From b7b20467fa8b8c2542422cf6347b3bb840969aa2 Mon Sep 17 00:00:00 2001
From: LuK1337
Date: Sun, 14 Jul 2019 21:23:15 +0200
Subject: [PATCH] sdm845-common: sepolicy: Add FOD related rules
Change-Id: I8fd985bf4eab1747351f9e717cc33fa6d5ab1517
---
 sepolicy/private/attributes | 1 +
 sepolicy/private/file.te | 1 +
 sepolicy/private/file_contexts | 1 +
 sepolicy/private/genfs_contexts | 2 ++
 sepolicy/private/hal_display_default.te | 1 +
 sepolicy/private/hal_fod_sdm845.te | 20 ++++++++++++++++++++
 sepolicy/private/hwservice.te | 1 +
 7 files changed, 27 insertions(+)
 create mode 100644 sepolicy/private/attributes
 create mode 100644 sepolicy/private/hal_display_default.te
 create mode 100644 sepolicy/private/hal_fod_sdm845.te
 create mode 100644 sepolicy/private/hwservice.te
diff --git a/sepolicy/private/attributes b/sepolicy/private/attributes
new file mode 100644
index 0000000..1326031
--- /dev/null
+++ b/sepolicy/private/attributes
@@ -0,0 +1 @@
+hal_attribute(display)
diff --git a/sepolicy/private/file.te b/sepolicy/private/file.te
index 9295686..9d9f84e 100644
--- a/sepolicy/private/file.te
+++ b/sepolicy/private/file.te
@@ -11,6 +11,7 @@ type proc_touchpanel, fs_type, proc_type;
 # sysfs
 type sysfs_battery_supply, sysfs_type, fs_type;
+type sysfs_fod, sysfs_type, fs_type;
 type sysfs_fpc_proximity, sysfs_type, fs_type;
 type sysfs_graphics, sysfs_type, fs_type;
 type sysfs_oem, sysfs_type, fs_type;
diff --git a/sepolicy/private/file_contexts b/sepolicy/private/file_contexts
index 31f4fa9..6f68e8d 100644
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
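Review bot: The new sepolicy/private/attributes file adds `hal_attribute(display)` without a comment, and nothing visible in this patch attaches a type to the attributes it creates. The same applies to the bare `type hal_display_default, domain;` in hal_display_default.te and `type hal_display_hwservice, hwservice_manager_type;` in hwservice.te. These look like stand-ins so that hal_fod_sdm845.te can name the display HAL, but that is an inference; the patch does not say so. A one-line comment on each, for example `# Declared only so hal_fod_sdm845 can reference the display HAL; no rules are attached here on purpose`, would discourage later changes from hanging allow rules on a domain that gets no exec type or transition in this patch.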
@@ -17,6 +17,7 @@
 # HALs
 /system/bin/hw/android\.hardware\.light@2\.0-service\.oneplus_sdm845 u:object_r:hal_light_sdm845_exec:s0
+/system/bin/hw/lineage\.biometrics\.fingerprint\.inscreen@1.0-service\.oneplus_fajita u:object_r:hal_fod_sdm845_exec:s0
 /system/bin/hw/lineage\.livedisplay@2\.0-service\.oneplus_sdm845 u:object_r:hal_livedisplay_sdm845_exec:s0
 /system/bin/hw/lineage\.touch@1\.0-service\.oneplus_sdm845 u:object_r:hal_touch_sdm845_exec:s0
 /system/bin/hw/lineage\.trust@1\.0-service u:object_r:hal_trust_default_exec:s0
diff --git a/sepolicy/private/genfs_contexts b/sepolicy/private/genfs_contexts
index f514631..2a51d9d 100644
--- a/sepolicy/private/genfs_contexts
+++ b/sepolicy/private/genfs_contexts
@@ -1,4 +1,6 @@
 genfscon proc /touchpanel u:object_r:proc_touchpanel:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/dim_alpha u:object_r:sysfs_fod:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/op_friginer_print_hbm u:object_r:sysfs_fod:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/dc u:object_r:sysfs_battery_supply:s0
 genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
 genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display@18/hbm u:object_r:sysfs_livedisplay_tuneable:s0
diff --git a/sepolicy/private/hal_display_default.te b/sepolicy/private/hal_display_default.te
new file mode 100644
index 0000000..f0d48c3
--- /dev/null
+++ b/sepolicy/private/hal_display_default.te
@@ -0,0 +1 @@
+type hal_display_default, domain;
diff --git a/sepolicy/private/hal_fod_sdm845.te b/sepolicy/private/hal_fod_sdm845.te
new file mode 100644
index 0000000..0fc5add
--- /dev/null
+++ b/sepolicy/private/hal_fod_sdm845.te
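Review bot: In the added sepolicy/private/file_contexts entry the version separator is unescaped (`inscreen@1.0-service`), while the neighbouring entries write `@2\.0` and `@1\.0`. An unescaped `.` matches any character, so the pattern is slightly wider than the single path it is meant to label as hal_fod_sdm845_exec. I would write it as `inscreen@1\.0-service\.oneplus_fajita`. The binary name also ends in `oneplus_fajita` where the other device HALs in this hunk end in `oneplus_sdm845`. If that is intentional, a short comment would help, because an entry that does not match the installed path leaves the binary without its exec label.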
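Review bot: The second added genfscon entry in sepolicy/private/genfs_contexts ends in `op_friginer_print_hbm`, which reads like a misspelling of "fingerprint". genfscon matches the kernel's node path literally, so this is presumably the name the display driver exports, but the kernel side is not part of this patch. A comment above the entry such as `# node name is spelled this way by the kernel driver; do not correct it` would keep a well-meant cleanup from breaking the label. If that happened the node would fall back to the generic sysfs type and the `sysfs_fod` rule would no longer cover it. Both paths are also tied to `card0-DSI-1`, so it is worth confirming the resulting label on a device with `ls -Z`.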
@@ -0,0 +1,20 @@
+type hal_fod_sdm845, coredomain, domain;
+hal_server_domain(hal_fod_sdm845, hal_lineage_fod)
+
+type hal_fod_sdm845_exec, exec_type, file_type;
+init_daemon_domain(hal_fod_sdm845)
+
+# Allow binder communication with hal_display_default
+binder_call(hal_fod_sdm845, hal_display_default)
+
+# Allow binder communication with hal_fingerprint
+binder_call(hal_fod_sdm845, hal_fingerprint)
+
+# Allow hal_fod_sdm845 to hal_display_hwservice
+allow hal_fod_sdm845 hal_display_hwservice:hwservice_manager find;
+
+# Allow hal_fod_sdm845 to hal_fingerprint_hwservice
+allow hal_fod_sdm845 hal_fingerprint_hwservice:hwservice_manager find;
+
+# Allow hal_fod_sdm845 to read and write to sysfs_fod
+allow hal_fod_sdm845 sysfs_fod:file rw_file_perms;
diff --git a/sepolicy/private/hwservice.te b/sepolicy/private/hwservice.te
new file mode 100644
index 0000000..ef1ca66
--- /dev/null
+++ b/sepolicy/private/hwservice.te
@@ -0,0 +1 @@
+type hal_display_hwservice, hwservice_manager_type;
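Review bot: In sepolicy/private/hal_fod_sdm845.te the comment `# Allow binder communication with hal_fingerprint` does not say why this coredomain service needs to call the fingerprint HAL. SELinux cannot limit a binder grant to particular methods, so `binder_call(hal_fod_sdm845, hal_fingerprint)` together with `find` on hal_fingerprint_hwservice gives the domain reach into everything served behind that label. I would extend the comment to name the interface and the calls the FOD service actually makes, so the grant can be judged against what the biometric stack exposes. The same goes for the display HAL pair. The two hwservice comments are also missing their verb; `# Allow hal_fod_sdm845 to find hal_display_hwservice` and `# Allow hal_fod_sdm845 to find hal_fingerprint_hwservice` read correctly.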