From ac26d97317bce895532199075a5800a6e51bcbc9 Mon Sep 17 00:00:00 2001
From: Leo Hsieh
Date: Wed, 7 Aug 2024 15:23:25 +0800
Subject: [PATCH] Allow hal_fingerprint_default to access sysfs_aoc_udfps

Fix the following avc denial:
avc: denied { search } for name="17000000.aoc" dev="sysfs" ino=26962 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1
avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=110484 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
avc: denied { read } for name="udfps_get_disp_freq" dev="sysfs" ino=110486 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=109423 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0
Bug: 357976286
Test: Verify fingerprint HAL process can read/write to the sysfs node.
Flag: EXEMPT NDK
Change-Id: Ia8d6288812ef47dad2018d384f43374da7005a4a
---
 vendor/file.te | 1 +
 vendor/genfs_contexts | 3 +++
 vendor/hal_fingerprint_default.te | 4 ++++
 3 files changed, 8 insertions(+)

diff --git a/vendor/file.te b/vendor/file.te
index b4d0c51..46f792e 100644
--- a/vendor/file.te
+++ b/vendor/file.te
@@ -18,6 +18,7 @@ type sysfs_fabric, sysfs_type, fs_type;
 type sysfs_em_profile, sysfs_type, fs_type;
 type sysfs_ospm, sysfs_type, fs_type;
 type sysfs_lhbm, sysfs_type, fs_type;
+type sysfs_aoc_udfps, sysfs_type, fs_type;
 
 # debugfs
 type vendor_regmap_debugfs, fs_type, debugfs_type;
diff --git a/vendor/genfs_contexts b/vendor/genfs_contexts
index d70476c..f5d7758 100644
--- a/vendor/genfs_contexts
+++ b/vendor/genfs_contexts
@@ -464,6 +464,9 @@ genfscon sysfs /devices/platform/17000000.aoc/control/memory_exception u:ob
 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_a32 u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/17000000.aoc/control/memory_votes_ff1 u:object_r:sysfs_aoc_dumpstate:s0
 genfscon sysfs /devices/platform/17000000.aoc/notify_timeout_aoc_status u:object_r:sysfs_aoc_notifytimeout:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/udfps_set_clock_source u:object_r:sysfs_aoc_udfps:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_osc_freq u:object_r:sysfs_aoc_udfps:s0
+genfscon sysfs /devices/platform/17000000.aoc/control/udfps_get_disp_freq u:object_r:sysfs_aoc_udfps:s0
 
 # OTA
 genfscon sysfs /devices/platform/13200000.ufs/pixel/boot_lun_enabled u:object_r:sysfs_ota:s0
diff --git a/vendor/hal_fingerprint_default.te b/vendor/hal_fingerprint_default.te
index b3df80e..d101c16 100644
--- a/vendor/hal_fingerprint_default.te
+++ b/vendor/hal_fingerprint_default.te
@@ -60,3 +60,7 @@ allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perm
 
 # Allow fingerprint to rw lhbm files
 allow hal_fingerprint_default sysfs_lhbm:file rw_file_perms;
+
+# Allow fingerprint to access sysfs_aoc_udfps
+allow hal_fingerprint_default sysfs_aoc:dir search;
+allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;
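Review bot: The `rw_file_perms` rule added at the end of vendor/hal_fingerprint_default.te grants both read and write on every node labelled `sysfs_aoc_udfps`, which is wider than the denials quoted in the commit message: they show only write on `udfps_set_clock_source` and read on `udfps_get_disp_freq`, and nothing for `udfps_get_osc_freq`. If the two `udfps_get_*` nodes are meant to be read-only (their names suggest it, but the driver is not visible here), the tighter policy would label them with a separate type in the genfs_contexts hunk and grant that type `r_file_perms`, keeping write for the setter only. At minimum the comment should record the intent, for example `# udfps_set_clock_source is written, udfps_get_* are only read; search on sysfs_aoc is needed to traverse 17000000.aoc/control`. The `sysfs_aoc:dir search` grant itself looks minimal, since it allows path traversal but not listing the directory or opening other sysfs_aoc files.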