device_google_zumapro/sepolicy/vendor/hal_fingerprint_default.te

# SE policies for fingerprint
allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;

allow hal_fingerprint_default fwk_stats_service:service_manager find;
set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)

# allow fingerprint to access power hal
hal_client_domain(hal_fingerprint_default, hal_power);

# Allow access to the files of CDT information.
r_dir_file(hal_fingerprint_default, sysfs_chosen)

# Allow fingerprint to access calibration blk device.
allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
allow hal_fingerprint_default block_device:dir search;

# Allow fingerprint to access fwk_sensor_hwservice
allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;

# Allow fingerprint to access sysfs_display
allow hal_fingerprint_default sysfs_display:file rw_file_perms;

# Allow fingerprint to access trusty sysfs
allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;

# Allow fingerprint to access display hal
allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
binder_call(hal_fingerprint_default, hal_graphics_composer_default)

# allow fingerprint to access thermal hal
hal_client_domain(hal_fingerprint_default, hal_thermal);

# allow fingerprint to read sysfs_leds
allow hal_fingerprint_default sysfs_leds:file r_file_perms;
allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;

# allow fingerprint to wakeup to trigger calibration scans and sleep after
allow hal_fingerprint_default self:capability2 wake_alarm;
allow hal_fingerprint_default self:capability2 block_suspend;

# allow fingerprint to search for files
# TODO: b/297562630 - remove unecessary permissions once not needed
allow hal_fingerprint_default mnt_vendor_file:dir search;
allow hal_fingerprint_default vendor_misc_data_file:dir search;
allow hal_fingerprint_default persist_file:dir search;

# allow fingerprint to rw config and calibration files in persist
# TODO: b/297562630 - remove unecessary permissions once not needed
allow hal_fingerprint_default persist_fingerprint_file:dir search;
allow hal_fingerprint_default persist_fingerprint_file:file create_file_perms;

# allow fingerprint to rw data files
# TODO: b/297562630 - remove unecessary permissions once not needed
allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;
allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;

# Allow fingerprint to rw lhbm files
allow hal_fingerprint_default sysfs_lhbm:file rw_file_perms;

# Allow fingerprint to access sysfs_aoc_udfps
allow hal_fingerprint_default sysfs_aoc:dir search;
allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;