From 00e1b9a704abd57a160dd27d9caf8ad99bd6780a Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Fri, 7 May 2021 17:46:02 +0800
Subject: [PATCH] Add sepolicy for the UDFPS antispoof property

Fixes the following avc denial:
/system/bin/init: type=1107 audit(0.0:4): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=fingerprint.disable.fake pid=364 uid=0 gid=0 scontext=u:r:vendor_init:s0 tcontext=u:object_r:default_prop:s0 tclass=property_service permissive=0'
android.hardwar: type=1400 audit(0.0:7): avc: denied { read } for name="u:object_r:vendor_fingerprint_fake_prop:s0" dev="tmpfs" ino=307 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:vendor_fingerprint_fake_prop:s0 tclass=file permissive=0
Bug: 187394838
Bug: 187562932
Test: Antispoof is disabled by default.
Test: Use the following adb command to manully turn on antispoof. "setprop persist.vendor.fingerprint.disable.fake.override 0"
Change-Id: I90d6ea70d5e0e1a125efb902f1fd61ff4b51baa2
---
 whitechapel/vendor/google/hal_fingerprint_default.te | 3 +++
 whitechapel/vendor/google/property.te | 3 +++
 whitechapel/vendor/google/property_contexts | 3 +++
 whitechapel/vendor/google/vendor_init.te | 5 +++++
 4 files changed, 14 insertions(+)
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
index a9bfbfc9..c6d64d5d 100644
--- a/whitechapel/vendor/google/hal_fingerprint_default.te
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -8,4 +8,7 @@ allow hal_fingerprint_default sysfs_fingerprint:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_fingerprint:file rw_file_perms;
 allow hal_fingerprint_default fwk_stats_service:service_manager find;
 get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+userdebug_or_eng(`
+ get_prop(hal_fingerprint_default, vendor_fingerprint_fake_prop)
+')
 add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
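Review bot: The `get_prop` grant in hal_fingerprint_default.te is wrapped in `userdebug_or_eng` without a comment saying why, and the same is true of the `set_prop` grant in the vendor_init.te hunk. A line such as `# Debug builds only: antispoof override; must stay unreadable and unsettable on user builds` above each block would keep a later cleanup from un-gating a control that weakens fingerprint spoof detection. On user builds neither rule is present, so the HAL's read and any init `setprop` would still be denied and audited as in the two records quoted in the commit message. It is worth confirming, outside this diff, that the HAL treats an unreadable property as "antispoof enabled" and that the init script does not attempt the set on user builds.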
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
index 739075b9..f1e377f0 100644
--- a/whitechapel/vendor/google/property.te
+++ b/whitechapel/vendor/google/property.te
@@ -53,3 +53,6 @@ vendor_internal_prop(vendor_touchpanel_prop)
 # TCP logging
 vendor_internal_prop(vendor_tcpdump_log_prop)
+
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_fake_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
index c542d758..61497257 100644
--- a/whitechapel/vendor/google/property_contexts
+++ b/whitechapel/vendor/google/property_contexts
@@ -120,3 +120,6 @@ persist.vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_pr
 vendor.tcpdump.log.ondemand u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump.log.alwayson u:object_r:vendor_tcpdump_log_prop:s0
 vendor.tcpdump.output.dir u:object_r:vendor_tcpdump_log_prop:s0
+
+# Fingerprint
+vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index 7bcb38b6..dedeaa7e 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -29,3 +29,8 @@ set_prop(vendor_init, vendor_secure_element_prop)
 get_prop(vendor_init, test_harness_prop)
 get_prop(vendor_init, vendor_battery_profile_prop)
 set_prop(vendor_init, vendor_battery_defender_prop)
+
+# Fingerprint property
+userdebug_or_eng(`
+ set_prop(vendor_init, vendor_fingerprint_fake_prop)
+')
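Review bot: In the property_contexts hunk the new entry `vendor.fingerprint.disable.fake` carries no `exact` keyword, so it is a prefix match and labels every property whose name begins with that string. If only the single flag is intended, an exact, typed entry is tighter, e.g. `vendor.fingerprint.disable.fake u:object_r:vendor_fingerprint_fake_prop:s0 exact bool` (assuming the value is a 0/1 flag). The entry also does not match `persist.vendor.fingerprint.disable.fake.override` from the Test line, nor the unprefixed `fingerprint.disable.fake` seen in the quoted denial. Those names are presumably labelled or renamed in another change. It is worth confirming that the persist override does not remain under a broader default label that more domains can set.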