From 54e0e5af8f4f0b4fd46cb1a015af079f6859e638 Mon Sep 17 00:00:00 2001
From: Jim Miller <jaggies@google.com>
Date: Thu, 15 Dec 2016 19:46:43 -0800
Subject: [PATCH] New SeLinux policy for fingerprint HIDL

Move from fingerprintd to the new fingerprint_hal and update the SELinux policy.

Test: Boot with no errors related to fingerprint sepolicy
Bug: 33199080
Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6
---
 private/file_contexts              |  1 +
 private/hal_fingerprint_default.te |  5 +++++
 public/attributes                  |  1 +
 public/file.te                     |  2 +-
 public/hal_fingerprint.te          | 23 +++++++++++++++++++++++
 public/service.te                  |  1 +
 public/system_server.te            |  2 ++
 7 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 private/hal_fingerprint_default.te
 create mode 100644 public/hal_fingerprint.te

diff --git a/private/file_contexts b/private/file_contexts
index 87673126b..450101614 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -238,6 +238,7 @@
 /system/bin/hw/android\.hardware\.bluetooth@1\.0-service      u:object_r:hal_bluetooth_default_exec:s0
 /system/bin/hw/android\.hardware\.boot@1\.0-service           u:object_r:hal_boot_exec:s0
 /system/bin/hw/android\.hardware\.contexthub@1\.0-service     u:object_r:hal_contexthub_default_exec:s0
+/system/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service u:object_r:hal_fingerprint_default_exec:s0
 /system/bin/hw/android\.hardware\.dumpstate@1\.0-service      u:object_r:hal_dumpstate_default_exec:s0
 /system/bin/hw/android\.hardware\.gatekeeper@1\.0-service     u:object_r:hal_gatekeeper_default_exec:s0
 /system/bin/hw/android\.hardware\.gnss@1\.0-service           u:object_r:hal_gnss_default_exec:s0
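Review bot: The added entry is out of order and out of column relative to its neighbours. The surrounding lines are sorted by HAL name with the label aligned, while `android\.hardware\.biometrics\.fingerprint@2\.1-service` sits between contexthub and dumpstate with a single space before its label. Placing it where the file's sort key puts it and aligning `u:object_r:hal_fingerprint_default_exec:s0` with the other labels keeps the list easy to audit for duplicate or shadowed patterns.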
diff --git a/private/hal_fingerprint_default.te b/private/hal_fingerprint_default.te
new file mode 100644
index 000000000..3903f8533
--- /dev/null
+++ b/private/hal_fingerprint_default.te
@@ -0,0 +1,5 @@
+type hal_fingerprint_default, hal_fingerprint, domain;
+type hal_fingerprint_default_exec, exec_type, file_type;
+# type_transition must be private policy the domain_trans rules could stay
+# public, but conceptually should go with this
+init_daemon_domain(hal_fingerprint_default)
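Review bot: The comment above `init_daemon_domain(hal_fingerprint_default)` is a run-on sentence and hard to parse. It can be read as saying the transition must be private, or that it could be public. I would write it as `# type_transition must be in private policy; the domain_trans rules could stay` / `# public, but conceptually belong with it.` so the reason this file lives under private/ is unambiguous.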
diff --git a/public/attributes b/public/attributes
index b310c1da1..30a6014cc 100644
--- a/public/attributes
+++ b/public/attributes
@@ -118,6 +118,7 @@ attribute update_engine_common;
 attribute hal_audio;
 attribute hal_bluetooth;
 attribute hal_dumpstate;
+attribute hal_fingerprint;
 attribute hal_gatekeeper;
 attribute hal_gnss;
 attribute hal_graphics_allocator;
diff --git a/public/file.te b/public/file.te
index 0365dc9e6..8b3b62c83 100644
--- a/public/file.te
+++ b/public/file.te
@@ -208,7 +208,7 @@ type backup_data_file, file_type, data_file_type, mlstrustedobject;
 # vary per device, so this type is used in per
 # device policy
 type bluetooth_efs_file, file_type;
-# Type for fingerprint template file.
+# Type for fingerprint template file
 type fingerprintd_data_file, file_type, data_file_type;
 # Type for appfuse file.
 type app_fuse_file, file_type, data_file_type, mlstrustedobject;
diff --git a/public/hal_fingerprint.te b/public/hal_fingerprint.te
new file mode 100644
index 000000000..426b73ad2
--- /dev/null
+++ b/public/hal_fingerprint.te
@@ -0,0 +1,23 @@
+hwbinder_use(hal_fingerprint)
+
+# Scan through /system/lib64/hw looking for installed HALs
+allow hal_fingerprint system_file:dir r_dir_perms;
+
+# allow HAL module to read dir contents
+allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(hal_fingerprint)
+allow hal_fingerprint keystore:keystore_key add_auth;
+
+# For permissions checking
+binder_call(hal_fingerprint, system_server);
+allow hal_fingerprint permission_service:service_manager find;
+
+# For memory allocation
+allow hal_fingerprint ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_fingerprint, cgroup)
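Review bot: The comments over the two `fingerprintd_data_file` rules do not match what the rules grant. The one reading "read dir contents" sits above `fingerprintd_data_file:file create_file_perms`, which lets the HAL create, write and unlink template files, and the one reading "read/write/unlink contents of this dir" sits above the `:dir rw_dir_perms` rule. I would reword them as `# Create, read, write and unlink fingerprint template files` and `# Add and remove entries in the template directory`, so an auditor sees the write access to fingerprint templates at a glance. Every rule in this file is attached to the `hal_fingerprint` attribute rather than to `hal_fingerprint_default`, so any domain later given that attribute also inherits template write access and `keystore_key add_auth`; a short header comment saying so would help. The closing `r_dir_file(hal_fingerprint, cgroup)` is the only grant with no comment explaining why the HAL needs it.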
diff --git a/public/service.te b/public/service.te
index 8fcf5d077..1b65b5aaf 100644
--- a/public/service.te
+++ b/public/service.te
@@ -6,6 +6,7 @@ type default_android_service,   service_manager_type;
 type drmserver_service,         service_manager_type;
 type dumpstate_service,         service_manager_type;
 type fingerprintd_service,      service_manager_type;
+type hal_fingerprint_service,   service_manager_type;
 type gatekeeper_service,        app_api_service, service_manager_type;
 type gpu_service,               service_manager_type;
 type inputflinger_service,      service_manager_type;
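Review bot: `hal_fingerprint_service` is declared here and `system_server` is allowed to `find` it in the second `public/system_server.te` hunk, but this patch adds no `service_contexts` entry assigning the type to a service name. Unless that mapping lands elsewhere, the type labels nothing. The new HAL policy also calls `hwbinder_use(hal_fingerprint)`, which suggests the HAL may not register with servicemanager at all; if so, the type and the `find` rule could be dropped rather than left as unused grants. `fingerprintd_service` and its `find` rule stay in place although the description says the code moves away from fingerprintd; a comment such as `# TODO: remove once fingerprintd is gone` next to them would keep the old access from lingering.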
diff --git a/public/system_server.te b/public/system_server.te
index 5cb46d5d3..ee552630b 100644
--- a/public/system_server.te
+++ b/public/system_server.te
@@ -162,6 +162,7 @@ hwbinder_use(system_server)
 binder_call(system_server, hal_bluetooth)
 binder_call(system_server, hal_boot)
 binder_call(system_server, hal_contexthub)
+binder_call(system_server, hal_fingerprint)
 binder_call(system_server, hal_gnss);
 binder_call(system_server, hal_ir)
 binder_call(system_server, hal_light)
@@ -477,6 +478,7 @@ allow system_server cameraserver_service:service_manager find;
 allow system_server drmserver_service:service_manager find;
 allow system_server dumpstate_service:service_manager find;
 allow system_server fingerprintd_service:service_manager find;
+allow system_server hal_fingerprint_service:service_manager find;
 allow system_server gatekeeper_service:service_manager find;
 allow system_server installd_service:service_manager find;
 allow system_server keystore_service:service_manager find;
-- 
GitLab