platform_system_sepolicy/public/hal_fingerprint.te

16 lines
560 B
Text
Raw Normal View History

Switch Fingerprint HAL policy to _client/_server This switches Fingerprint HAL policy to the design which enables us to conditionally remove unnecessary rules from domains which are clients of Bluetooth HAL. Domains which are clients of Fingerprint HAL, such as system_server domain, are granted rules targeting hal_fingerprint only when the Fingerprint HAL runs in passthrough mode (i.e., inside the client's process). When the HAL runs in binderized mode (i.e., in another process/domain, with clients talking to the HAL over HwBinder IPC), rules targeting hal_fingerprint are not granted to client domains. Domains which offer a binderized implementation of Fingerprint HAL, such as hal_fingerprint_default domain, are always granted rules targeting hal_fingerprint. NOTE: This commit also removes unnecessary allow rules from Fingerprint HAL, such access to servicemanager (not hwservicemanager) and access to keystore daemon over Binder IPC. Fingerprint HAL does not use this functionality anyway and shouldn't use it either. Test: Enable fingerprint + PIN secure lock screen, confirm it unlocks with fingerprint or PIN Test: Disable PIN (and thus fingerprint) secure lock screen Test: make FingerprintDialog, install, make a fake purchase Test: Add fingerprint_hidl_hal_test to device.mk, build & add to device, adb shell stop, adb shell /data/nativetest64/fingerprint_hidl_hal_test/fingerprint_hidl_hal_test -- all tests pass Bug: 34170079 Change-Id: I6951c0f0640194c743ff7049357c77f5f21b71a1
2017-02-22 00:35:16 +01:00
# HwBinder IPC from client to server, and callbacks
binder_call(hal_fingerprint_client, hal_fingerprint_server)
binder_call(hal_fingerprint_server, hal_fingerprint_client)
# allow HAL module to read dir contents
allow hal_fingerprint fingerprintd_data_file:file create_file_perms;
# allow HAL module to read/write/unlink contents of this dir
allow hal_fingerprint fingerprintd_data_file:dir rw_dir_perms;
# For memory allocation
allow hal_fingerprint ion_device:chr_file r_file_perms;
r_dir_file(hal_fingerprint, cgroup)
r_dir_file(hal_fingerprint, sysfs)