sdm660: sepolicy: Address denials

Change-Id: I8fad5d60ca066b758c526f2027985b63662180cc

sepolicy/private/system_app.te

@@ -0,0 +1 @@
+hal_client_domain(system_app, hal_mlipay)

sepolicy/public/attributes

@@ -0,0 +1,2 @@
+# HALs
+hal_attribute(mlipay)

sepolicy/vendor/app.te

@@ -4,3 +4,5 @@ allow { appdomain -isolated_app } hal_mlipay_hwservice:hwservice_manager find;
 binder_call({ appdomain -isolated_app }, hal_mlipay_default)
 get_prop({ appdomain -isolated_app }, mlipay_prop)
 get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
+get_prop({ appdomain -isolated_app }, ifaa_prop)
+get_prop({ appdomain -isolated_app }, vendor_fp_prop)

sepolicy/vendor/file.te

@@ -3,6 +3,21 @@ type ir_dev_file, file_type;
 type proc_dt2w, fs_type, proc_type;
 type fingerprint_data_file, file_type, data_file_type, core_data_file_type;
 type fingerprint_sysfs, fs_type, sysfs_type;
+
+allow ueventd ir_dev_file:chr_file { create setattr };
+
+# Touchscreen wake_gesture
+type sysfs_tap_to_wake, sysfs_type, fs_type;
+
+# Fingerprint
+type fingerprintd_device, file_type, dev_type;
+type persist_fingerprint_file, file_type;
+type sysfs_fingerprint, sysfs_type, fs_type;
+
+# Input files
+type idc_file, file_type, vendor_file_type;
+
+# Keylayout
 type vendor_keylayout_file, file_type, vendor_file_type;
 type sysfs_light, fs_type, sysfs_type;
 type thermal_data_file, file_type, data_file_type;

sepolicy/vendor/file_contexts

@@ -13,8 +13,16 @@
 /data/misc/goodix(/.*)?                         u:object_r:fingerprint_data_file:s0
 /persist/data/gf*                               u:object_r:fingerprint_data_file:s0
 
-# Fpc Fingerprint data
-/persist/fpc(/.*)?                              u:object_r:fingerprint_data_file:s0
+# Fingerprint
+/data/misc/goodix(/.*)?                             u:object_r:fingerprintd_data_file:s0
+/data/gf_data(/.*)?                                 u:object_r:fingerprintd_data_file:s0
+/data/vendor/fpc(/.*)?                              u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/gf_data(/.*)?                          u:object_r:fingerprint_vendor_data_file:s0
+/data/vendor/goodix(/.*)?                           u:object_r:fingerprint_vendor_data_file:s0
+/dev/goodix_fp                                      u:object_r:fingerprintd_device:s0
+/persist/fpc(/.*)?                                  u:object_r:persist_fingerprint_file:s0
+/sys/devices/soc/soc:fpc1020(/.*)?                  u:object_r:sysfs_fingerprint:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660 u:object_r:hal_fingerprint_default_exec:s0
 
 # HVDCP
 /sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
@@ -23,7 +31,7 @@
 /dev/spidev7.1                                  u:object_r:spidev_device:s0
 
 # Keylayout
-/vendor/usr/idc(/.*)?                           u:object_r:vendor_keylayout_file:s0
+/vendor/usr/idc(/.*)?                           u:object_r:idc_file:s0
 /vendor/usr/keylayout(/.*)?                     u:object_r:vendor_keylayout_file:s0
 
 # Light HAL
@@ -43,3 +51,8 @@
 
 # Thermal
 /data/vendor/thermal(/.*)?                      u:object_r:thermal_data_file:s0
+
+# Video4linux sysfs nodes
+/sys/devices/soc/ca00000\.qcom,msm-cam/video4linux/video0(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices/soc/c900000\.qcom,mdss_rotator/video4linux/video2(/.*)?     u:object_r:sysfs_graphics:s0

sepolicy/vendor/hal_perf_default.te

@@ -0,0 +1 @@
+dontaudit hal_perf_default self:capability { dac_override dac_read_search };

sepolicy/vendor/property.te

@@ -1,3 +1,5 @@
 type hal_fingerprint_prop, property_type;
 type mlipay_prop, property_type;
 type thermal_engine_prop, property_type;
+type vendor_fp_prop, property_type;
+type ifaa_prop, property_type;

sepolicy/vendor/property_contexts

@@ -10,3 +10,14 @@ persist.vendor.sys.pay.soter        u:object_r:mlipay_prop:s0
 persist.vendor.sys.provision.status u:object_r:mlipay_prop:s0
 persist.sys.thermal.  u:object_r:thermal_engine_prop:s0
 sys.thermal.          u:object_r:thermal_engine_prop:s0
+
+# Fingerprint
+gf.debug.dump_data                  u:object_r:vendor_fp_prop:s0
+persist.sys.fp.                     u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.              u:object_r:vendor_fp_prop:s0
+ro.boot.fp.                         u:object_r:vendor_fp_prop:s0
+sys.fp.                             u:object_r:vendor_fp_prop:s0
+ro.boot.fpsensor                    u:object_r:vendor_fp_prop:s0
+
+# vendor_default_prop
+fpc_kpi                             u:object_r:vendor_default_prop:s0

sepolicy/vendor/system_app.te

@@ -1,3 +1,5 @@
 allow system_app vendor_default_prop:file { getattr open read };
 allow system_app wificond:binder call;
-add_service(system_app, goodixhw_service)
+allow system_app hal_mlipay_hwservice:hwservice_manager find;
+allow system_app hal_mlipay_default:binder call;
+add_service(system_app, goodix_fingerprint_service)

sepolicy/vendor/system_server.te

@@ -2,3 +2,9 @@ allow system_server vendor_keylayout_file:dir search;
 allow system_server vendor_keylayout_file:file r_file_perms;
 allow system_server sysfs_vibrator:file rw_file_perms;
 allow system_server sysfs_rtc:file r_file_perms;
+allow system_server vendor_camera_prop:file { getattr open read };
+allow system_server vendor_default_prop:file { getattr open read };
+# /vendor/usr/keylayout
+r_dir_file(system_server, idc_file)
+# /vendor/usr/idc
+r_dir_file(system_server, vendor_keylayout_file)