From 357641de5be92dcf1d452094e564520962cfafc3 Mon Sep 17 00:00:00 2001
From: Marc Bourgoin
Date: Wed, 14 Sep 2022 22:13:09 -0600
Subject: [PATCH] sm7325-common: Address dubai's Egistec UDFPS selinux denials

Change-Id: Ibfd955256d95384bda17ad5404bc269d769ae347
---
 sepolicy/vendor/device.te | 1 +
 sepolicy/vendor/file.te | 1 +
 sepolicy/vendor/file_contexts | 6 +++++-
 sepolicy/vendor/hal_fingerprint_default.te | 4 ++++
 sepolicy/vendor/hwservice_contexts | 1 +
 sepolicy/vendor/tee.te | 2 ++
 sepolicy/vendor/vendor_init_fingerprint.te | 4 +++-
 7 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 sepolicy/vendor/tee.te

diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index 2376d9d..fc470fd 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,4 +1,5 @@
 # Fingerprint
+type egis_device, dev_type;
 type etsd_device, dev_type;
 type goodix_device, dev_type;
 
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 8e72855..c5a1c80 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -10,6 +10,7 @@ type cutback_data_file, file_type, data_file_type;
 type cutback_socket, file_type;
 
 # Fingerprint
+type vendor_persist_egis_file, file_type, vendor_persist_type;
 type vendor_persist_fps_file, file_type, vendor_persist_type;
 
 # Input Devices
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 090aefa..75525fe 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -40,13 +40,17 @@
 /(vendor|system/vendor)/bin/charge_only_mode u:object_r:charge_only_exec:s0
 
 # Fingerprint
+/(mnt/vendor/persist|persist)/egis(/.*)? u:object_r:vendor_persist_egis_file:s0
 /(mnt/vendor/persist|persist)/fps(/.*)? u:object_r:vendor_persist_fps_file:s0
 /(vendor|system/vendor)/bin/fpc_ident u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.3-service\.dubai u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-ets u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.berlin u:object_r:hal_fingerprint_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.dubai u:object_r:hal_fingerprint_default_exec:s0
 /data/vendor/.fps(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/egis(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 /data/vendor/fpc(/.*)? u:object_r:fingerprint_vendor_data_file:s0
 /data/vendor/gf_data(/.*)? u:object_r:fingerprint_vendor_data_file:s0
+/dev/esfp0 u:object_r:egis_device:s0
 /dev/goodix_fp u:object_r:goodix_device:s0
 
 # IFAA
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index 11eba25..e70cf70 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
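Review bot: The entry for `android\.hardware\.biometrics\.fingerprint@2\.1-service\.dubai` is removed in the same hunk that adds the `@2\.3-service\.dubai` and `@2\.1-service-ets` binaries, so a build that still ships the 2.1 dubai binary would leave it labelled as plain vendor_file and it would start without the hal_fingerprint_default domain transition; this should be checked against the vendor blob list, which is not part of this patch. `/data/vendor/egis(/.*)?` reuses `fingerprint_vendor_data_file` next to the fpc and gf_data paths, which looks acceptable as long as one hal_fingerprint_default domain serves every sensor, but a comment such as `# All UDFPS vendors share one data label because one HAL domain serves them all` would make that intent explicit before the next sensor is added.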
@@ -1,13 +1,17 @@
 allow hal_fingerprint_default {
 etsd_device
+egis_device
 goodix_device
 tee_device
 }: chr_file rw_file_perms;
+allow hal_fingerprint_default self:binder { call transfer };
 allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
 r_dir_file(hal_fingerprint_default, firmware_file)
 get_prop(hal_fingerprint_default, build_bootimage_prop)
 set_prop(hal_fingerprint_default, vendor_mot_fingerprint_prop)
+allow hal_fingerprint_default vendor_sysfs_battery_supply:dir r_dir_perms;
+allow hal_fingerprint_default vendor_sysfs_battery_supply:file r_file_perms;
 allow hal_fingerprint_default vendor_sysfs_fingerprint:dir r_dir_perms;
 allow hal_fingerprint_default vendor_sysfs_fingerprint:file rw_file_perms;
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index 4bf62a9..c84a906 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -4,6 +4,7 @@ motorola.hardware.camera.desktop::ICameraDesktop u:object
 # Fingerprint
 com.motorola.hardware.biometric.fingerprint::IMotoFingerPrint u:object_r:hal_fingerprint_hwservice:s0
 com.motorola.hardware.biometric.fingerprint::IMotoFingerPrintSensorTest u:object_r:hal_fingerprint_hwservice:s0
+vendor.egistec.hardware.fingerprint::IBiometricsFingerprintRbs u:object_r:hal_fingerprint_hwservice:s0
 
 # IFAA
 vendor.zui.hardware.ifaa::IIFAADevice u:object_r:hal_ifaa_hwservice:s0
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
new file mode 100644
index 0000000..82b18f8
--- /dev/null
+++ b/sepolicy/vendor/tee.te
@@ -0,0 +1,2 @@
+allow tee vendor_persist_egis_file:dir rw_dir_perms;
+allow tee vendor_persist_egis_file:file create_file_perms;
diff --git a/sepolicy/vendor/vendor_init_fingerprint.te b/sepolicy/vendor/vendor_init_fingerprint.te
index 743ef31..e1ccdd7 100644
--- a/sepolicy/vendor/vendor_init_fingerprint.te
+++ b/sepolicy/vendor/vendor_init_fingerprint.te
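Review bot: The two `vendor_sysfs_battery_supply` rules give the fingerprint HAL read access to battery sysfs with no note on why a biometrics HAL needs it; a comment such as `# Egis HAL reads charger state from power_supply sysfs (seen in the dubai denials)` would keep a later reviewer from treating it as over-permission, with the exact reason taken from the denial log rather than guessed. `allow hal_fingerprint_default self:binder { call transfer };` may already be granted by the macro the domain is declared with elsewhere (the declaration is outside this hunk), so it is worth checking with `sesearch` before keeping a duplicate rule. As a style point, `egis_device` is inserted after `etsd_device` while the rest of the brace list is alphabetical.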
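Review bot: The new tee.te gives the TEE daemon `create_file_perms` on `vendor_persist_egis_file`, which in the Android global macros also carries `unlink`, `rename` and `setattr`; if the dubai denials only showed create/read/write, `{ create rw_file_perms }` would be the tighter grant, and the same applies to the matching vendor_init_fingerprint rules in the last file of this patch. The file also has no comment explaining why two domains write the same persist directory; a header such as `# Egistec UDFPS persist data; written by the TEE daemon and the fingerprint init helper` (purpose inferred from the commit message, confirm against the denial log) would help the next reader.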
@@ -5,6 +5,8 @@ init_daemon_domain(vendor_init_fingerprint)
 allow vendor_init_fingerprint self:capability { kill sys_module };
 allow vendor_init_fingerprint vendor_file:system module_load;
 allow vendor_init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+allow vendor_init_fingerprint vendor_persist_egis_file:file create_file_perms;
+allow vendor_init_fingerprint vendor_persist_egis_file:dir rw_dir_perms;
 allow vendor_init_fingerprint vendor_persist_fps_file:file create_file_perms;
 allow vendor_init_fingerprint vendor_persist_fps_file:dir rw_dir_perms;
 allow vendor_init_fingerprint mnt_vendor_file:dir search;
@@ -12,4 +14,4 @@ allow vendor_init_fingerprint mnt_vendor_file:dir search;
 set_prop(vendor_init_fingerprint, ctl_start_prop)
 set_prop(vendor_init_fingerprint, vendor_mot_fingerprint_prop)
-allow vendor_init_fingerprint vendor_file:file execute_no_trans;
\ No newline at end of file
+allow vendor_init_fingerprint vendor_file:file execute_no_trans;