Martijn Coenen a85558ea52 msm8937-common: Add selinux/private/service_contexts.
This makes sure that the remaining binder services
for radio end up in plat_service_contexts.

That in turn allows us to enforce that servicemanager
will only serve services from plat_service_contexts
on FULL_TREBLE devices.

Bug: 36866029
Test: boot, verify radio services still work
Change-Id: Ib67b3a03e5599484c5c4fb27a0f323a37dd51636
Signed-off-by: Isaac Chen <isaacchen@isaacchen.cn>
2018-07-09 00:00:21 +08:00


# Goodix fingerprint daemon (gx_fpd).
# Vendor domain that talks to framework services over binder, hence the
# binder_in_vendor_violators attribute.
type gx_fpd, domain, binder_in_vendor_violators;
type gx_fpd_exec, exec_type, vendor_file_type, file_type;

# Launched by init as a daemon; uses binder as a client.
init_daemon_domain(gx_fpd)
binder_use(gx_fpd)

# Service manager: register and look up gx_fpd_service.
allow gx_fpd gx_fpd_service:service_manager { add find };
# NOTE(review): add_service() takes the registering domain first and the
# service type second; here the first argument is the hal_fingerprint_default
# domain and the second is the gx_fpd domain itself. Confirm this pairing is
# intended -- the explicit gx_fpd_service rule above is what lets gx_fpd
# register.
add_service(hal_fingerprint_default, gx_fpd)

# Private data directory: create/read/write/unlink files and manage the dir.
allow gx_fpd gx_fpd_data_file:dir create_dir_perms;
allow gx_fpd gx_fpd_data_file:file create_file_perms;

# KeyStore: needed to add auth tokens.
use_keystore(gx_fpd)
allow gx_fpd keystore:keystore_key add_auth;

# Permission checks go through system_server; also find permission_service.
binder_call(gx_fpd, system_server);
allow gx_fpd permission_service:service_manager find;

# Talks to the legacy fingerprintd over binder.
allow gx_fpd fingerprintd:binder { transfer call };

# Character devices: goodix sensor, TEE and ion.
allow gx_fpd { gx_fpd_device tee_device ion_device }:chr_file rw_file_perms;

# Generic and netlink sockets (no ioctl).
allow gx_fpd self:{ socket netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;

# Property access.
# NOTE(review): this writes system_prop from a vendor domain; confirm which
# property is needed and whether a vendor-owned property type would suffice.
set_prop(gx_fpd, system_prop)

# Directory traversal on fuse, external storage and tmpfs; read storage links
# and append to files under fuse.
allow gx_fpd { fuse storage_file tmpfs }:dir search;
allow gx_fpd storage_file:lnk_file read;
allow gx_fpd fuse:file { getattr open append };

# Read firmware blobs.
r_dir_file(gx_fpd, firmware_file)

# NOTE(review): dac_override lets the daemon bypass DAC ownership/mode checks
# on every path it touches; confirm which file access needs it and whether
# fixing ownership of that path would let this grant be dropped.
allow gx_fpd self:capability dac_override;