From 0017642efe146104ee71d8e7693176e45a6a26eb Mon Sep 17 00:00:00 2001 From: eddielan Date: Wed, 19 Apr 2023 13:20:45 +0800 Subject: [PATCH] sepolicy: Add sepolicy for FPS Bug: 277843284 Test: make selinux_policy Change-Id: I29b7ea88b001ec2dd4fdb56d8a6b8ae598478c0f --- comet-sepolicy.mk | 2 ++ fingerprint_capacitance/file.te | 1 + fingerprint_capacitance/file_contexts | 5 +++ .../fingerprint_factory_service.te | 3 ++ fingerprint_capacitance/genfs_contexts | 1 + .../hal_fingerprint_capacitance.te | 35 +++++++++++++++++++ fingerprint_capacitance/hwservice.te | 1 + fingerprint_capacitance/hwservice_contexts | 2 ++ fingerprint_capacitance/servicemanager.te | 1 + 9 files changed, 51 insertions(+) create mode 100644 fingerprint_capacitance/file.te create mode 100644 fingerprint_capacitance/file_contexts create mode 100644 fingerprint_capacitance/fingerprint_factory_service.te create mode 100644 fingerprint_capacitance/genfs_contexts create mode 100644 fingerprint_capacitance/hal_fingerprint_capacitance.te create mode 100644 fingerprint_capacitance/hwservice.te create mode 100644 fingerprint_capacitance/hwservice_contexts create mode 100644 fingerprint_capacitance/servicemanager.te diff --git a/comet-sepolicy.mk b/comet-sepolicy.mk index 72aa4b3..20454d2 100644 --- a/comet-sepolicy.mk +++ b/comet-sepolicy.mk @@ -1,3 +1,5 @@ # sepolicy exclusively for comet. BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/vendor +# Fingerprint +BOARD_SEPOLICY_DIRS += device/google/comet-sepolicy/fingerprint_capacitance diff --git a/fingerprint_capacitance/file.te b/fingerprint_capacitance/file.te new file mode 100644 index 0000000..0218b46 --- /dev/null +++ b/fingerprint_capacitance/file.te @@ -0,0 +1 @@ +type sysfs_fingerprint, sysfs_type, fs_type; diff --git a/fingerprint_capacitance/file_contexts b/fingerprint_capacitance/file_contexts new file mode 100644 index 0000000..338b8a2 --- /dev/null +++ b/fingerprint_capacitance/file_contexts 
@@ -0,0 +1,5 @@
+# FPC AIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc42 u:object_r:hal_fingerprint_capacitance_exec:s0
+
+# FPC HIDL HAL
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:fingerprint_factory_service_exec:s0
diff --git a/fingerprint_capacitance/fingerprint_factory_service.te b/fingerprint_capacitance/fingerprint_factory_service.te
new file mode 100644
index 0000000..86ab35c
--- /dev/null
+++ b/fingerprint_capacitance/fingerprint_factory_service.te
@@ -0,0 +1,3 @@
+type fingerprint_factory_service, service_manager_type;
+type fingerprint_factory_service_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(fingerprint_factory_service)
diff --git a/fingerprint_capacitance/genfs_contexts b/fingerprint_capacitance/genfs_contexts
new file mode 100644
index 0000000..9fe2a86
--- /dev/null
+++ b/fingerprint_capacitance/genfs_contexts
@@ -0,0 +1 @@
+genfscon sysfs /devices/platform/odm/odm:fp_fpc1020 u:object_r:sysfs_fingerprint:s0
diff --git a/fingerprint_capacitance/hal_fingerprint_capacitance.te b/fingerprint_capacitance/hal_fingerprint_capacitance.te
new file mode 100644
index 0000000..52073d0
--- /dev/null
+++ b/fingerprint_capacitance/hal_fingerprint_capacitance.te
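Review bot: In fingerprint_factory_service.te the type `fingerprint_factory_service` is declared with `service_manager_type` and then passed to `init_daemon_domain()`, so a single type is used both as a service-object label and as a process domain. As far as this hunk shows the type never receives the `domain` attribute, which means the daemon that file_contexts maps to `fingerprint_factory_service_exec` would run outside the baseline `domain` rules and outside any `neverallow` written against `domain`. If the HIDL binary is meant to be its own daemon, I would declare a separate process type for it, e.g. `type fingerprint_factory_hal, domain;` with a matching `_exec` type (name constructed for illustration), and keep `fingerprint_factory_service` purely as the service label. If the binary is not meant to run on this device, dropping its file_contexts entry and the `init_daemon_domain` line avoids the transition altogether.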
@@ -0,0 +1,35 @@
+# hal_fingerprint_capacitance definition
+type hal_fingerprint_capacitance, domain;
+#hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)
+
+type hal_fingerprint_capacitance_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_capacitance)
+
+#set_prop(hal_fingerprint_capacitance, vendor_fingerprint_prop)
+
+# allow fingerprint to access file
+#allow hal_fingerprint_capacitance fingerprint_device:chr_file rw_file_perms;
+#allow hal_fingerprint_capacitance tee_device:chr_file rw_file_perms;
+#allow hal_fingerprint_capacitance sysfs_fingerprint:dir r_dir_perms;
+#allow hal_fingerprint_capacitance sysfs_fingerprint:file rw_file_perms;
+
+# allow fingerprint to access power hal
+#hal_client_domain(hal_fingerprint_capacitance, hal_power);
+
+# allow fingerprint to find fwk service
+#allow hal_fingerprint_capacitance fwk_stats_service:service_manager find;
+
+# allow fingerprint to access sysfs_leds
+#allow hal_fingerprint_capacitance sysfs_leds:dir search;
+#allow hal_fingerprint_capacitance sysfs_leds:file rw_file_perms;
+
+# allow fingerprint to access input_device
+#allow hal_fingerprint_capacitance input_device:dir r_dir_perms;
+#allow hal_fingerprint_capacitance input_device:chr_file rw_file_perms;
+
+# allow fingerprint to access hwservice
+#hwbinder_use(hal_fingerprint_capacitance)
+#add_hwservice(hal_fingerprint_capacitance, hal_fingerprint_capacitance_ext_hwservice)
+
+# allow fingerprint to access fwk sensor hwservice
+#allow hal_fingerprint_capacitance fwk_sensor_hwservice:hwservice_manager find;
diff --git a/fingerprint_capacitance/hwservice.te b/fingerprint_capacitance/hwservice.te
new file mode 100644
index 0000000..68c51ab
--- /dev/null
+++ b/fingerprint_capacitance/hwservice.te
@@ -0,0 +1 @@
+type hal_fingerprint_capacitance_ext_hwservice, hwservice_manager_type;
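Review bot: Every rule in hal_fingerprint_capacitance.te other than the two `type` declarations and `init_daemon_domain` is commented out, including `hal_server_domain(hal_fingerprint_capacitance, hal_fingerprint)`, so the intended privilege set ships as dead text rather than as reviewable policy. Because file_contexts already labels the AIDL binary, init will move the service into a domain with no binder, device-node or sysfs access, and the gaps will surface only as runtime denials. I would replace the commented block with a single comment saying why the rules are deferred, e.g. `# TODO(b/277843284): enable HAL rules once the FPC service is brought up`, and add the rules in the change that turns them on. When they are enabled, `input_device:chr_file rw_file_perms` and `tee_device:chr_file rw_file_perms` are the broad grants that each deserve a line of justification.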
diff --git a/fingerprint_capacitance/hwservice_contexts b/fingerprint_capacitance/hwservice_contexts
new file mode 100644
index 0000000..ed09300
--- /dev/null
+++ b/fingerprint_capacitance/hwservice_contexts
@@ -0,0 +1,2 @@
+com.fingerprints42.extension::IFingerprintEngineering u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
+com.fingerprints42.extension::IFingerprintSensorTest u:object_r:hal_fingerprint_capacitance_ext_hwservice:s0
diff --git a/fingerprint_capacitance/servicemanager.te b/fingerprint_capacitance/servicemanager.te
new file mode 100644
index 0000000..5297448
--- /dev/null
+++ b/fingerprint_capacitance/servicemanager.te
@@ -0,0 +1 @@
+#binder_call(servicemanager, hal_fingerprint_capacitance)
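Review bot: In hwservice_contexts both `IFingerprintEngineering` and `IFingerprintSensorTest` map to the single type `hal_fingerprint_capacitance_ext_hwservice`, so once `find` is granted on that type a client can reach both interfaces. Judging only by their names these look like engineering and sensor-test surfaces; if they are not needed on user builds, the rules that later grant `add`/`find` could be wrapped in `userdebug_or_eng(...)`, or the two interfaces could be given separate types. A short comment above the entries naming the expected clients would make that decision reviewable, e.g. `# FPC vendor extension interfaces; clients: <placeholder: expected client domain>`.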