From 10fda56cd13e84a8b5525a72f9a7d58755350b5e Mon Sep 17 00:00:00 2001
From: Kris Chen <chenkris@google.com>
Date: Thu, 18 Mar 2021 19:23:54 +0800
Subject: [PATCH] Allow fingerprint hal to access fingerprint device

Fixes the following avc denials:
03-18 10:57:10.612   947   947 I android.hardwar: type=1400 audit(0.0:8): avc: denied { open } for path="/dev/goodix_fp" dev="tmpfs" ino=482 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-18 10:57:10.632   947   947 I android.hardwar: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/goodix_fp" dev="tmpfs" ino=482 ioctlcmd=0x6707 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-18 10:57:13.672   947   947 I android.hardwar: type=1400 audit(0.0:14): avc: denied { ioctl } for path="/dev/goodix_fp" dev="tmpfs" ino=482 ioctlcmd=0x6706 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
03-18 10:57:32.704   947   947 I HwBinder:947_1: type=1400 audit(0.0:26): avc: denied { ioctl } for path="/dev/goodix_fp" dev="tmpfs" ino=482 ioctlcmd=0x6705 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

Bug: 171943101
Test: No above avc denials in logcat.
Change-Id: I254a01a2c11fcaba9ad3f387862a8d0ddafffd38
---
 whitechapel/vendor/google/device.te                  | 3 +++
 whitechapel/vendor/google/file_contexts              | 3 +++
 whitechapel/vendor/google/hal_fingerprint_default.te | 2 ++
 3 files changed, 8 insertions(+)
 create mode 100644 whitechapel/vendor/google/hal_fingerprint_default.te

diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 9287dd13..6741c49b 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -53,3 +53,6 @@ type sscoredump_device, dev_type;
 
 # AOC device
 type aoc_device, dev_type;
+
+# Fingerprint device
+type fingerprint_device, dev_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 0c1822ae..9777744e 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -415,3 +415,6 @@
 
 # BigOcean
 /dev/bigocean                                                                  u:object_r:video_device:s0
+
+# Fingerprint
+/dev/goodix_fp                                                                 u:object_r:fingerprint_device:s0
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
new file mode 100644
index 00000000..9e2ecb96
--- /dev/null
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+