From 604a8cae620b1bb31e954c54049c22dbd137795c Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 17 Dec 2015 14:02:49 -0800
Subject: [PATCH] fingerprintd.te: neverallow fingerprint data file access

Only fingerprintd should be creating/reading/writing/etc from
/data/system/users/[0-9]+/fpdata(/.*)? . Add a neverallow rule
(compile time assertion + CTS test) to ensure no regressions.

Change-Id: I30261a4bd880f5c4f3d90d1686a6267f60bdd413
---
 fingerprintd.te | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/fingerprintd.te b/fingerprintd.te
index 1c0ab1c9e..41e1aca6b 100644
--- a/fingerprintd.te
+++ b/fingerprintd.te
@@ -21,3 +21,12 @@ allow fingerprintd keystore:keystore_key { add_auth };
 # For permissions checking
 binder_call(fingerprintd, system_server);
 allow fingerprintd permission_service:service_manager find;
+
+###
+### Neverallow rules
+###
+
+# Protect fingerprint data files from access by anything other
+# than fingerprintd and init
+neverallow { domain -fingerprintd -init } fingerprintd_data_file:file
+  { append create link relabelfrom rename setattr write open read ioctl lock };
-- 
GitLab