From 09996bc81060567cad8bdca500b350eec1341bca Mon Sep 17 00:00:00 2001 
From: Kris Chen Date: Thu, 18 Mar 2021 19:34:42 +0800 Subject: [PATCH] Add sepolicy rules for fingerprint hal Fixes the following avc denials: 03-18 11:23:15.692 956 956 I android.hardwar: type=1400 audit(0.0:7): avc: denied { read write } for name="trusty-ipc-dev0" dev="tmpfs" ino=691 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1 03-18 11:23:15.692 956 956 I android.hardwar: type=1400 audit(0.0:8): avc: denied { open } for path="/dev/trusty-ipc-dev0" dev="tmpfs" ino=691 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1 03-18 11:23:15.692 956 956 I android.hardwar: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/trusty-ipc-dev0" dev="tmpfs" ino=691 ioctlcmd=0x7280 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:tee_device:s0 tclass=chr_file permissive=1 03-18 11:40:56.072 973 973 I fingerprint@2.1: type=1400 audit(0.0:39): avc: denied { search } for name="battery" dev="sysfs" ino=66502 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 03-18 11:40:56.072 973 973 I fingerprint@2.1: type=1400 audit(0.0:40): avc: denied { read } for name="temp" dev="sysfs" ino=66520 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 03-18 11:40:56.072 973 973 I fingerprint@2.1: type=1400 audit(0.0:41): avc: denied { open } for path="/sys/devices/platform/google,battery/power_supply/battery/temp" dev="sysfs" ino=66520 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=file permissive=1 03-18 14:11:23.476 979 979 I fingerprint@2.1: type=1400 audit(0.0:13): avc: denied { search } for name="battery" dev="sysfs" ino=66502 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:9): avc: denied { create 
} for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:10): avc: denied { bind } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:11): avc: denied { write } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:03:08.248 978 978 I android.hardwar: type=1400 audit(0.0:12): avc: denied { read } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:hal_fingerprint_default:s0 tclass=netlink_socket permissive=1 03-18 12:56:30.446 404 404 E SELinux : avc: denied { add } for interface=vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon sid=u:r:hal_fingerprint_default:s0 pid=967 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_hwservice:s0 tclass=hwservice_manager permissive=1 Bug: 171943101 Test: No above avc denials in logcat. Change-Id: I67b397f86c39625b77ebe6d32d37e42cd87b3f93
---
 tracking_denials/hal_fingerprint_default.te | 52 -------------------
 .../vendor/google/hal_fingerprint_default.te | 6 ++-
 whitechapel/vendor/google/hwservice.te | 3 ++
 whitechapel/vendor/google/hwservice_contexts | 3 ++
 4 files changed, 11 insertions(+), 53 deletions(-)
 delete mode 100644 tracking_denials/hal_fingerprint_default.te
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
deleted file mode 100644
index 0fced323..00000000
--- a/tracking_denials/hal_fingerprint_default.te
+++ /dev/null
@@ -1,52 +0,0 @@
-# b/174438167
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default system_data_root_file:file { read };
-dontaudit hal_fingerprint_default system_data_root_file:file { open };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-dontaudit hal_fingerprint_default device:chr_file { open };
-dontaudit hal_fingerprint_default device:chr_file { read write };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-dontaudit hal_fingerprint_default device:chr_file { ioctl };
-dontaudit hal_fingerprint_default device:chr_file { open };
-dontaudit hal_fingerprint_default system_data_root_file:file { read };
-dontaudit hal_fingerprint_default system_data_root_file:file { open };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default device:chr_file { ioctl };
-dontaudit hal_fingerprint_default device:chr_file { read write };
-# b/174714991
-dontaudit hal_fingerprint_default system_data_file:file { read };
-dontaudit hal_fingerprint_default system_data_file:file { open };
-dontaudit hal_fingerprint_default system_data_file:file { read };
-dontaudit hal_fingerprint_default system_data_file:file { open };
-# b/177966377
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-# b/180655836
-dontaudit hal_fingerprint_default system_data_root_file:dir { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { write };
-dontaudit hal_fingerprint_default system_data_root_file:file { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { create };
-dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
-dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
diff --git a/whitechapel/vendor/google/hal_fingerprint_default.te b/whitechapel/vendor/google/hal_fingerprint_default.te
index 9e2ecb96..d22b6b0f 100644
--- a/whitechapel/vendor/google/hal_fingerprint_default.te
+++ b/whitechapel/vendor/google/hal_fingerprint_default.te
@@ -1,2 +1,6 @@
 allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
-
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default sysfs_batteryinfo:file r_file_perms;
+allow hal_fingerprint_default sysfs_batteryinfo:dir search;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te
index 0b489022..fc52990a 100644
--- a/whitechapel/vendor/google/hwservice.te
+++ b/whitechapel/vendor/google/hwservice.te
@@ -18,3 +18,6 @@ type hal_wlc_hwservice, hwservice_manager_type;
 # Bluetooth HAL extension
 type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
+
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts
index 64a59cb6..dfe9cfb5 100644
--- a/whitechapel/vendor/google/hwservice_contexts
+++ b/whitechapel/vendor/google/hwservice_contexts
@@ -26,3 +26,6 @@ vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_w
 # Bluetooth HAL extension
 hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
 hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
+
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
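Review bot: The new `allow hal_fingerprint_default tee_device:chr_file rw_file_perms;` grants unrestricted ioctl on the Trusty IPC device (rw_file_perms includes ioctl), while the only command visible in the quoted denials is ioctlcmd=0x7280; once the HAL's full ioctl set is confirmed it should be pinned with an extended-permission rule such as `allowxperm hal_fingerprint_default tee_device:chr_file ioctl { 0x7280 };`. That set may be wider than the log shows, because the tracking_denials file deleted in the first hunk previously dontaudit-ed tee_device ioctl denials, so they would not have appeared in logcat. None of the five added rules says why a fingerprint HAL needs battery temperature, a netlink socket or the TEE device; a one-line comment above each rule citing the bug and the resource, e.g. `# b/171943101: /dev/trusty-ipc-dev0` above the tee_device line, would let the next reviewer judge the grant without re-reading the commit message.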
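Review bot: `type hal_fingerprint_ext_hwservice, hwservice_manager_type;` is declared without the `vendor_hwservice_type` attribute that the adjacent `hal_bluetooth_coexistence_hwservice` declaration carries; if that is deliberate (the `hal_wlc_hwservice` line in the hunk header also omits it), a short comment saying so would stop the next reader from adding it reflexively, and if not, the attribute should be added here since the hwservice_contexts hunk and the add_hwservice line now depend on this type. The `# Fingerprint` comment could also name what the type labels, e.g. `# Fingerprint HAL extension (Goodix daemon interface)`, matching the `# Bluetooth HAL extension` style above it.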