From 49e3588429bcc5b0eddb0ffa5431d37bcc1990bf Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 25 Nov 2016 18:00:38 -0800
Subject: [PATCH] Add directory read permissions to certain domains.

Addresses the following denials and auditallows:

avc: denied { read } for pid=561 comm="hwservicemanage" name="hw"
dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0

avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0"
ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0

avc: granted { read open } for pid=735 comm="fingerprintd"
path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0
tcontext=u:object_r:system_file:s0 tclass=dir

Test: no denials on boot
Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f
---
 public/domain_deprecated.te | 1 +
 public/fingerprintd.te      | 3 +++
 public/gatekeeperd.te       | 3 +++
 public/hwservicemanager.te  | 3 +++
 4 files changed, 10 insertions(+)

diff --git a/public/domain_deprecated.te b/public/domain_deprecated.te
index b19870368..a8320b51d 100644
--- a/public/domain_deprecated.te
+++ b/public/domain_deprecated.te
@@ -27,6 +27,7 @@ allow domain_deprecated system_file:file r_file_perms;
 auditallow {
   domain_deprecated
   -appdomain
+  -fingerprintd
   -init
   -installd
   -rild
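Review bot: The new `-fingerprintd` exclusion carries no explanation, so a later reader cannot tell whether the auditallow was deliberately narrowed or simply forgotten for this domain. The reason is the explicit `system_file:dir` rule this same commit adds in fingerprintd.te, which makes the "granted" record quoted in the commit message redundant, and that hand-off is worth recording next to the exclusion so it is removed together with the deprecated membership: `-fingerprintd # has its own system_file:dir rule in fingerprintd.te`. Note that gatekeeperd and hwservicemanager are not added here; their avc entries are plain denials, which suggests they are not domain_deprecated members, but that cannot be confirmed from the hunk. The auditallow set continues past the end of the hunk.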
diff --git a/public/fingerprintd.te b/public/fingerprintd.te
index b541e34ef..b27f014cf 100644
--- a/public/fingerprintd.te
+++ b/public/fingerprintd.te
@@ -3,6 +3,9 @@ type fingerprintd_exec, exec_type, file_type;
 
 binder_use(fingerprintd)
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow fingerprintd system_file:dir r_dir_perms;
+
 # need to find KeyStore and add self
 allow fingerprintd fingerprintd_service:service_manager { add find };
 
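Review bot: The rule on the added `allow fingerprintd system_file:dir r_dir_perms;` line grants read and search on every directory labelled system_file, not only /system/lib64/hw as the comment above it states; the identical rules added in gatekeeperd.te and hwservicemanager.te have the same gap between comment and effect. The avc records in the commit message show only name="hw", so the permitted surface is wider than the observed need, and hwservicemanager in particular is a highly privileged domain for such a blanket directory grant. A dedicated type for the HAL directory would narrow this, but whether one exists in this policy is not visible here. Until then the comment should say what is really granted: `# Scan through /system/lib64/hw looking for installed HALs. system_file covers all of /system, so this permits listing any system_file directory.`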
diff --git a/public/gatekeeperd.te b/public/gatekeeperd.te
index 13d2db729..f6ec1abbf 100644
--- a/public/gatekeeperd.te
+++ b/public/gatekeeperd.te
@@ -10,6 +10,9 @@ allow gatekeeperd ion_device:chr_file r_file_perms;
 # need to find KeyStore and add self
 allow gatekeeperd gatekeeper_service:service_manager { add find };
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow gatekeeperd system_file:dir r_dir_perms;
+
 # Need to add auth tokens to KeyStore
 use_keystore(gatekeeperd)
 allow gatekeeperd keystore:keystore_key { add_auth };
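Review bot: The added block is inserted between the two KeyStore rule groups (`# need to find KeyStore and add self` and `# Need to add auth tokens to KeyStore`), which splits logically related rules, whereas fingerprintd.te places the same rule before its KeyStore block. Moving the three new lines above `# need to find KeyStore and add self` keeps the KeyStore rules contiguous and matches the layout used in the sibling file. This is placement only; the rule itself is unchanged.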
diff --git a/public/hwservicemanager.te b/public/hwservicemanager.te
index cbb47e525..f179599b2 100644
--- a/public/hwservicemanager.te
+++ b/public/hwservicemanager.te
@@ -13,6 +13,9 @@ allow hwservicemanager { domain -init }:binder transfer;
 
 set_prop(hwservicemanager, hwservicemanager_prop)
 
+# Scan through /system/lib64/hw looking for installed HALs
+allow hwservicemanager system_file:dir r_dir_perms;
+
 # TODO once hwservicemanager checks whether HALs are
 # allowed to register a certain service, add policy here
 # for allowing to check SELinux permissions.
-- 
GitLab