49e3588429
Addresses the following denials and auditallows:
avc: denied { read } for pid=561 comm="hwservicemanage" name="hw"
dev="dm-0" ino=1883 scontext=u:r:hwservicemanager:s0
tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
avc: denied { read } for pid=748 comm="gatekeeperd" name="hw" dev="dm-0"
ino=1883 scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:system_file:s0
tclass=dir permissive=0
avc: granted { read open } for pid=735 comm="fingerprintd"
path="/system/lib64/hw" dev="dm-0" ino=1883 scontext=u:r:fingerprintd:s0
tcontext=u:object_r:system_file:s0 tclass=dir
Test: no denials on boot
Change-Id: Ic363497e3ae5078e564d7195f3739a654860a32f
28 lines
942 B
Text
28 lines
942 B
Text
type fingerprintd, domain, domain_deprecated;
|
|
type fingerprintd_exec, exec_type, file_type;
|
|
|
|
binder_use(fingerprintd)
|
|
|
|
# Scan through /system/lib64/hw looking for installed HALs
|
|
allow fingerprintd system_file:dir r_dir_perms;
|
|
|
|
# need to find KeyStore and add self
|
|
allow fingerprintd fingerprintd_service:service_manager { add find };
|
|
|
|
# allow HAL module to read dir contents
|
|
allow fingerprintd fingerprintd_data_file:file { create_file_perms };
|
|
|
|
# allow HAL module to read/write/unlink contents of this dir
|
|
allow fingerprintd fingerprintd_data_file:dir rw_dir_perms;
|
|
|
|
# Need to add auth tokens to KeyStore
|
|
use_keystore(fingerprintd)
|
|
allow fingerprintd keystore:keystore_key { add_auth };
|
|
|
|
# For permissions checking
|
|
binder_call(fingerprintd, system_server);
|
|
allow fingerprintd permission_service:service_manager find;
|
|
|
|
r_dir_file(fingerprintd, cgroup)
|
|
r_dir_file(fingerprintd, sysfs_type)
|
|
allow fingerprintd ion_device:chr_file r_file_perms;
|