sepolicy: Fix fingerprint hal denials

2025-10-03 09:49:16 +02:00 · 2018-06-25 22:29:40 +05:30 · 2018-06-25 22:29:40 +05:30 · 17538ad9f2
commit 17538ad9f2
parent cbb745f1c4
11 changed files with 51 additions and 6 deletions
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -1,2 +1,7 @@
-type ir_dev_file, file_type;
+type ir_dev_file, file_type, dev_type;
-type fp_device, file_type;
+
 # Fingerprint
 type fingerprintd_device, file_type, dev_type;
 type fingerprint_data_file, data_file_type, file_type;
 type fingerprint_persist_file, file_type;
 type sysfs_fpc_dev, sysfs_type, fs_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -2,7 +2,7 @@
 /dev/spidev7\.1  u:object_r:ir_dev_file:s0
 # Fingerprint
-/dev/goodix_fp  u:object_r:fp_device:s0
+/dev/goodix_fp  u:object_r:fingerprintd_device:s0
 # HVDCP
 /sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
@ -12,3 +12,14 @@
 # Fingerprint HIDL
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_default_exec:s0
 # Fingerprint
 /data/vendor/fpc(/.*)?                                        u:object_r:fingerprint_data_file:s0
 /data/vendor/goodix(/.*)?                                     u:object_r:fingerprint_data_file:s0
 /data/misc/gf_data(/.*)?                                      u:object_r:fingerprint_data_file:s0
 /data/gf_data(/.*)?                                           u:object_r:fingerprint_data_file:s0
 /data/misc/goodix(/.*)?                                       u:object_r:fingerprint_data_file:s0
 /persist/fpc(/.*)?                                            u:object_r:fingerprint_persist_file:s0
 /sys/devices/soc/soc:fpc1020.*/irq                            u:object_r:sysfs_fpc_dev:s0
 /sys/devices/soc/soc:fpc1020.*/hw_reset                       u:object_r:sysfs_fpc_dev:s0
 /sys/devices/soc/soc:fpc1020.*/wakeup_enable                  u:object_r:sysfs_fpc_dev:s0
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@ -1,11 +1,27 @@
 r_dir_file(hal_fingerprint_default, firmware_file)
 allow hal_fingerprint_default storage_file:dir rw_dir_perms;
 allow hal_fingerprint_default init:unix_stream_socket connectto;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
-allow hal_fingerprint_default fp_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprintd_device:chr_file rw_file_perms;
 allow hal_fingerprint_default hal_perf_hwservice:hwservice_manager find;
 allow hal_fingerprint_default hal_perf_default:binder call;
 allow hal_fingerprint_default sysfs_fpc_dev:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_fpc_dev:file rw_file_perms;
 allow hal_fingerprint_default fingerprint_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
 allow hal_fingerprint_default fingerprint_persist_file:file r_file_perms;
 binder_call(hal_fingerprint_default, goodix_fingerprint_vndservice)
 allow hal_fingerprint_default goodix_fingerprint_vndservice:service_manager add;
 allow hal_fingerprint_default goodixfingerprintd_service:service_manager add;
 allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
 set_prop(hal_fingerprint_default, fingerprint_prop)
--- a/sepolicy/hwservice_contexts
+++ b/sepolicy/hwservice_contexts
@ -0,0 +1 @@
 vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint         u:object_r:hal_fingerprint_hwservice:s0
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@ -0,0 +1 @@
 allow init fingerprintd_device:chr_file setattr;
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@ -0,0 +1,4 @@
 # Fingerprint
 persist.sys.fp.                                               u:object_r:fingerprint_prop:s0
 ro.boot.fp.                                                   u:object_r:fingerprint_prop:s0
 sys.fp.                                                       u:object_r:fingerprint_prop:s0
--- a/sepolicy/service.te
+++ b/sepolicy/service.te
@ -0,0 +1,2 @@
 type goodixfingerprintd_service, service_manager_type;
 type goodix_fingerprint_service, service_manager_type;
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@ -0,0 +1,2 @@
 com.goodix.FingerprintService u:object_r:goodix_fingerprint_service:s0
 android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixfingerprintd_service:s0
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -0,0 +1 @@
 add_service(system_app, goodix_fingerprint_service)
--- a/sepolicy/vndservice.te
+++ b/sepolicy/vndservice.te
@ -0,0 +1 @@
 type goodix_fingerprint_vndservice, vndservice_manager_type;
--- a/sepolicy/vndservice_contexts
+++ b/sepolicy/vndservice_contexts
@ -0,0 +1 @@
 android.hardware.fingerprint.IGoodixFingerprintDaemon    u:object_r:goodix_fingerprint_vndservice:s0
		`@ -0,0 +1 @@`
							`vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0`
		`@ -0,0 +1 @@`
							`allow init fingerprintd_device:chr_file setattr;`
		`@ -0,0 +1,2 @@`
							`type goodixfingerprintd_service, service_manager_type;`
							`type goodix_fingerprint_service, service_manager_type;`
		`@ -0,0 +1,2 @@`
							`com.goodix.FingerprintService u:object_r:goodix_fingerprint_service:s0`
							`android.hardware.fingerprint.IGoodixFingerprintDaemon u:object_r:goodixfingerprintd_service:s0`
		`@ -0,0 +1 @@`
							`add_service(system_app, goodix_fingerprint_service)`
		`@ -0,0 +1 @@`
							`type goodix_fingerprint_vndservice, vndservice_manager_type;`