wayne: sepolicy: Add sepolicy for goodix script

Change-Id: Ic8b7dba6a5660c17f5db1c743e5d22f31ae1b1b3
2018-07-09 20:46:22 +05:30 · 2018-07-09 20:46:22 +05:30 · 80a669c55a
commit 80a669c55a
parent cff97f0832
3 changed files with 19 additions and 1 deletions
--- a/biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc
+++ b/biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc
@ -18,5 +18,5 @@ service fps_hal /vendor/bin/hw/android.hardware.biometrics.fingerprint@2.1-servi

 service goodix_script /vendor/bin/init.goodix.sh
    class late_start
-    user root
+    user system
    oneshot
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -16,3 +16,6 @@

 # Light HAL
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0
+
+# Shell Script
+/(vendor|system/vendor)/bin/init\.goodix\.sh    u:object_r:init_fingerprint_exec:s0
--- a/sepolicy/init_fingerprint.te
+++ b/sepolicy/init_fingerprint.te
@ -0,0 +1,15 @@
+type init_fingerprint, domain;
+type init_fingerprint_exec, exec_type, vendor_file_type, file_type;
+
+# Allow for transition from init domain to init_fingerprint
+init_daemon_domain(init_fingerprint)
+
+# Shell script needs to execute /vendor/bin/sh
+allow init_fingerprint vendor_shell_exec:file rx_file_perms;
+allow init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+
+# Allow to delete file
+allow init_fingerprint persist_file:dir search;
+allow init_fingerprint persist_drm_file:dir { read search open write remove_name };
+allow init_fingerprint persist_drm_file:file { getattr unlink };
+allow init_fingerprint system_data_file:file r_file_perms;