From 4963317cad13314317ef632b0a0dd29e32a2d34f Mon Sep 17 00:00:00 2001
From: Kris Chen
Date: Tue, 20 Dec 2022 12:26:48 +0800
Subject: [PATCH] zuma: fingerprint: fix SELinux denails
Bug: 261105164
Test: boot with no relevant error on p23 device
Change-Id: I8d897693685591a042c5febfeca0121375749b8e
---
 legacy/whitechapel_pro/device.te | 1 -
 legacy/whitechapel_pro/file_contexts | 3 --
 legacy/whitechapel_pro/hwservice.te | 4 ---
 legacy/whitechapel_pro/hwservice_contexts | 3 --
 legacy/whitechapel_pro/property.te | 3 --
 legacy/whitechapel_pro/property_contexts | 4 ---
 system_ext/private/platform_app.te | 2 ++
 tracking_denials/hal_fingerprint_default.te | 31 ------------------
 vendor/device.te | 1 +
 vendor/file.te | 3 ++
 vendor/file_contexts | 3 ++
 vendor/genfs_contexts | 3 ++
 vendor/hal_fingerprint_default.te | 35 +++++++++++++++++++++
 vendor/hwservice.te | 2 ++
 vendor/hwservice_contexts | 2 ++
 vendor/property.te | 2 ++
 vendor/property_contexts | 4 +++
 vendor/vendor_init.te | 2 ++
 18 files changed, 59 insertions(+), 49 deletions(-)
 create mode 100644 system_ext/private/platform_app.te
 delete mode 100644 tracking_denials/hal_fingerprint_default.te
 create mode 100644 vendor/hal_fingerprint_default.te
 create mode 100644 vendor/hwservice.te
 create mode 100644 vendor/hwservice_contexts
 create mode 100644 vendor/property.te
 create mode 100644 vendor/vendor_init.te
diff --git a/legacy/whitechapel_pro/device.te b/legacy/whitechapel_pro/device.te
index 0793bab9..cf3eae0f 100644
--- a/legacy/whitechapel_pro/device.te
+++ b/legacy/whitechapel_pro/device.te
@@ -3,7 +3,6 @@ type sg_device, dev_type;
 type vendor_toe_device, dev_type;
 type lwis_device, dev_type;
 type rls_device, dev_type;
-type fingerprint_device, dev_type;
 type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
 type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
diff --git a/legacy/whitechapel_pro/file_contexts b/legacy/whitechapel_pro/file_contexts
index 70e36b46..12a65bf9 100644
--- a/legacy/whitechapel_pro/file_contexts
+++ b/legacy/whitechapel_pro/file_contexts
@@ -3,8 +3,6 @@
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty u:object_r:hal_keymint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.contexthub-service\.generic u:object_r:hal_contexthub_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
-/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
 
 # Vendor Firmwares
@@ -41,7 +39,6 @@
 /dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
 /dev/dma_heap/vstream-secure u:object_r:dmabuf_system_secure_heap_device:s0
 /dev/bigwave u:object_r:video_device:s0
-/dev/goodix_fp u:object_r:fingerprint_device:s0
 /dev/stmvl53l1_ranging u:object_r:rls_device:s0
 /dev/watchdog0 u:object_r:watchdog_device:s0
 /dev/dri/card0 u:object_r:graphics_device:s0
diff --git a/legacy/whitechapel_pro/hwservice.te b/legacy/whitechapel_pro/hwservice.te
index c4c04fd4..e3493e0d 100644
--- a/legacy/whitechapel_pro/hwservice.te
+++ b/legacy/whitechapel_pro/hwservice.te
@@ -1,6 +1,2 @@
 # WLC
 type hal_wlc_hwservice, hwservice_manager_type;
-
-# Fingerprint
-type hal_fingerprint_ext_hwservice, hwservice_manager_type;
-
diff --git a/legacy/whitechapel_pro/hwservice_contexts b/legacy/whitechapel_pro/hwservice_contexts
index dbff7ee9..ed13c78b 100644
--- a/legacy/whitechapel_pro/hwservice_contexts
+++ b/legacy/whitechapel_pro/hwservice_contexts
@@ -1,6 +1,3 @@
-# Fingerprint
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
-
 # Wireless charger hal
 vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
 
diff --git a/legacy/whitechapel_pro/property.te b/legacy/whitechapel_pro/property.te
index 676fa651..d5af6296 100644
--- a/legacy/whitechapel_pro/property.te
+++ b/legacy/whitechapel_pro/property.te
@@ -13,9 +13,6 @@ vendor_internal_prop(vendor_persist_sys_default_prop)
 vendor_internal_prop(vendor_logger_prop)
 vendor_internal_prop(vendor_display_prop)
 
-# Fingerprint
-vendor_internal_prop(vendor_fingerprint_prop)
-
 # UWB calibration
 system_vendor_config_prop(vendor_uwb_calibration_prop)
 
diff --git a/legacy/whitechapel_pro/property_contexts b/legacy/whitechapel_pro/property_contexts
index 1a42d9b8..af67353e 100644
--- a/legacy/whitechapel_pro/property_contexts
+++ b/legacy/whitechapel_pro/property_contexts
@@ -35,10 +35,6 @@ persist.vendor.sys. u:object_r:vendor_persist_sys_default
 vendor.gps. u:object_r:vendor_gps_prop:s0
 persist.vendor.gps. u:object_r:vendor_gps_prop:s0
 
-# Fingerprint
-vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
-vendor.gf. u:object_r:vendor_fingerprint_prop:s0
-
 #uwb
 ro.vendor.uwb.calibration. u:object_r:vendor_uwb_calibration_prop:s0 exact string
 
diff --git a/system_ext/private/platform_app.te b/system_ext/private/platform_app.te
new file mode 100644
index 00000000..20042f25
--- /dev/null
+++ b/system_ext/private/platform_app.te
@@ -0,0 +1,2 @@
+# allow systemui access to fingerprint
+hal_client_domain(platform_app, hal_fingerprint)
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
deleted file mode 100644
index 51dd2105..00000000
--- a/tracking_denials/hal_fingerprint_default.te
+++ /dev/null
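Review bot: The comment on `hal_client_domain(platform_app, hal_fingerprint)` names SystemUI, but `platform_app` is the domain of every platform-signed app that does not run in the system UID, so the fingerprint HAL client access is granted to all of them, not to SystemUI alone. The comment should state that scope so the next reader does not assume the grant is narrower than it is, e.g. `# SystemUI runs as platform_app; this makes every platform_app domain a client of the fingerprint HAL`. If a narrower domain for SystemUI exists in this policy it would be the better target, but nothing in this change shows one.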
@@ -1,31 +0,0 @@
-# b/261105164
-dontaudit hal_fingerprint_default block_device:dir { search };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { open };
-dontaudit hal_fingerprint_default dmabuf_system_heap_device:chr_file { read };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { open };
-dontaudit hal_fingerprint_default fingerprint_device:chr_file { read write };
-dontaudit hal_fingerprint_default fwk_stats_service:service_manager { find };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
-dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
-dontaudit hal_fingerprint_default hal_power_default:binder { call };
-dontaudit hal_fingerprint_default hal_power_service:service_manager { find };
-dontaudit hal_fingerprint_default mfg_data_block_device:blk_file { open };
-dontaudit hal_fingerprint_default mfg_data_block_device:blk_file { read write };
-dontaudit hal_fingerprint_default sysfs_chosen:dir { search };
-dontaudit hal_fingerprint_default sysfs_chosen:file { open };
-dontaudit hal_fingerprint_default sysfs_chosen:file { read };
-dontaudit hal_fingerprint_default sysfs_display:file { getattr };
-dontaudit hal_fingerprint_default sysfs_display:file { open };
-dontaudit hal_fingerprint_default sysfs_display:file { read };
-dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
-dontaudit hal_fingerprint_default tee_device:chr_file { open };
-dontaudit hal_fingerprint_default tee_device:chr_file { read write };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { getattr };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { map };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { open };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:file { read };
-dontaudit hal_fingerprint_default vendor_fingerprint_prop:property_service { set };
diff --git a/vendor/device.te b/vendor/device.te
index b94ed73b..d2e086ab 100644
--- a/vendor/device.te
+++ b/vendor/device.te
@@ -4,6 +4,7 @@ type devinfo_block_device, dev_type;
 type mfg_data_block_device, dev_type;
 type logbuffer_device, dev_type;
 type gxp_device, dev_type;
+type fingerprint_device, dev_type;
 
 # SecureElement SPI device
 type st54spi_device, dev_type;
diff --git a/vendor/file.te b/vendor/file.te
index 3e4f7bef..4c690a2f 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -3,3 +3,6 @@ type persist_display_file, file_type, vendor_persist_type;
 
 #sysfs
 type sysfs_mfc, sysfs_type, fs_type;
+
+# Trusty
+type sysfs_trusty, sysfs_type, fs_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index 324bf6c9..fd709553 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -5,6 +5,8 @@
 /vendor/bin/hw/android\.hardware\.gxp\.logging@service-gxp-logging u:object_r:gxp_logging_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats-service\.pixel u:object_r:hal_power_stats_default_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.usb-service u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.usb\.gadget-service u:object_r:hal_usb_gadget_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
@@ -65,6 +67,7 @@
 /dev/block/platform/13200000\.ufs/by-name/vendor_kernel_boot_[ab] u:object_r:custom_ab_block_device:s0
 /dev/gxp u:object_r:gxp_device:s0
 /dev/mali0 u:object_r:gpu_device:s0
+/dev/goodix_fp u:object_r:fingerprint_device:s0
 /dev/logbuffer_usbpd u:object_r:logbuffer_device:s0
 /dev/logbuffer_ssoc u:object_r:logbuffer_device:s0
 /dev/logbuffer_wireless u:object_r:logbuffer_device:s0
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index 75c4dc63..fe5dc94d 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -211,3 +211,6 @@ genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup
 genfscon sysfs /devices/platform/sound-aoc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/virtual/wakeup/wakeup u:object_r:sysfs_wakeup:s0
 
+# Trusty
+genfscon sysfs /module/trusty_virtio/parameters/use_high_wq u:object_r:sysfs_trusty:s0
+genfscon sysfs /module/trusty_core/parameters/use_high_wq u:object_r:sysfs_trusty:s0
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
new file mode 100644
index 00000000..912776dd
--- /dev/null
+++ b/vendor/hal_fingerprint_default.te
@@ -0,0 +1,35 @@
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
+
+allow hal_fingerprint_default fwk_stats_service:service_manager find;
+get_prop(hal_fingerprint_default, fingerprint_ghbm_prop)
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
+
+# allow fingerprint to access power hal
+hal_client_domain(hal_fingerprint_default, hal_power);
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_fingerprint_default, sysfs_chosen)
+
+# Allow fingerprint to access calibration blk device.
+allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
+allow hal_fingerprint_default block_device:dir search;
+
+# Allow fingerprint to access fwk_sensor_hwservice
+allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow fingerprint to read sysfs_display
+allow hal_fingerprint_default sysfs_display:file r_file_perms;
+
+# Allow fingerprint to access trusty sysfs
+allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
+
+# Allow fingerprint to access display hal
+allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
+binder_call(hal_fingerprint_default, hal_graphics_composer_default)
+
+# allow fingerprint to access thermal hal
+hal_client_domain(hal_fingerprint_default, hal_thermal);
diff --git a/vendor/hwservice.te b/vendor/hwservice.te
new file mode 100644
index 00000000..68b8dd7d
--- /dev/null
+++ b/vendor/hwservice.te
@@ -0,0 +1,2 @@
+# Fingerprint
+type hal_fingerprint_ext_hwservice, hwservice_manager_type;
diff --git a/vendor/hwservice_contexts b/vendor/hwservice_contexts
new file mode 100644
index 00000000..9f86e043
--- /dev/null
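Review bot: `allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;` grants the HAL write access to the two kernel module parameter files that vendor/genfs_contexts labels sysfs_trusty (`/module/trusty_virtio/parameters/use_high_wq` and `/module/trusty_core/parameters/use_high_wq`), while the comment above it says only "access". If the HAL only reads the parameter, `allow hal_fingerprint_default sysfs_trusty:file r_file_perms;` is the narrower rule; if it does write it, the comment should say so, e.g. `# Allow fingerprint to read and set use_high_wq on the trusty drivers (sysfs_trusty)`. The deleted tracking_denials list carries no sysfs entry for these paths, so it is not visible here which observed denial motivates the write side. A smaller style point: the two `hal_client_domain(...)` lines end in `;` while `binder_call(...)`, `add_hwservice(...)` and the `hal_client_domain` line in system_ext/private/platform_app.te do not; dropping the semicolons keeps the macro calls uniform.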
+++ b/vendor/hwservice_contexts
@@ -0,0 +1,2 @@
+# Fingerprint
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0
diff --git a/vendor/property.te b/vendor/property.te
new file mode 100644
index 00000000..4ec3d495
--- /dev/null
+++ b/vendor/property.te
@@ -0,0 +1,2 @@
+# Fingerprint
+vendor_internal_prop(vendor_fingerprint_prop)
diff --git a/vendor/property_contexts b/vendor/property_contexts
index a619af72..5ddad15a 100644
--- a/vendor/property_contexts
+++ b/vendor/property_contexts
@@ -3,3 +3,7 @@ persist.vendor.camera. u:object_r:vendor_camera_prop:s0
 vendor.camera. u:object_r:vendor_camera_prop:s0
 vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
 vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# Fingerprint
+vendor.fingerprint. u:object_r:vendor_fingerprint_prop:s0
+vendor.gf. u:object_r:vendor_fingerprint_prop:s0
diff --git a/vendor/vendor_init.te b/vendor/vendor_init.te
new file mode 100644
index 00000000..30052a20
--- /dev/null
+++ b/vendor/vendor_init.te
@@ -0,0 +1,2 @@
+# Fingerprint property
+set_prop(vendor_init, vendor_fingerprint_prop)
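Review bot: The `vendor.gf.` prefix in the vendor/property_contexts hunk is labelled vendor_fingerprint_prop with no explanation of what "gf" stands for or which component sets it, so a later reader cannot tell it apart from a stray entry. Since both prefixes are matched as prefixes and, with the set_prop rules in vendor/hal_fingerprint_default.te and vendor/vendor_init.te, every property under them becomes settable by the fingerprint HAL and vendor_init, the comment should name the owner, e.g. `# Fingerprint: vendor.fingerprint.* and vendor.gf.* are set by the Goodix HAL and vendor_init`; that "gf" is the Goodix prefix is presumed from the goodix service names in this change and should be confirmed.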