msm8937-common: sepolicy: Initial O denial

Signed-off-by: Isaac Chen <isaacchen@isaacchen.cn>

biometrics/fingerprintd/IFingerprintDaemon.cpp

@@ -329,6 +329,6 @@ class BpFingerprintDaemon : public BpInterface<IFingerprintDaemon> {
         }
 };
 
-IMPLEMENT_META_INTERFACE(FingerprintDaemon, "android.hardware.fingerprint.IFingerprintDaemon");
+IMPLEMENT_META_INTERFACE(FingerprintDaemon, "android.hardware.fingerprint.IFingerprintCustomDaemon");
 
 }; // namespace android

sepolicy/camera.te

@@ -0,0 +1 @@
+allow mm-qcamerad { sysfs sysfs_graphics }:file r_file_perms;

sepolicy/file.te

@@ -1,5 +1,4 @@
 type fpc_data_file, file_type, data_file_type;
 type fpce_socket, file_type;
 type fpc_sysfs, fs_type, sysfs_type;
-type netmgrd_data_file, file_type;
 type gx_fpd_data_file, file_type, data_file_type;

sepolicy/file_contexts

@@ -5,9 +5,6 @@
 /dev/block/bootdevice/by-name/persist		u:object_r:persist_block_device:s0
 /dev/block/bootdevice/by-name/userdata          u:object_r:userdata_block_device:s0
 
-# Data files
-/data/misc/netmgr/log\.txt			u:object_r:netmgrd_data_file:s0
-
 # Fpc Fingerprint
 /data/fpc(/.*)?					u:object_r:fpc_data_file:s0
 /dev/socket/fpce(/.*)?				u:object_r:fpce_socket:s0
@@ -17,7 +14,7 @@
 /dev/gf66xx-spi                                 u:object_r:gx_fpd_device:s0
 /dev/ttyACM[0-9]*                               u:object_r:gx_fpd_device:s0
 /dev/goodix_fp*                                 u:object_r:gx_fpd_device:s0
-/system/bin/gx_fpd                              u:object_r:gx_fpd_exec:s0
+/(vendor|system/vendor)/bin/gx_fpd              u:object_r:gx_fpd_exec:s0
 
 # Goodix Fingerprint data
 /data/system/fingerprint(/.*)?                  u:object_r:gx_fpd_data_file:s0
@@ -25,3 +22,6 @@
 
 # Ir
 /dev/lirc[0-9]*					u:object_r:lirc_device:s0
+
+# Light
+/sys/devices/soc/78b6000\.i2c/i2c-2/2-[0-9a-f]+/leds(/.*)?    u:object_r:sysfs_leds:s0

sepolicy/fingerprintd.te

@@ -1,12 +0,0 @@
-allow fingerprintd gx_fpd:binder { transfer call };
-allow fingerprintd gx_fpd_service:service_manager find;
-allow fingerprintd fingerprint_service:service_manager find;
-allow fingerprintd fpc_sysfs:file rw_file_perms;
-allow fingerprintd fpc_sysfs:dir rw_dir_perms;
-allow fingerprintd tee_device:chr_file rw_file_perms;
-allow fingerprintd uhid_device:chr_file rw_file_perms;
-allow fingerprintd fpc_data_file:dir rw_dir_perms;
-allow fingerprintd fpc_data_file:sock_file create_file_perms;
-allow fingerprintd storage_file:dir search;
-set_prop(fingerprintd, system_prop)
-r_dir_file(fingerprintd, firmware_file)

sepolicy/fsck.te

@@ -1 +1,3 @@
 allow fsck persist_block_device:blk_file rw_file_perms;
+
+dontaudit fsck block_device:blk_file rw_file_perms;

sepolicy/gx_fpd.te

@@ -6,7 +6,7 @@ init_daemon_domain(gx_fpd)
 binder_use(gx_fpd)
 
 # need to find KeyStore and add self
-allow gx_fpd fingerprintd_service:service_manager { add find };
+add_service(hal_fingerprint_default, gx_fpd)
 
 # allow HAL module to read dir contents
 allow gx_fpd gx_fpd_data_file:file create_file_perms;
@@ -32,8 +32,8 @@ allow gx_fpd tee_device:chr_file rw_file_perms;
 allow gx_fpd ion_device:chr_file rw_file_perms;
 
 #allow create socket
-allow gx_fpd self:socket create_socket_perms;
+allow gx_fpd self:socket create_socket_perms_no_ioctl;
-allow gx_fpd self:{ netlink_socket netlink_generic_socket } create_socket_perms;
+allow gx_fpd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
 
 #allow read/write property
 set_prop(gx_fpd, system_prop)

sepolicy/hal_camera_default.te

@@ -0,0 +1 @@
+allow hal_camera_default camera_data_file:sock_file rw_file_perms;

sepolicy/hal_fingerprint_default.te

@@ -0,0 +1,21 @@
+binder_use(hal_fingerprint_default)
+add_service(hal_fingerprint_default, hal_fingerprint_service)
+binder_call(hal_fingerprint_default, gx_fpd)
+
+allow hal_fingerprint_default gx_fpd_service:service_manager find;
+
+allow gx_fpd hal_fingerprint_default:binder call;
+
+allow hal_fingerprint_default fingerprint_service:service_manager find;
+allow hal_fingerprint_default keystore_service:service_manager find;
+
+allow hal_fingerprint_default fpc_sysfs:file rw_file_perms;
+allow hal_fingerprint_default fpc_sysfs:dir rw_dir_perms;
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fpc_data_file:sock_file create_file_perms;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
+
+use_keystore(hal_fingerprint_default)

sepolicy/netmgrd.te

@@ -1,3 +0,0 @@
-type_transition netmgrd system_data_file:file netmgrd_data_file "log.txt";
-
-allow netmgrd netmgrd_data_file:file create_file_perms;

sepolicy/qti_init_shell.te

@@ -1,3 +1,4 @@
 allow qti_init_shell bluetooth_data_file:file r_file_perms;
 allow qti_init_shell bluetooth_loader_exec:file { read open };
 allow qti_init_shell proc:dir setattr;
+allow qti_init_shell sysfs:file write;

sepolicy/rild.te

@@ -0,0 +1 @@
+allow rild vendor_file:file ioctl;

sepolicy/service_contexts

@@ -1 +1,2 @@
 goodix.fp                        u:object_r:gx_fpd_service:s0
+android.hardware.fingerprint.IFingerprintCustomDaemon u:object_r:hal_fingerprint_service:s0