From a7bb762dc5fc4588ec877f6cde60e1931d5da5f3 Mon Sep 17 00:00:00 2001
From: Albert Chen <albchen@google.com>
Date: Thu, 14 Nov 2024 00:50:25 +0000
Subject: [PATCH] Add IFingerprintDebug service context and Overlay
 permissions.

avc:  denied  { add } for pid=2023 uid=1000 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
avc:  denied  { find } for pid=5125 uid=10181 name=com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default scontext=u:r:priv_app:s0:c512,c768 tcontext=u:object_r:default_android_service:s0 tclass=service_manager permissive=1
avc:  denied  { call } for  scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay
avc:  denied  { transfer } for  scontext=u:r:priv_app:s0:c512,c768 tcontext=u:r:hal_fingerprint_default:s0 tclass=binder permissive=1 app=com.google.android.apps.overlay
avc:  denied  { call } for  scontext=u:r:hal_fingerprint_default:s0 tcontext=u:r:priv_app:s0:c512,c768 tclass=binder permissive=1

Test: Verify above avc denials no longer seen.
Bug: 332777935
Bug: 388112743
Flag: EXEMPT SEPolicy change.
Change-Id: I5cedc00c3be03f5ee1b6e1168917fccc9538421e
---
 vendor/hal_fingerprint_debug.te | 27 +++++++++++++++++++++++++++
 vendor/service_contexts         |  1 +
 2 files changed, 28 insertions(+)
 create mode 100644 vendor/hal_fingerprint_debug.te

diff --git a/vendor/hal_fingerprint_debug.te b/vendor/hal_fingerprint_debug.te
new file mode 100644
index 0000000..d8cb4bc
--- /dev/null
+++ b/vendor/hal_fingerprint_debug.te
@@ -0,0 +1,27 @@
+# SE policies for IFingerprintDebug
+userdebug_or_eng(`
+    type hal_fingerprint_debug_service, hal_service_type, protected_service, service_manager_type;
+
+    # Declare domains for the debug host HAL server/client.
+    hal_attribute(fingerprint_debug)
+
+    hal_server_domain(hal_fingerprint_default, hal_fingerprint_debug)
+
+    # Ensure that the server and client can communicate with each other,
+    # bi-directionally (in the case of callbacks from server to client, for
+    # example).
+    binder_call(hal_fingerprint_debug_client, hal_fingerprint_debug_server)
+    binder_call(hal_fingerprint_debug_server, hal_fingerprint_debug_client)
+
+    binder_call(hal_fingerprint_debug_server, servicemanager)
+    hal_attribute_service(hal_fingerprint_debug, hal_fingerprint_debug_service)
+
+    # Declare a domain for the debug application (Overlay).
+    type fingerprint_debug_app, domain;
+
+    # Allow all priv-apps to communicate with the fingerprint debug HAL on
+    # userdebug or eng builds.
+    hal_client_domain(priv_app, hal_fingerprint_debug)
+
+    binder_call(priv_app, hal_fingerprint_default)
+')
diff --git a/vendor/service_contexts b/vendor/service_contexts
index c50b46f..b889a00 100644
--- a/vendor/service_contexts
+++ b/vendor/service_contexts
@@ -1,4 +1,5 @@
 vendor.qti.hardware.fingerprint.IQfpExtendedFingerprint/default   u:object_r:hal_fingerprint_service:s0
+com.google.hardware.biometrics.fingerprint.debug.IFingerprintDebug/default   u:object_r:hal_fingerprint_debug_service:s0
 com.google.hardware.pixel.display.IDisplay/default                u:object_r:hal_pixel_display_service:s0
 vendor.google.wireless_charger.IWirelessCharger/default           u:object_r:hal_wireless_charger_service:s0
 hardware.qorvo.uwb.IUwbVendor/default                             u:object_r:hal_uwb_vendor_service:s0