fingerprint: Fix avc errors

Bug: 207062260 Test: boot with no relevant error on C10 Change-Id: I6d3b74c34d2344c4e889afaf8bb99278785e5416
2021-11-14 20:48:27 +08:00 · 2021-11-14 20:48:27 +08:00 · 8d3c4a7b4e
commit 8d3c4a7b4e
parent 2720d2ac38
7 changed files with 25 additions and 33 deletions
--- a/tracking_denials/hal_fingerprint_default.te
+++ b/tracking_denials/hal_fingerprint_default.te
@ -1,31 +0,0 @@
-# b/205073231
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { getattr };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { map };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { open };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { read };
-# b/205656936
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { open };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-# b/205904310
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-# b/207062260
-dontaudit hal_fingerprint_default default_prop:property_service { set };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default init:unix_stream_socket { connectto };
-dontaudit hal_fingerprint_default property_socket:sock_file { write };
-dontaudit hal_fingerprint_default sysfs_chosen:dir { search };
-dontaudit hal_fingerprint_default sysfs_chosen:file { open };
-dontaudit hal_fingerprint_default sysfs_chosen:file { read };
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@ -5,6 +5,7 @@ type custom_ab_block_device, dev_type;
 type persist_block_device, dev_type;
 type efs_block_device, dev_type;
 type modem_userdata_block_device, dev_type;
+type mfg_data_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@ -155,6 +155,7 @@
 /dev/block/platform/14700000\.ufs/by-name/gsa_[ab]                          u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/ldfw_[ab]                         u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/metadata                          u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data                          u:object_r:mfg_data_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/misc                              u:object_r:misc_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/modem_[ab]                        u:object_r:modem_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/modem_userdata                    u:object_r:modem_userdata_block_device:s0
--- a/whitechapel_pro/hal_fingerprint_default.te
+++ b/whitechapel_pro/hal_fingerprint_default.te
@ -1,5 +1,19 @@
-hal_client_domain(hal_fingerprint_default, hal_power)
-add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;

 allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
 allow hal_fingerprint_default block_device:dir search;
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@ -21,3 +21,5 @@ vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_logger_prop)

+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@ -80,3 +80,6 @@ persist.vendor.sys.                        u:object_r:vendor_persist_sys_default
 # for gps
 vendor.gps                                 u:object_r:vendor_gps_prop:s0

+# Fingerprint
+vendor.fingerprint.                        u:object_r:vendor_fingerprint_prop:s0
+vendor.gf.                                 u:object_r:vendor_fingerprint_prop:s0
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@ -16,3 +16,5 @@ set_prop(vendor_init, vendor_nfc_prop)
 set_prop(vendor_init, vendor_secure_element_prop)
 allow vendor_init sysfs_st33spi:file w_file_perms;

+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)