From 893272d883b87869033071846f8883794833b4f4 Mon Sep 17 00:00:00 2001 From: Zachary Iqbal Date: Thu, 24 May 2018 00:59:40 -0700 Subject: [PATCH] Added placeholder SELinux policy for the biometric face HAL. Notes: - Added face hal domain, context and file types for the default SELinux policy. - Please see aosp/q/topic:"Face+Authentication" Bug: 80155388 Test: Built successfully. Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a --- private/compat/28.0/28.0.ignore.cil | 1 + private/hwservice_contexts | 1 + private/system_server.te | 1 + public/attributes | 1 + public/hal_face.te | 12 ++++++++++++ public/hwservice.te | 1 + vendor/hal_face_default.te | 5 +++++ 7 files changed, 22 insertions(+) create mode 100644 public/hal_face.te create mode 100644 vendor/hal_face_default.te diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil index 9df4f120d..824761481 100644 --- a/private/compat/28.0/28.0.ignore.cil +++ b/private/compat/28.0/28.0.ignore.cil @@ -35,6 +35,7 @@ fwk_stats_hwservice color_display_service hal_atrace_hwservice + hal_face_hwservice hal_health_storage_hwservice hal_power_stats_hwservice hal_system_suspend_default diff --git a/private/hwservice_contexts b/private/hwservice_contexts index f64eccd0b..1fead4098 100644 --- a/private/hwservice_contexts +++ b/private/hwservice_contexts @@ -10,6 +10,7 @@ android.hardware.authsecret::IAuthSecret u:object_r:hal_a android.hardware.automotive.audiocontrol::IAudioControl u:object_r:hal_audiocontrol_hwservice:s0 android.hardware.automotive.evs::IEvsEnumerator u:object_r:hal_evs_hwservice:s0 android.hardware.automotive.vehicle::IVehicle u:object_r:hal_vehicle_hwservice:s0 +android.hardware.biometrics.face::IBiometricsFace u:object_r:hal_face_hwservice:s0 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0 android.hardware.bluetooth::IBluetoothHci u:object_r:hal_bluetooth_hwservice:s0 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload u:object_r:hal_audio_hwservice:s0 diff --git a/private/system_server.te b/private/system_server.te index ed864f589..b8e051117 100644 --- a/private/system_server.te +++ b/private/system_server.te @@ -205,6 +205,7 @@ hal_client_domain(system_server, hal_authsecret) hal_client_domain(system_server, hal_broadcastradio) hal_client_domain(system_server, hal_configstore) hal_client_domain(system_server, hal_contexthub) +hal_client_domain(system_server, hal_face) hal_client_domain(system_server, hal_fingerprint) hal_client_domain(system_server, hal_gnss) hal_client_domain(system_server, hal_graphics_allocator) diff --git a/public/attributes b/public/attributes index 37c2b94c0..bc3723c5f 100644 --- a/public/attributes +++ b/public/attributes @@ -258,6 +258,7 @@ hal_attribute(contexthub); hal_attribute(drm); hal_attribute(dumpstate); hal_attribute(evs); +hal_attribute(face); hal_attribute(fingerprint); hal_attribute(gatekeeper); hal_attribute(gnss); diff --git a/public/hal_face.te b/public/hal_face.te new file mode 100644 index 000000000..b25058642 --- /dev/null +++ b/public/hal_face.te @@ -0,0 +1,12 @@ +# Allow HwBinder IPC from client to server, and vice versa for callbacks. +binder_call(hal_face_client, hal_face_server) +binder_call(hal_face_server, hal_face_client) + +hal_attribute_hwservice(hal_face, hal_face_hwservice) + +# Allow access to the ion memory allocation device. +allow hal_face ion_device:chr_file r_file_perms; + +# Allow read/write access to the face template directory. +allow hal_face face_vendor_data_file:file create_file_perms; +allow hal_face face_vendor_data_file:dir rw_dir_perms; diff --git a/public/hwservice.te b/public/hwservice.te index 09808b33a..a51198164 100644 --- a/public/hwservice.te +++ b/public/hwservice.te @@ -20,6 +20,7 @@ type hal_drm_hwservice, hwservice_manager_type; type hal_cas_hwservice, hwservice_manager_type; type hal_dumpstate_hwservice, hwservice_manager_type; type hal_evs_hwservice, hwservice_manager_type; +type hal_face_hwservice, hwservice_manager_type; type hal_fingerprint_hwservice, hwservice_manager_type; type hal_gatekeeper_hwservice, hwservice_manager_type; type hal_gnss_hwservice, hwservice_manager_type; diff --git a/vendor/hal_face_default.te b/vendor/hal_face_default.te new file mode 100644 index 000000000..891d1f4fd --- /dev/null +++ b/vendor/hal_face_default.te @@ -0,0 +1,5 @@ +type hal_face_default, domain; +hal_server_domain(hal_face_default, hal_face) + +type hal_face_default_exec, exec_type, vendor_file_type, file_type; +init_daemon_domain(hal_face_default)