From d8d8580281d568517d8706d9c6a6db9306c48615 Mon Sep 17 00:00:00 2001
From: Andrew LeCain
Date: Wed, 14 Jul 2021 20:40:03 -0700
Subject: [PATCH] sepolicy allow fingerprint hal to read mfg_data declares new device context for mfg_data_block_device give fp HAL permission to read/write/open give fp HAL permission to search block_device dir
Bug: 189135413
Test: sideload calibration in enforcing mode.
Change-Id: I19e0cd13fc452b42c3f35772c4bafd433dbcc8b1
---
 whitechapel/vendor/google/device.te | 1 +
 whitechapel/vendor/google/file_contexts | 1 +
 whitechapel/vendor/google/hal_fingerprint_default.te | 4 ++++
 whitechapel/vendor/google/vendor_init.te | 1 +
 4 files changed, 7 insertions(+)
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
index 609e117e..bd62647d 100644
--- a/whitechapel/vendor/google/device.te
+++ b/whitechapel/vendor/google/device.te
@@ -6,6 +6,7 @@ type modem_userdata_block_device, dev_type;
 type persist_block_device, dev_type;
 type vendor_block_device, dev_type;
 type sda_block_device, dev_type;
+type mfg_data_block_device, dev_type;
 # Exynos devices
 type vendor_m2m1shot_device, dev_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 86af0a91..1a7e422a 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -73,6 +73,7 @@
 /dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
 /dev/block/sda u:object_r:sda_block_device:s0
 /dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
index a7f769bf..6dedfce8 100644
--- a/whitechapel/vendor/google/hal_fingerprint_default.te
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -18,3 +18,7 @@ hal_client_domain(hal_fingerprint_default, hal_power);
 # Allow access to the files of CDT information.
 r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms };
+allow hal_fingerprint_default block_device:dir search;
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
index 63f98f83..12768769 100644
--- a/whitechapel/vendor/google/vendor_init.te
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -16,6 +16,7 @@ set_prop(vendor_init, vendor_logger_prop)
 allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file write;
 allow vendor_init bootdevice_sysdev:file create_file_perms;
+allow vendor_init block_device:lnk_file setattr;
 userdebug_or_eng(`
 set_prop(vendor_init, logpersistd_logging_prop)
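Review bot: In hal_fingerprint_default.te the new rule `allow hal_fingerprint_default mfg_data_block_device:blk_file { rw_file_perms };` grants write access to the raw mfg_data block device, while the subject line speaks only of reading and the rule's comment says just "access". If the HAL only reads calibration at runtime, `r_file_perms` is the narrower grant. If the write is needed for the calibration sideload named in the Test line, the comment should record that, e.g. `# Fingerprint HAL reads and rewrites its calibration data in the mfg_data partition (b/189135413).` A blk_file grant applies to the whole partition, so anything else stored in mfg_data would presumably become writable by this domain too, which is worth confirming with the partition owner. The braces around the single `rw_file_perms` macro are redundant.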
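Review bot: In vendor_init.te the added `allow vendor_init block_device:lnk_file setattr;` is not mentioned in the commit message and carries no comment, so the hunk does not show which chown/chmod it is meant to permit. The rule covers every symlink labelled `block_device`, not only a link for mfg_data, so the reason should be recorded next to it, for example `# vendor_init sets owner/mode on the mfg_data by-name symlink for the fingerprint HAL` if that is the intent. It is also worth checking whether the target could carry a narrower label instead of widening vendor_init over all `block_device` links. The `userdebug_or_eng` block that follows the new line continues outside the hunk.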