint system_file:dir r_dir_perms;
+
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(hal_fingerprint)
+allow hal_fingerprint keystore:keystore_key add_auth;
+
+# For permissions checking
+binder_call(hal_fingerprint, system_server);
+allow hal_fingerprint permission_service:service_manager find;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_fingerprint, cgroup)

public/service.te

@@ -6,6 +6,7 @@ type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
 type fingerprintd_service,      service_manager_type;
+type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;

public/system_server.te

@@ -162,6 +162,7 @@ hwbinder_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
+binder_call(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss);
 binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
@@ -477,6 +478,7 @@ allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;