cc39f63773
Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c
25 lines
834 B
Text
25 lines
834 B
Text
type fingerprintd, domain, domain_deprecated;
|
|
type fingerprintd_exec, exec_type, file_type;
|
|
|
|
binder_use(fingerprintd)
|
|
|
|
# need to find KeyStore and add self
|
|
allow fingerprintd fingerprintd_service:service_manager { add find };
|
|
|
|
# allow HAL module to read dir contents
|
|
allow fingerprintd fingerprintd_data_file:file { create_file_perms };
|
|
|
|
# allow HAL module to read/write/unlink contents of this dir
|
|
allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
|
|
|
|
# Need to add auth tokens to KeyStore
|
|
use_keystore(fingerprintd)
|
|
allow fingerprintd keystore:keystore_key { add_auth };
|
|
|
|
# For permissions checking
|
|
binder_call(fingerprintd, system_server);
|
|
allow fingerprintd permission_service:service_manager find;
|
|
|
|
r_dir_file(fingerprintd, cgroup)
|
|
r_dir_file(fingerprintd, sysfs_type)
|
|
allow fingerprintd ion_device:chr_file r_file_perms;
|