land: Initial sepolicy

sepolicy/device.te

@@ -0,0 +1,2 @@
+type gx_fpd_device, dev_type;
+type lirc_device, dev_type;

sepolicy/file.te

@@ -0,0 +1,5 @@
+type fpc_data_file, file_type, data_file_type;
+type fpce_socket, file_type;
+type fpc_sysfs, fs_type, sysfs_type;
+type netmgrd_data_file, file_type;
+type gx_fpd_data_file, file_type, data_file_type;

sepolicy/file_contexts

@@ -0,0 +1,24 @@
+# Block devices
+/dev/block/bootdevice/by-name/persist		u:object_r:persist_block_device:s0
+/dev/block/bootdevice/by-name/userdata          u:object_r:userdata_block_device:s0
+
+# Data files
+/data/misc/netmgr/log\.txt			u:object_r:netmgrd_data_file:s0
+
+# Fpc Fingerprint
+/data/fpc(/.*)?					u:object_r:fpc_data_file:s0
+/dev/socket/fpce(/.*)?				u:object_r:fpce_socket:s0
+/sys/devices/soc/soc:fpc1020(/.*)?		u:object_r:fpc_sysfs:s0
+
+# For Goodix fingerprint
+/dev/gf66xx-spi                                 u:object_r:gx_fpd_device:s0
+/dev/ttyACM[0-9]*                               u:object_r:gx_fpd_device:s0
+/dev/goodix_fp*                                 u:object_r:gx_fpd_device:s0
+/system/bin/gx_fpd                              u:object_r:gx_fpd_exec:s0
+
+# Goodix Fingerprint data
+/data/system/fingerprint(/.*)?                  u:object_r:gx_fpd_data_file:s0
+/persist/data/gxfp(/.*)?                        u:object_r:gx_fpd_data_file:s0
+
+# Ir
+/dev/lirc[0-9]*					u:object_r:lirc_device:s0

sepolicy/fingerprintd.te

@@ -0,0 +1,11 @@
+allow fingerprintd gx_fpd:binder { transfer call };
+allow fingerprintd gx_fpd_service:service_manager find;
+allow fingerprintd fingerprint_service:service_manager find;
+allow fingerprintd fpc_sysfs:file rw_file_perms;
+allow fingerprintd fpc_sysfs:dir rw_dir_perms;
+allow fingerprintd tee_device:chr_file rw_file_perms;
+allow fingerprintd uhid_device:chr_file rw_file_perms;
+allow fingerprintd fpc_data_file:dir rw_dir_perms;
+allow fingerprintd fpc_data_file:sock_file create_file_perms;
+set_prop(fingerprintd, system_prop)
+r_dir_file(fingerprintd, firmware_file)

sepolicy/fsck.te

@@ -0,0 +1 @@
+allow fsck persist_block_device:blk_file rw_file_perms;

sepolicy/gx_fpd.te

@@ -0,0 +1,49 @@
+type gx_fpd, domain;
+type gx_fpd_exec, exec_type, file_type;
+
+# gx_fpd
+init_daemon_domain(gx_fpd)
+binder_use(gx_fpd)
+
+# need to find KeyStore and add self
+allow gx_fpd fingerprintd_service:service_manager { add find };
+
+# allow HAL module to read dir contents
+allow gx_fpd gx_fpd_data_file:file create_file_perms;
+
+# allow HAL module to read/write/unlink contents of this dir
+allow gx_fpd gx_fpd_data_file:dir create_dir_perms;
+
+# Need to add auth tokens to KeyStore
+use_keystore(gx_fpd)
+allow gx_fpd keystore:keystore_key { add_auth };
+
+# For permissions checking
+binder_call(gx_fpd, system_server);
+allow gx_fpd permission_service:service_manager find;
+
+#Allow access to goodix device
+allow gx_fpd gx_fpd_device:chr_file rw_file_perms;
+
+#Allow access to tee device
+allow gx_fpd tee_device:chr_file rw_file_perms;
+
+# Allow access to ion device
+allow gx_fpd ion_device:chr_file rw_file_perms;
+
+#allow create socket
+allow gx_fpd self:socket create_socket_perms;
+allow gx_fpd self:{ netlink_socket netlink_generic_socket } create_socket_perms;
+
+#allow read/write property
+set_prop(gx_fpd, system_prop)
+
+allow gx_fpd gx_fpd_service:service_manager { add find };
+
+allow gx_fpd fingerprintd:binder { transfer call };
+allow gx_fpd fuse:dir search;
+allow gx_fpd fuse:file { getattr open append };
+allow gx_fpd self:capability dac_override;
+allow gx_fpd storage_file:dir search;
+allow gx_fpd storage_file:lnk_file read;
+r_dir_file(gx_fpd, firmware_file)

sepolicy/netmgrd.te

@@ -0,0 +1,4 @@
+type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
+
+allow netmgrd self:capability dac_override;
+allow netmgrd netmgrd_data_file:file create_file_perms;

sepolicy/qti_init_shell.te

@@ -0,0 +1,2 @@
+allow qti_init_shell bluetooth_data_file:file r_file_perms;
+allow qti_init_shell bluetooth_loader_exec:file { read open };

sepolicy/service.te

@@ -0,0 +1 @@
+type gx_fpd_service, service_manager_type;

sepolicy/service_contexts

@@ -0,0 +1 @@
+goodix.fp                        u:object_r:gx_fpd_service:s0

sepolicy/system_server.te

@@ -0,0 +1 @@
+allow system_server lirc_device:chr_file rw_file_perms;

sepolicy/tee.te

@@ -0,0 +1,6 @@
+# /data/goodix labeling
+type_transition tee system_data_file:{ dir file } gx_fpd_data_file;
+
+allow tee gx_fpd_data_file:dir create_dir_perms;
+allow tee gx_fpd_data_file:file create_file_perms;
+allow tee system_data_file:dir create_dir_perms;

sepolicy/ueventd.te

@@ -0,0 +1 @@
+allow ueventd fpc_sysfs:file rw_file_perms;