From 893272d883b87869033071846f8883794833b4f4 Mon Sep 17 00:00:00 2001
From: Zachary Iqbal <zacharyi@google.com>
Date: Thu, 24 May 2018 00:59:40 -0700
Subject: [PATCH] Added placeholder SELinux policy for the biometric face HAL.

Notes:
- Added face hal domain, context and file types for the default
  SELinux policy.
- Please see aosp/q/topic:"Face+Authentication"

Bug: 80155388
Test: Built successfully.
Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
---
 private/compat/28.0/28.0.ignore.cil |  1 +
 private/hwservice_contexts          |  1 +
 private/system_server.te            |  1 +
 public/attributes                   |  1 +
 public/hal_face.te                  | 12 ++++++++++++
 public/hwservice.te                 |  1 +
 vendor/hal_face_default.te          |  5 +++++
 7 files changed, 22 insertions(+)
 create mode 100644 public/hal_face.te
 create mode 100644 vendor/hal_face_default.te

diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 9df4f120d..824761481 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -35,6 +35,7 @@
     fwk_stats_hwservice
     color_display_service
     hal_atrace_hwservice
+    hal_face_hwservice
     hal_health_storage_hwservice
     hal_power_stats_hwservice
     hal_system_suspend_default
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index f64eccd0b..1fead4098 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -10,6 +10,7 @@ android.hardware.authsecret::IAuthSecret                        u:object_r:hal_a
 android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
 android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
 android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace               u:object_r:hal_face_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
diff --git a/private/system_server.te b/private/system_server.te
index ed864f589..b8e051117 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -205,6 +205,7 @@ hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
diff --git a/public/attributes b/public/attributes
index 37c2b94c0..bc3723c5f 100644
--- a/public/attributes
+++ b/public/attributes
@@ -258,6 +258,7 @@ hal_attribute(contexthub);
 hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
+hal_attribute(face);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
diff --git a/public/hal_face.te b/public/hal_face.te
new file mode 100644
index 000000000..b25058642
--- /dev/null
+++ b/public/hal_face.te
@@ -0,0 +1,12 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
diff --git a/public/hwservice.te b/public/hwservice.te
index 09808b33a..a51198164 100644
--- a/public/hwservice.te
+++ b/public/hwservice.te
@@ -20,6 +20,7 @@ type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
 type hal_evs_hwservice, hwservice_manager_type;
+type hal_face_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te
new file mode 100644
index 000000000..891d1f4fd
--- /dev/null
+++ b/vendor/hal_face_default.te
@@ -0,0 +1,5 @@
+type hal_face_default, domain;
+hal_server_domain(hal_face_default, hal_face)
+
+type hal_face_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_face_default)
-- 
GitLab