From 8d3c4a7b4efa248086199b3f73ec4dbd86f5a847 Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Sun, 14 Nov 2021 20:48:27 +0800
Subject: [PATCH] fingerprint: Fix avc errors

Bug: 207062260
Test: boot with no relevant error on C10
Change-Id: I6d3b74c34d2344c4e889afaf8bb99278785e5416
---
tracking_denials/hal_fingerprint_default.te | 31 ---------------------
whitechapel_pro/device.te | 1 +
whitechapel_pro/file_contexts | 1 +
whitechapel_pro/hal_fingerprint_default.te | 18 ++++++++++--
whitechapel_pro/property.te | 2 ++
whitechapel_pro/property_contexts | 3 ++
whitechapel_pro/vendor_init.te | 2 ++
7 files changed, 25 insertions(+), 33 deletions(-)
delete mode 100644 tracking_denials/hal_fingerprint_default.te
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
deleted file mode 100644
index 6698865e..00000000
--- a/tracking_denials/hal_fingerprint_default.te
+++ /dev/null
@@ -1,31 +0,0 @@
-# b/205073231
-dontaudit hal_fingerprint_default default_prop:file { getattr };
-dontaudit hal_fingerprint_default default_prop:file { map };
-dontaudit hal_fingerprint_default default_prop:file { open };
-dontaudit hal_fingerprint_default default_prop:file { read };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { getattr };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { map };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { open };
-dontaudit hal_fingerprint_default fingerprint_ghbm_prop:file { read };
-# b/205656936
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { open };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-# b/205904310
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-# b/207062260
-dontaudit hal_fingerprint_default default_prop:property_service { set };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default init:unix_stream_socket { connectto };
-dontaudit hal_fingerprint_default property_socket:sock_file { write };
-dontaudit hal_fingerprint_default sysfs_chosen:dir { search };
-dontaudit hal_fingerprint_default sysfs_chosen:file { open };
-dontaudit hal_fingerprint_default sysfs_chosen:file { read };
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index e6bb4fe0..d84d4c31 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -5,6 +5,7 @@ type custom_ab_block_device, dev_type;
 type persist_block_device, dev_type;
 type efs_block_device, dev_type;
 type modem_userdata_block_device, dev_type;
+type mfg_data_block_device, dev_type;
 type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 990bb541..b50d2f10 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -155,6 +155,7 @@
 /dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data u:object_r:mfg_data_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
 /dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
diff --git a/whitechapel_pro/hal_fingerprint_default.te b/whitechapel_pro/hal_fingerprint_default.te
index 4ddef392..8cb3ea83 100644
--- a/whitechapel_pro/hal_fingerprint_default.te
+++ b/whitechapel_pro/hal_fingerprint_default.te
@@ -1,5 +1,19 @@
-hal_client_domain(hal_fingerprint_default, hal_power)
-add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
 allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
 allow hal_fingerprint_default block_device:dir search;
diff --git a/whitechapel_pro/property.te b/whitechapel_pro/property.te
index c7c31aa3..4cc19982 100644
--- a/whitechapel_pro/property.te
+++ b/whitechapel_pro/property.te
@@ -21,3 +21,5 @@ vendor_internal_prop(vendor_ro_sys_default_prop)
 vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_logger_prop)
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
diff --git a/whitechapel_pro/property_contexts b/whitechapel_pro/property_contexts
index 417f0e43..f07c0112 100644
--- a/whitechapel_pro/property_contexts
+++ b/whitechapel_pro/property_contexts
@@ -80,3 +80,6 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default
 # for gps
 vendor.gps u:object_r:vendor_gps_prop:s0
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
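Review bot: `allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;` gives the fingerprint HAL write access to the raw mfg_data partition, while the comment above it speaks only of accessing calibration data and none of the removed dontaudit entries in this patch records a denial on that device. If the HAL only reads calibration, `allow hal_fingerprint_default mfg_data_block_device:blk_file r_file_perms;` would keep a compromised HAL from altering manufacturing data; if it does write, the comment should say what is written and when. Separately, `hal_client_domain(hal_fingerprint_default, hal_power);` carries a trailing semicolon that the other macro calls in this hunk do not have.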
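Review bot: The `vendor.gf.` prefix in the property_contexts hunk is mapped to vendor_fingerprint_prop with nothing in the patch saying which component owns that namespace, so every property under it becomes settable by hal_fingerprint_default and vendor_init through the set_prop rules added elsewhere in this patch. A comment along the lines of `# vendor.gf.*: set by the fingerprint vendor library` (exact owner to be confirmed by the author) would make the scope reviewable. Listing the specific property names rather than a whole prefix would narrow the grant further, if the set of names is known.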
diff --git a/whitechapel_pro/vendor_init.te b/whitechapel_pro/vendor_init.te
index e2ec60fa..d3f89291 100644
--- a/whitechapel_pro/vendor_init.te
+++ b/whitechapel_pro/vendor_init.te
@@ -16,3 +16,5 @@ set_prop(vendor_init, vendor_nfc_prop)
 set_prop(vendor_init, vendor_secure_element_prop)
 allow vendor_init sysfs_st33spi:file w_file_perms;
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)