Add IFingerprintDebug service context and Overlay permissions

avc: denied { add } for pid=2023 uid=1000 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 avc: denied { find } for pid=5125 uid=10181 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1 avc: denied { call } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay avc: denied { transfer } for scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay avc: denied { call } for scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=binder permissive=1 Test: Compile for userdebug and user. Verify above avc denials no longer seen. Bug: 332777935 Bug: 388112743 Flag: EXEMPT SEPolicy change. Change-Id: Ibc879badca5ff745671e3a7050ba70cadb8ac92e
2025-01-30 19:37:44 +00:00 · 2025-01-30 19:37:44 +00:00 · 2299ef16ef
commit 2299ef16ef
parent 2cea35ed07
2 changed files with 25 additions and 0 deletions
--- a/vendor/hal_fingerprint_debug.te
+++ b/vendor/hal_fingerprint_debug.te
@ -0,0 +1,24 @@
+# SE policies for IFingerprintDebug
+type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
+
+userdebug_or_eng(`
+    # Declare domains for the debug host HAL server/client.
+    hal_attribute(fingerprint_debug)
+
+    hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
+
+    # Ensure that the server and client can communicate with each other,
+    # bi-directionally (in the case of callbacks from server to client, for
+    # example).
+    binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
+    binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
+
+    binder_call(hal_fingerprint_debug_server, servicemanager)
+    hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
+
+    # Allow all priv-apps to communicate with the fingerprint debug HAL on
+    # userdebug or eng builds.
+    hal_client_domain(priv_app, hal_fingerprint_debug)
+
+    binder_call(priv_app, hal_fingerprint_default)
+')
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@ -1,4 +1,5 @@
 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default   u:object_r:hal_fingerprint_service:s0
+com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default   u:object_r:hal_fingerprint_debug_service:s0
 com.google.hardware.pixel.display.IDisplay/default                u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default           u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default                             u:object_r:hal_uwb_vendor_service:s0