wayne: sepolicy: Initial denials

Signed-off-by: Isaac Chen <isaacchen@isaacchen.cn>

BoardConfig.mk

@@ -238,6 +238,8 @@ PROTOBUF_SUPPORTED := true
 
 # SELinux
 include device/qcom/sepolicy/sepolicy.mk
+BOARD_SEPOLICY_DIRS += \
+    $(DEVICE_PATH)/sepolicy
 
 # Treble
 PRODUCT_FULL_TREBLE_OVERRIDE := true

sepolicy/bt_firmware_file.te

@@ -0,0 +1,2 @@
+#============= bt_firmware_file ==============
+allow bt_firmware_file rootfs:filesystem associate;

sepolicy/device.te

@@ -0,0 +1 @@
+type fingerprint_device, dev_type;

sepolicy/dpmd.te

@@ -0,0 +1,2 @@
+#============= dpmd ==============
+allow dpmd vendor_file:file { execute getattr open read };

sepolicy/file.te

@@ -0,0 +1,2 @@
+type fingerprint_data_file, file_type, data_file_type;
+type fingerprint_sysfs, fs_type, sysfs_type;

sepolicy/file_contexts

@@ -0,0 +1,18 @@
+# Biometric
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_wayne u:object_r:hal_fingerprint_wayne_exec:s0
+
+# Fpc Fingerprint
+/sys/devices/soc/soc:fpc1020(/.*)?		u:object_r:fingerprint_sysfs:s0
+
+# For Goodix fingerprint
+/dev/goodix_fp*                                 u:object_r:fingerprint_device:s0
+
+# Goodix Fingerprint data
+/data/gf_data/frr_database.db                   u:object_r:fingerprint_data_file:s0
+/persist/data/gf*                               u:object_r:fingerprint_data_file:s0
+
+# HVDCP
+/sys/devices(/platform)?/soc/[a-z0-9]+\.i2c/i2c-[0-9]+/[0-9]+-[a-z0-9]+/[a-z0-9]+\.i2c:qcom,[a-z0-9]+@[a-z0-9]:qcom,smb[a-z0-9]+-parallel-slave@[0-9]+/power_supply/parallel(/.*)? u:object_r:sysfs_usb_supply:s0
+
+# Light HAL
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0

sepolicy/firmware_file.te

@@ -0,0 +1,2 @@
+#============= firmware_file ==============
+allow firmware_file rootfs:filesystem associate;

sepolicy/hal_camera_default.te

@@ -0,0 +1 @@
+allow hal_camera_default sysfs_kgsl:file r_file_perms;

sepolicy/hal_cas_default.te

@@ -0,0 +1,2 @@
+#============= hal_cas_default ==============
+allow hal_cas_default vndbinder_device:chr_file { ioctl open read write };

sepolicy/hal_fingerprint_wayne.te

@@ -0,0 +1,36 @@
+type hal_fingerprint_wayne, domain, binder_in_vendor_violators;
+hal_server_domain(hal_fingerprint_wayne, hal_fingerprint)
+ 
+type hal_fingerprint_wayne_exec, exec_type, vendor_file_type, file_type;
+binder_use(hal_fingerprint_wayne)
+init_daemon_domain(hal_fingerprint_wayne)
+
+allow hal_fingerprint_wayne fingerprint_device:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne { tee_device uhid_device }:chr_file { read write open ioctl };
+allow hal_fingerprint_wayne fingerprint_data_file:file rw_file_perms;
+allow hal_fingerprint_wayne { fuse mnt_user_file storage_file }:dir search;
+allow hal_fingerprint_wayne { mnt_user_file storage_file }:lnk_file read;
+allow hal_fingerprint_wayne fingerprint_sysfs:dir rw_dir_perms;
+allow hal_fingerprint_wayne fingerprint_sysfs:file rw_file_perms;
+
+allow hal_fingerprint_wayne hal_fingerprint_wayne:netlink_socket { create bind write read };
+
+binder_call(hal_fingerprint_wayne, vndservicemanager)
+binder_call(hal_fingerprint_wayne, hal_perf_default)
+
+binder_use(hal_fingerprint_wayne)
+
+r_dir_file(hal_fingerprint_wayne, firmware_file)
+
+add_service(hal_fingerprint_wayne, goodixvnd_service)
+add_hwservice(hal_fingerprint_wayne, goodixhw_service)
+
+allow hal_fingerprint_wayne vndbinder_device:chr_file ioctl;
+
+get_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+set_prop(hal_fingerprint_wayne, hal_fingerprint_prop)
+
+vndbinder_use(hal_fingerprint_wayne)
+
+dontaudit hal_fingerprint_wayne { media_rw_data_file sdcardfs}:dir search;
+dontaudit hal_fingerprint_wayne media_rw_data_file:dir { read open };

sepolicy/hal_graphics_composer_default.te

@@ -0,0 +1,2 @@
+#============= hal_graphics_composer_default ==============
+allow hal_graphics_composer_default sysfs:file { getattr open read };

sepolicy/hal_power_default.te

@@ -0,0 +1 @@
+allow hal_power_default proc:file rw_file_perms;

sepolicy/hvdcp.te

@@ -0,0 +1,2 @@
+#============= hvdcp ==============
+allow hvdcp sysfs:file { open read };

sepolicy/hwservice.te

@@ -0,0 +1,2 @@
+
+type goodixhw_service, hwservice_manager_type;

sepolicy/hwservice_contexts

@@ -0,0 +1 @@
+vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint u:object_r:goodixhw_service:s0

sepolicy/hwservicemanager.te

@@ -0,0 +1,5 @@
+#============= hwservicemanager ==============
+allow hwservicemanager init:dir search;
+allow hwservicemanager init:file { open read };
+allow hwservicemanager init:process getattr;
+

sepolicy/init.te

@@ -0,0 +1,2 @@
+#============= init ==============
+allow init hwservicemanager:binder { call transfer };

sepolicy/per_mgr.te

@@ -0,0 +1,2 @@
+#============= per_mgr ==============
+allow per_mgr self:capability { dac_override net_raw };

sepolicy/property.te

@@ -0,0 +1 @@
+type hal_fingerprint_prop, property_type;

sepolicy/property_contexts

@@ -0,0 +1,4 @@
+sys.fp.goodix	u:object_r:hal_fingerprint_prop:s0
+sys.fp.vendor   u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.info u:object_r:hal_fingerprint_prop:s0
+persist.sys.fp.vendor u:object_r:hal_fingerprint_prop:s0

sepolicy/qti_init_shell.te

@@ -0,0 +1,3 @@
+#============= qti_init_shell ==============
+allow qti_init_shell sysfs_cpu_boost:file write;
+allow qti_init_shell sysfs_lowmemorykiller:dir write;

sepolicy/radio.te

@@ -0,0 +1,2 @@
+#============= radio ==============
+allow radio vendor_file:file { execute getattr open read };

sepolicy/rild.te

@@ -0,0 +1,2 @@
+#============= rild ==============
+allow rild vendor_file:file ioctl;

sepolicy/system_server.te

@@ -0,0 +1,2 @@
+#============= system_server ==============
+allow system_server vendor_file:file { execute getattr open read };

sepolicy/tee.te

@@ -0,0 +1,6 @@
+# /data/goodix labeling
+type_transition tee system_data_file:{ dir file } fingerprint_data_file;
+
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee fingerprint_data_file:file create_file_perms;
+allow tee system_data_file:dir create_dir_perms;

sepolicy/vndservice.te

@@ -0,0 +1 @@
+type goodixvnd_service, vndservice_manager_type;

sepolicy/vndservice_contexts

@@ -0,0 +1 @@
+android.hardware.fingerprint.IGoodixFingerprintDaemon  u:object_r:goodixvnd_service:s0

sepolicy/vndservicemanager.te

@@ -0,0 +1,3 @@
+allow vndservicemanager hal_fingerprint_default:dir { search read open };
+allow vndservicemanager hal_fingerprint_default:file { read open };
+allow vndservicemanager hal_fingerprint_default:process getattr;