Added placeholder SELinux policy for the biometric face HAL.

Notes: - Added face hal domain, context and file types for the default SELinux policy. - Please see aosp/q/topic:"Face+Authentication" Bug: 80155388 Test: Built successfully. Change-Id: I2e02cf6df009c5ca476dfd842b493c6b76b7712a
2018-05-24 00:59:40 -07:00 · 2018-05-24 00:59:40 -07:00 · 893272d883
commit 893272d883
parent ca86169422
7 changed files with 22 additions and 0 deletions
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@ -35,6 +35,7 @@
    fwk_stats_hwservice
    color_display_service
    hal_atrace_hwservice
+    hal_face_hwservice
    hal_health_storage_hwservice
    hal_power_stats_hwservice
    hal_system_suspend_default
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@ -10,6 +10,7 @@ android.hardware.authsecret::IAuthSecret                        u:object_r:hal_a
 android.hardware.automotive.audiocontrol::IAudioControl         u:object_r:hal_audiocontrol_hwservice:s0
 android.hardware.automotive.evs::IEvsEnumerator                 u:object_r:hal_evs_hwservice:s0
 android.hardware.automotive.vehicle::IVehicle                   u:object_r:hal_vehicle_hwservice:s0
+android.hardware.biometrics.face::IBiometricsFace               u:object_r:hal_face_hwservice:s0
 android.hardware.biometrics.fingerprint::IBiometricsFingerprint u:object_r:hal_fingerprint_hwservice:s0
 android.hardware.bluetooth::IBluetoothHci                       u:object_r:hal_bluetooth_hwservice:s0
 android.hardware.bluetooth.a2dp::IBluetoothAudioOffload         u:object_r:hal_audio_hwservice:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -205,6 +205,7 @@ hal_client_domain(system_server, hal_authsecret)
 hal_client_domain(system_server, hal_broadcastradio)
 hal_client_domain(system_server, hal_configstore)
 hal_client_domain(system_server, hal_contexthub)
+hal_client_domain(system_server, hal_face)
 hal_client_domain(system_server, hal_fingerprint)
 hal_client_domain(system_server, hal_gnss)
 hal_client_domain(system_server, hal_graphics_allocator)
--- a/public/attributes
+++ b/public/attributes
@ -258,6 +258,7 @@ hal_attribute(contexthub);
 hal_attribute(drm);
 hal_attribute(dumpstate);
 hal_attribute(evs);
+hal_attribute(face);
 hal_attribute(fingerprint);
 hal_attribute(gatekeeper);
 hal_attribute(gnss);
--- a/public/hal_face.te
+++ b/public/hal_face.te
@ -0,0 +1,12 @@
+# Allow HwBinder IPC from client to server, and vice versa for callbacks.
+binder_call(hal_face_client, hal_face_server)
+binder_call(hal_face_server, hal_face_client)
+
+hal_attribute_hwservice(hal_face, hal_face_hwservice)
+
+# Allow access to the ion memory allocation device.
+allow hal_face ion_device:chr_file r_file_perms;
+
+# Allow read/write access to the face template directory.
+allow hal_face face_vendor_data_file:file create_file_perms;
+allow hal_face face_vendor_data_file:dir rw_dir_perms;
--- a/public/hwservice.te
+++ b/public/hwservice.te
@ -20,6 +20,7 @@ type hal_drm_hwservice, hwservice_manager_type;
 type hal_cas_hwservice, hwservice_manager_type;
 type hal_dumpstate_hwservice, hwservice_manager_type;
 type hal_evs_hwservice, hwservice_manager_type;
+type hal_face_hwservice, hwservice_manager_type;
 type hal_fingerprint_hwservice, hwservice_manager_type;
 type hal_gatekeeper_hwservice, hwservice_manager_type;
 type hal_gnss_hwservice, hwservice_manager_type;
--- a/vendor/hal_face_default.te
+++ b/vendor/hal_face_default.te
@ -0,0 +1,5 @@
+type hal_face_default, domain;
+hal_server_domain(hal_face_default, hal_face)
+
+type hal_face_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_face_default)