From 090928722eb595f483f8c34d3cffb850c4b5591c Mon Sep 17 00:00:00 2001
From: chenkris <chenkris@google.com>
Date: Tue, 28 May 2024 10:43:36 +0000
Subject: [PATCH] Add sepolicy for fingerprint HAL to check NSP file

Fix the following avc denials:
avc:  denied  { search } for  name="copied" dev="dm-58" ino=428
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:modem_efs_image_file:s0 tclass=dir

avc:  denied  { search } for  name="persist" dev="dm-58" ino=443
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:persist_file:s0 tclass=dir

avc:  denied  { search } for  name="ss" dev="dm-58" ino=445
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:persist_ss_file:s0 tclass=dir

avc:  denied  { read } for  name="nsp" dev="dm-58" ino=15500
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:persist_ss_file:s0 tclass=file

avc:  denied  { open } for  path="/data/vendor/copied/persist/ss/nsp"
dev="dm-58" ino=15500
scontext=u:r:hal_fingerprint_default:s0
tcontext=u:object_r:persist_ss_file:s0 tclass=file

Bug: 335525798
Test: Use UDFPS repair tool to update calibration files
Change-Id: Ic233a07ced8fd828c0e4b4ae1cffa93763a83b42
---
 vendor/hal_fingerprint_default.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index b0a81160..2e9368ac 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -41,3 +41,9 @@ allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 # Allow fingerprint to access sysfs_aoc_udfps
 allow hal_fingerprint_default sysfs_aoc:dir search;
 allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;
+
+# Allow fingerprint to read nsp file
+allow hal_fingerprint_default modem_efs_image_file:dir search;
+allow hal_fingerprint_default persist_file:dir search;
+allow hal_fingerprint_default persist_ss_file:dir search;
+allow hal_fingerprint_default persist_ss_file:file r_file_perms;