sm6375-common: sepolicy: Fix fingerprint labels

Also incorporate fix from 839b9cd5a2 (commitcomment-99088748) Change-Id: I66188247ce9268929763236c0ac2fa483273f1cc Signed-off-by: Ahmad Rulim <personal@rulim34.dev>
2026-01-27 16:47:35 +00:00 · 2022-06-17 22:57:27 +03:00
parent 5764745153
commit b58a74ac4f
5 changed files with 45 additions and 36 deletions
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -2,7 +2,7 @@
 type sound_device, dev_type;

 # Fingerprint device
-type vendor_fingerprint_device, dev_type;
+type fingerprint_device, dev_type;

 # IR device
 type ir_spi_device, dev_type;
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -8,7 +8,7 @@ type persist_subsys_file, vendor_persist_type, file_type;
 type camera_persist_file, vendor_persist_type, file_type;

 # Fingerprint
-type vendor_fingerprint_data_file, data_file_type, file_type;
+type fingerprint_data_file, data_file_type, core_data_file_type, file_type;

 # Thermal
 type thermal_data_file, data_file_type, file_type;
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -21,18 +21,18 @@
 /mnt/vendor/dsp/fastrpc_shell_3                 u:object_r:public_adsprpcd_file:s0

 # Fingerprint
-/dev/goodix_fp                                  u:object_r:vendor_fingerprint_device:s0
-/dev/silead_fp                                  u:object_r:vendor_fingerprint_device:s0
-/dev/silead_s.*                                 u:object_r:vendor_fingerprint_device:s0
-/dev/silead_stub                                u:object_r:vendor_fingerprint_device:s0
-/dev/spidev.*                                   u:object_r:vendor_fingerprint_device:s0
-/data/vendor/fpc(/.*)?                          u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/fpdump(/.*)?                       u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/goodix(/.*)?                       u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/goodix/gf_data(/.*)?               u:object_r:vendor_fingerprint_data_file:s0
-/data/vendor/silead(/.*)?                       u:object_r:vendor_fingerprint_data_file:s0
-/mnt/vendor/persist/silead(/.*)?                u:object_r:vendor_fingerprint_data_file:s0
-/mnt/vendor/persist/goodix(/.*)?                u:object_r:vendor_fingerprint_data_file:s0
+/dev/goodix_fp                                  u:object_r:fingerprint_device:s0
+/dev/silead_fp                                  u:object_r:fingerprint_device:s0
+/dev/silead_s.*                                 u:object_r:fingerprint_device:s0
+/dev/silead_stub                                u:object_r:fingerprint_device:s0
+/dev/spidev.*                                   u:object_r:fingerprint_device:s0
+/data/gf_data(/.*)?                             u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc(/.*)?                          u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/fpdump(/.*)?                       u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)?                       u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor_de/[0-9]+/goodix(/.*)?             u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix/gf_data(/.*)?               u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/silead(/.*)?                       u:object_r:fingerprint_vendor_data_file:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2.3-service\.xiaomi   u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/vendor\.silead\.hardware\.fingerprintext@1\.0-service            u:object_r:hal_fingerprint_default_exec:s0

--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -1,17 +1,24 @@
+typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
+
 # Binder
 allow hal_fingerprint_default vendor_hal_perf_default:binder call;
 allow hal_fingerprint_default vendor_hal_perf_hwservice:hwservice_manager find;

-# Props
-set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
+# Data
+allow hal_fingerprint_default fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
+
+# Dev nodes
+allow hal_fingerprint_default {
+  fingerprint_device
+  input_device
+  tee_device
+  uhid_device
+}: chr_file rw_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;

 # Sysfs
-allow hal_fingerprint_default {
-  sysfs_rtc
-  vendor_sysfs_fingerprint
-  vendor_sysfs_spss
-}: file rw_file_perms;
-
 allow hal_fingerprint_default {
  input_device
  sysfs_rtc
@@ -19,18 +26,13 @@ allow hal_fingerprint_default {
  vendor_sysfs_spss
 }: dir r_dir_perms;

-# Dev nodes
 allow hal_fingerprint_default {
-  input_device
-  tee_device
-  uhid_device
-  vendor_fingerprint_device
-}: chr_file rw_file_perms;
-
-# Data
-allow hal_fingerprint_default vendor_fingerprint_data_file:dir rw_dir_perms;
-allow hal_fingerprint_default vendor_fingerprint_data_file:file create_file_perms;
-
-allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+  sysfs_rtc
+  vendor_sysfs_fingerprint
+  vendor_sysfs_spss
+}: file rw_file_perms;

 r_dir_file(hal_fingerprint_default, firmware_file)
+
+# Props
+set_prop(hal_fingerprint_default, vendor_fingerprint_prop)
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -1,2 +1,9 @@
-allow tee vendor_fingerprint_data_file:dir create_dir_perms;
-allow tee vendor_fingerprint_data_file:file create_file_perms;
+typeattribute tee data_between_core_and_vendor_violators;
+
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee {
+  fingerprint_data_file
+  mnt_vendor_file
+}:file create_file_perms;
+
+allow tee mnt_vendor_file:dir rw_dir_perms;