fingerprintd.te: neverallow fingerprint data file access

Only fingerprintd should be creating/reading/writing/etc from /data/system/users/[0-9]+/fpdata(/.*)? . Add a neverallow rule (compile time assertion + CTS test) to ensure no regressions. Change-Id: I30261a4bd880f5c4f3d90d1686a6267f60bdd413

fingerprintd.te: neverallow fingerprint data file access
604a8cae · Nick Kralevich · 107c5539 · 604a8cae
Commit 604a8cae authored 9 years ago by Nick Kralevich
--- a/fingerprintd.te
+++ b/fingerprintd.te
@@ -21,3 +21,12 @@ allow fingerprintd keystore:keystore_key { add_auth };
 # For permissions checking
 binder_call(fingerprintd, system_server);
 allow fingerprintd permission_service:service_manager find;
+
+###
+### Neverallow rules
+###
+
+# Protect fingerprint data files from access by anything other
+# than fingerprintd and init
+neverallow { domain -fingerprintd -init } fingerprintd_data_file:file
+  { append create link relabelfrom rename setattr write open read ioctl lock };