android_system_sepolicy/public/hal_fingerprint.te

# HwBinder IPC from client to server, and callbacks
binder_call(hal_fingerprint_client, hal_fingerprint_server)
binder_call(hal_fingerprint_server, hal_fingerprint_client)

hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)

# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;

allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };
allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;

r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, sysfs)
Switch Fingerprint HAL policy to _client/_server This switches Fingerprint HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Bluetooth HAL. Domains which are clients of Fingerprint HAL, such as system_server domain, are granted rules targeting hal_fingerprint only when the Fingerprint HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_fingerprint are not granted to client domains. Domains which offer a binderized implementation of Fingerprint HAL, such as hal_fingerprint_default domain, are always granted rules targeting hal_fingerprint. NOTE: This commit also removes unnecessary allow rules from Fingerprint HAL, such access to servicemanager (not hwservicemanager) and access to keystore daemon over Binder IPC. Fingerprint HAL does not use this functionality anyway and shouldn't use it either. Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks with fingerprint or PIN Test: Disable PIN (and thus fingerprint) secure lock screen Test: make FingerprintDialog, install, make a fake purchase Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device, adb shell stop, adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass Bug: 34170079 Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1 2017-02-21 15:35:16 -08:00			`# HwBinder IPC from client to server, and callbacks`
			`binder_call(hal_fingerprint_client, hal_fingerprint_server)`
			`binder_call(hal_fingerprint_server, hal_fingerprint_client)`

hal_attribute_hwservice_client drop '_client' Since this attribute just associates a hal_attribute with a given hwservice in the standard way. Bug: 80319537 Test: boot + sanity + test for denials Change-Id: I545de165515387317e6920ce8f5e8c491f9ab24e 2018-06-06 09:30:18 -07:00			`hal_attribute_hwservice(hal_fingerprint, hal_fingerprint_hwservice)`
Restrict access to hwservicemanager This adds fine-grained policy about who can register and find which HwBinder services in hwservicemanager. Test: Play movie in Netflix and Google Play Movies Test: Play video in YouTube app and YouTube web page Test: In Google Camera app, take photo (HDR+ and conventional), record video (slow motion and normal), and check that photos look fine and videos play back with sound. Test: Cast screen to a Google Cast device Test: Get location fix in Google Maps Test: Make and receive a phone call, check that sound works both ways and that disconnecting the call frome either end works fine. Test: Run RsHelloCompute RenderScript demo app Test: Run fast subset of media CTS tests: make and install CtsMediaTestCases.apk adb shell am instrument -e size small \ -w 'android.media.cts/android.support.test.runner.AndroidJUnitRunner' Test: Play music using Google Play music Test: Adjust screen brightness via the slider in Quick Settings Test: adb bugreport Test: Enroll in fingerprint screen unlock, unlock screen using fingerprint Test: Apply OTA update: Make some visible change, e.g., rename Settings app. make otatools && \ make dist Ensure device has network connectivity ota_call.py -s <serial here> --file out/dist/sailfish-ota-*.zip Confirm the change is now live on the device Bug: 34454312 (cherry picked from commit 632bc494f199d9d85c37c1751667fe41f4b094cb) Merged-In: Iecf74000e6c68f01299667486f3c767912c076d3 Change-Id: I7a9a487beaf6f30c52ce08e04d415624da49dd31 2017-04-13 19:05:27 -07:00
New SeLinux policy for fingerprint HIDL Move from fingerprintd to new fingerprint_hal and update SeLinux policy. Test: Boot with no errors related to fingerprint sepolicy Bug: 33199080 Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6 2016-12-15 19:46:43 -08:00			`# For memory allocation`
			`allow hal_fingerprint ion_device:chr_file r_file_perms;`

Revert "Add placeholder iris and face policy for vold data directory" This reverts commit 92bde4b941b7078a5fdf8aec6660ca44d0ffbb49. Reason for revert: Rebooting after OTA fails due to the filesystem still seeing the old label on the device. Bug: 116528212 Bug: 119747564 Change-Id: Ib5f920f85c7e305e89c377369dca038d2c6c738c Test: rollback change 2018-11-19 10:42:11 -08:00			`allow hal_fingerprint fingerprint_vendor_data_file:file { create_file_perms };`
			`allow hal_fingerprint fingerprint_vendor_data_file:dir rw_dir_perms;`
Fingerprint data is now stored in one of two ways depending on the shipping API version: For devices shipped on O-MR1 nothing changes, data is stored under /data/system/users/<user-id>/fpdata/... Devices shipped from now on will instead store fingerprint data under /data/vendor_de/<user-id>/fpdata. Support for /data/vendor_de and /data/vendor_ce has been added to vold. Bug: 36997597 Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514 Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514 Test: manually (cherry picked from commit 6116daa71a226dc848978717064b805272801ff4) 2018-01-22 13:24:10 -08:00
New SeLinux policy for fingerprint HIDL Move from fingerprintd to new fingerprint_hal and update SeLinux policy. Test: Boot with no errors related to fingerprint sepolicy Bug: 33199080 Change-Id: Idfde0cb0530e75e705033042f64f3040f6df22d6 2016-12-15 19:46:43 -08:00			`r_dir_file(hal_fingerprint, cgroup)`
hal_fingerprint: grant read access to /sys avc: denied { read } for name="modalias" dev="sysfs" ino=17624 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:sysfs:s0 tclass=file Test: Marlin builds and boots without this denial. Bug: 35197529 Change-Id: I3b64db571ac10c843f3765ed557ceac07bc6580e 2017-02-10 13:20:52 -08:00			`r_dir_file(hal_fingerprint, sysfs)`
Fingerprint data is now stored in one of two ways depending on the shipping API version: For devices shipped on O-MR1 nothing changes, data is stored under /data/system/users/<user-id>/fpdata/... Devices shipped from now on will instead store fingerprint data under /data/vendor_de/<user-id>/fpdata. Support for /data/vendor_de and /data/vendor_ce has been added to vold. Bug: 36997597 Change-Id: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514 Merged-In: Ibc7cc33b756f64abe68a749c0ada0ca4f6d92514 Test: manually (cherry picked from commit 6116daa71a226dc848978717064b805272801ff4) 2018-01-22 13:24:10 -08:00