ac26d97317
Fix the following avc denial:
avc: denied { search } for name="17000000.aoc" dev="sysfs" ino=26962 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=dir permissive=1
avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=110484 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
avc: denied { read } for name="udfps_get_disp_freq" dev="sysfs" ino=110486 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc:s0 tclass=file permissive=1
avc: denied { write } for name="udfps_set_clock_source" dev="sysfs" ino=109423 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs_aoc_udfps:s0 tclass=file permissive=0
Bug: 357976286
Test: Verify fingerprint HAL process can read/write to the sysfs node.
Flag: EXEMPT NDK
Change-Id: Ia8d6288812ef47dad2018d384f43374da7005a4a
66 lines
2.9 KiB
Text
66 lines
2.9 KiB
Text
# SE policies for fingerprint
|
|
allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
|
|
allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
|
|
allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
|
|
allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
|
|
|
|
allow hal_fingerprint_default fwk_stats_service:service_manager find;
|
|
set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
|
|
add_hwservice(hal_fingerprint_default, hal_fingerprint_ext_hwservice)
|
|
|
|
# allow fingerprint to access power hal
|
|
hal_client_domain(hal_fingerprint_default, hal_power);
|
|
|
|
# Allow access to the files of CDT information.
|
|
r_dir_file(hal_fingerprint_default, sysfs_chosen)
|
|
|
|
# Allow fingerprint to access calibration blk device.
|
|
allow hal_fingerprint_default mfg_data_block_device:blk_file rw_file_perms;
|
|
allow hal_fingerprint_default block_device:dir search;
|
|
|
|
# Allow fingerprint to access fwk_sensor_hwservice
|
|
allow hal_fingerprint_default fwk_sensor_hwservice:hwservice_manager find;
|
|
|
|
# Allow fingerprint to access sysfs_display
|
|
allow hal_fingerprint_default sysfs_display:file rw_file_perms;
|
|
|
|
# Allow fingerprint to access trusty sysfs
|
|
allow hal_fingerprint_default sysfs_trusty:file rw_file_perms;
|
|
|
|
# Allow fingerprint to access display hal
|
|
allow hal_fingerprint_default hal_pixel_display_service:service_manager find;
|
|
binder_call(hal_fingerprint_default, hal_graphics_composer_default)
|
|
|
|
# allow fingerprint to access thermal hal
|
|
hal_client_domain(hal_fingerprint_default, hal_thermal);
|
|
|
|
# allow fingerprint to read sysfs_leds
|
|
allow hal_fingerprint_default sysfs_leds:file r_file_perms;
|
|
allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
|
|
|
|
# allow fingerprint to wakeup to trigger calibration scans and sleep after
|
|
allow hal_fingerprint_default self:capability2 wake_alarm;
|
|
allow hal_fingerprint_default self:capability2 block_suspend;
|
|
|
|
# allow fingerprint to search for files
|
|
# TODO: b/297562630 - remove unecessary permissions once not needed
|
|
allow hal_fingerprint_default mnt_vendor_file:dir search;
|
|
allow hal_fingerprint_default vendor_misc_data_file:dir search;
|
|
allow hal_fingerprint_default persist_file:dir search;
|
|
|
|
# allow fingerprint to rw config and calibration files in persist
|
|
# TODO: b/297562630 - remove unecessary permissions once not needed
|
|
allow hal_fingerprint_default persist_fingerprint_file:dir search;
|
|
allow hal_fingerprint_default persist_fingerprint_file:file create_file_perms;
|
|
|
|
# allow fingerprint to rw data files
|
|
# TODO: b/297562630 - remove unecessary permissions once not needed
|
|
allow hal_fingerprint_default vendor_fingerprint_data_file:dir create_dir_perms;
|
|
allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
|
|
|
|
# Allow fingerprint to rw lhbm files
|
|
allow hal_fingerprint_default sysfs_lhbm:file rw_file_perms;
|
|
|
|
# Allow fingerprint to access sysfs_aoc_udfps
|
|
allow hal_fingerprint_default sysfs_aoc:dir search;
|
|
allow hal_fingerprint_default sysfs_aoc_udfps:file rw_file_perms;
|