author | Anay Wadhera <awadhera@berkeley.edu> | 2022-10-21 03:08:53 +0000 |
committer | alk3pInjection <webmaster@raspii.tech> | 2024-01-19 12:20:00 +0800 |
commit | cd65034b27878ff98311437090af5a6406b92e1e (patch) | |
tree | c1818189e1a16a9a9993e4f49e3490e821d4241f | |
parent | 681270301684076c96e504d08bc8003c9ad556b1 (diff) |
gs201: sepolicy: Import missing face policy from stock
* Exo camera policy imported from gs101
Also squashed with:
Author: Anay Wadhera <anay1018@gmail.com>
Date: Sun Oct 30 11:15:07 2022 -0400
gs201-sepolicy: Import face policy from coral and strip
Change-Id: I004ff70976d26c08933de8eccedc62d1235072eb
Author: DarkJoker360 <simoespo159@gmail.com>
Date: Fri, 4 Aug 2023 08:35:34 +0000
faceunlock: sepolicy: Correct face service label
* Lynx has different face service AIDL name,
let's improve the regex to make sure all
devices have the correct selinux label.
Signed-off-by: DarkJoker360 <simoespo159@gmail.com>
Change-Id: I007a30b37b423feea2f5cc97e188c737b06a494f
14 files changed, 123 insertions, 0 deletions
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/dumpstate.te b/sepolicy/whitechapel_pro/exo_camera_injection/dumpstate.te
new file mode 100644
index 00000000..1a5b393d
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/dumpstate.te
@@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/exo_app.te b/sepolicy/whitechapel_pro/exo_camera_injection/exo_app.te
new file mode 100644
index 00000000..211e0c67
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/exo_app.te
@@ -0,0 +1,25 @@
+type exo_app, coredomain, domain;
+
+app_domain(exo_app)
+net_domain(exo_app)
+
+allow exo_app app_api_service:service_manager find;
+allow exo_app audioserver_service:service_manager find;
+allow exo_app cameraserver_service:service_manager find;
+allow exo_app mediaserver_service:service_manager find;
+allow exo_app radio_service:service_manager find;
+allow exo_app fwk_stats_service:service_manager find;
+allow exo_app mediametrics_service:service_manager find;
+allow exo_app virtual_device_service:service_manager find;
+allow exo_app gpu_device:dir search;
+
+allow exo_app uhid_device:chr_file rw_file_perms;
+
+# Allow exo app to find and bind exo camera injection hal.
+allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(exo_app, hal_exo_camera_injection)
+
+binder_call(exo_app, statsd)
+binder_use(exo_app)
+
+get_prop(exo_app, device_config_runtime_native_boot_prop)
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/file_contexts b/sepolicy/whitechapel_pro/exo_camera_injection/file_contexts
new file mode 100644
index 00000000..98627c63
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.1-service u:object_r:hal_exo_camera_injection_exec:s0
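Review bot: `allow exo_app uhid_device:chr_file rw_file_perms;` in exo_app.te hands an app domain read/write on /dev/uhid, the interface for creating virtual HID input devices, and the rule carries no comment saying why an app needs it. The seapp_contexts entry in this same commit binds the domain by `seinfo=platform name=com.google.pixel.exo`, so only a platform-signed app with that package name can reach it, but a reader of exo_app.te alone cannot see that. I would put a comment above the rule along the lines of `# /dev/uhid lets the app create virtual HID input devices; domain is reachable only by the platform-signed com.google.pixel.exo app (seapp_contexts) — confirm Exo still needs this on gs201`, and if uhid is not exercised by the app shipped on this ROM, drop the rule rather than import it wholesale from gs101.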
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/hal_exo_camera_injection.te b/sepolicy/whitechapel_pro/exo_camera_injection/hal_exo_camera_injection.te
new file mode 100644
index 00000000..138d1b1d
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/hal_exo_camera_injection.te
@@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/hwservice.te b/sepolicy/whitechapel_pro/exo_camera_injection/hwservice.te
new file mode 100644
index 00000000..cea97689
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/hwservice.te
@@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/hwservice_contexts b/sepolicy/whitechapel_pro/exo_camera_injection/hwservice_contexts
new file mode 100644
index 00000000..59ccfe67
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0
diff --git a/sepolicy/whitechapel_pro/exo_camera_injection/seapp_contexts b/sepolicy/whitechapel_pro/exo_camera_injection/seapp_contexts
new file mode 100644
index 00000000..8024688c
--- /dev/null
+++ b/sepolicy/whitechapel_pro/exo_camera_injection/seapp_contexts
@@ -0,0 +1,2 @@
+# Domain for Exo app
+user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
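Review bot: The header comment `# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.` is stale and references a Google-internal bug that nobody on this tree can act on; Pixel 6 has shipped and the file is being added here, not moved. Replace it with a comment that says what the domain is, e.g. `# Exo camera-injection HAL (vendor.google.exo_camera_injection@1.1-service), imported from gs101 policy.` The line `hal_server_domain(hal_exo_camera_injection, hal_camera)` also deserves a word: it adds this daemon to the hal_camera and hal_camera_server attributes, so every rule written for the camera HAL applies to the injection service, and exo_app in this same commit gets binder_call into it. If the gs201 build does not ship the injection binary, this domain and its file_contexts entry are dead policy and could be left out.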
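Review bot: The seapp_contexts entry `user=_app seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all` only matches an app signed with this build's platform certificate, so a Google-signed com.google.pixel.exo APK will presumably not land in exo_app on a ROM built with its own keys and the domain would go unused. The comment `# Domain for Exo app` does not tell the reader that; I would extend it to `# Domain for the Exo app; requires a platform-signed com.google.pixel.exo, otherwise this entry never matches` so the signing requirement is visible next to the rule.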
diff --git a/sepolicy/whitechapel_pro/file_contexts b/sepolicy/whitechapel_pro/file_contexts
index 03e8c70f..92a10af4 100644
--- a/sepolicy/whitechapel_pro/file_contexts
+++ b/sepolicy/whitechapel_pro/file_contexts
@@ -30,6 +30,7 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.face-service(.*) u:object_r:hal_face_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.nfc-service\.st u:object_r:hal_nfc_default_exec:s0
diff --git a/sepolicy/whitechapel_pro/hal_face_debug_service.te b/sepolicy/whitechapel_pro/hal_face_debug_service.te
new file mode 100644
index 00000000..9d16cc7f
--- /dev/null
+++ b/sepolicy/whitechapel_pro/hal_face_debug_service.te
@@ -0,0 +1,6 @@
+hal_attribute(face_debug);
+binder_call(hal_face_debug_client, hal_face_debug_server)
+binder_call(hal_face_debug_server, hal_face_debug_client)
+binder_call(hal_face_debug_server, servicemanager)
+
+hal_attribute_hwservice(hal_face_debug, hal_face_debug_hwservice)
diff --git a/sepolicy/whitechapel_pro/hal_face_default.te b/sepolicy/whitechapel_pro/hal_face_default.te
new file mode 100644
index 00000000..2cd57b91
--- /dev/null
+++ b/sepolicy/whitechapel_pro/hal_face_default.te
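Review bot: `/vendor/bin/hw/android\.hardware\.biometrics\.face-service(.*)` is open-ended: file_contexts patterns are anchored regexes, so `(.*)` matches any suffix at all, including a path separator, and every future binary under /vendor/bin/hw whose name begins with that prefix would silently inherit hal_face_default_exec — a domain this same commit grants tee_device, edgetpu_device and dmabuf heap access. The capturing group buys nothing in a file_contexts pattern. The commit message only says Lynx uses a different service name, so I would bound the suffix to the forms actually shipped, for example `face-service([.-][A-Za-z0-9_]+)?` if the Lynx binary is a dotted or hyphenated variant (confirm against the Lynx vendor image), or list the two names as separate entries the way the neighbouring fingerprint lines do.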
@@ -0,0 +1,64 @@
+allow hal_face_default hal_graphics_mapper_hwservice:hwservice_manager find;
+hal_client_domain(hal_face_default, hal_graphics_allocator)
+binder_call(hal_face_default, hal_graphics_allocator_default)
+
+# Implementation of face debug HAL
+hal_server_domain(hal_face_default, hal_face_debug)
+
+# Allow DMA buffer access
+allow hal_face_default dmabuf_system_heap_device:chr_file { ioctl read open };
+allow hal_face_default faceauth_heap_device:chr_file { ioctl read open };
+
+# TPU
+allow hal_face_default edgetpu_device:chr_file { ioctl open read write };
+
+# Allow sensor HAL access
+allow hal_face_default fwk_sensor_hwservice:hwservice_manager find;
+
+# Allow power HAL access
+hal_client_domain(hal_face_default, hal_power);
+
+# Allow hal_face_default to obtain wakelock
+wakelock_use(hal_face_default)
+
+# Grant TEE access to the face HAL
+allow hal_face_default tee_device:chr_file rw_file_perms;
+allow hal_face_default vndbinder_device:chr_file ioctl;
+
+#Allow face hal to talk to process serving ITokenManager(libmediandk)
+allow hal_face_default hidl_token_hwservice:hwservice_manager find;
+
+#Allow face hal to talk to cameraserver
+allow hal_face_default fwk_camera_hwservice:hwservice_manager find;
+binder_call(hal_face_default, camera_service_server)
+binder_call(camera_service_server, hal_face_default)
+
+# Create subdirectories within the face vendor file directory.
+allow hal_face_default face_vendor_data_file:dir create_dir_perms;
+r_dir_file(hal_face_default, persist_camera_file)
+allow hal_face_default persist_file:dir search;
+allow hal_face_default mnt_vendor_file:dir search;
+allow hal_face_default system_app:fd use;
+
+# Grant incidentd access to the face HAL debug images
+userdebug_or_eng(`
+ allow hal_face_default incidentd:fd use;
+ allow hal_face_default incidentd:fifo_file write;
+')
+get_prop(hal_face_default, camera_config_prop)
+hwbinder_use(hal_face_default);
+
+# Allow the face HAL to communicate with IStats.
+allow hal_face_default fwk_stats_hwservice:hwservice_manager find; +binder_call(hal_face_default, stats_service_server) +allow hal_face_default fwk_stats_service:service_manager find; +binder_use(hal_face_default) + +# Allow the face HAL to communicate with the thermal HAL. +hal_client_domain(hal_face_default, hal_thermal) + +# Allow the face HAL to communicate with the face debug service. +allow hal_face_default hal_face_debug_service:service_manager find; + +# Allow the face HAL to communicate with ICameraService. +allow hal_face_default fwk_camera_service:service_manager find; diff --git a/sepolicy/whitechapel_pro/hwservice.te b/sepolicy/whitechapel_pro/hwservice.te index 983e5a3f..8b0d0435 100644 --- a/sepolicy/whitechapel_pro/hwservice.te +++ b/sepolicy/whitechapel_pro/hwservice.te @@ -10,6 +10,9 @@ type hal_wlc_hwservice, hwservice_manager_type; # rild service type hal_exynos_rild_hwservice, hwservice_manager_type; +# Face +type hal_face_debug_hwservice, hwservice_manager_type; + # Fingerprint type hal_fingerprint_ext_hwservice, hwservice_manager_type; diff --git a/sepolicy/whitechapel_pro/hwservice_contexts b/sepolicy/whitechapel_pro/hwservice_contexts index 0035ed49..0e9b20d4 100644 --- a/sepolicy/whitechapel_pro/hwservice_contexts +++ b/sepolicy/whitechapel_pro/hwservice_contexts @@ -1,6 +1,9 @@ # dmd HAL vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0 +# Face +com.google.face.debug::IDebugHost u:object_r:hal_face_debug_hwservice:s0 + # Fingerprint vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon u:object_r:hal_fingerprint_ext_hwservice:s0 diff --git a/sepolicy/whitechapel_pro/service.te b/sepolicy/whitechapel_pro/service.te index 1c49d4f8..5ea8b689 100644 --- a/sepolicy/whitechapel_pro/service.te +++ b/sepolicy/whitechapel_pro/service.te 
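Review bot: `hal_client_domain(hal_face_default, hal_power);` and `hwbinder_use(hal_face_default);` end with a semicolon while every other macro invocation in this file has none; the m4 macros already expand to complete statements, so the trailing semicolons are at best inconsistent and should be dropped to match the rest of the file. The file also has no header saying which process lives in this domain, and given what it is granted here — `tee_device:chr_file rw_file_perms`, `edgetpu_device`, both dmabuf heap devices and `system_app:fd use` — a one-line comment such as `# Domain for the biometrics face HAL (android.hardware.biometrics.face-service*); holds TEE, TPU and dmabuf heap access` would help the next reader judge each rule. The `userdebug_or_eng` gating of the incidentd rules is the right shape and should stay.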
@@ -1,5 +1,8 @@ type hal_pixel_display_service, service_manager_type, hal_service_type; type hal_uwb_vendor_service, service_manager_type, hal_service_type; +# Face +type hal_face_debug_service, hal_service_type, protected_service, service_manager_type; + # WLC type hal_wireless_charger_service, hal_service_type, protected_service, service_manager_type; diff --git a/sepolicy/whitechapel_pro/service_contexts b/sepolicy/whitechapel_pro/service_contexts index a3849bb7..b07013b5 100644 --- a/sepolicy/whitechapel_pro/service_contexts +++ b/sepolicy/whitechapel_pro/service_contexts @@ -1,4 +1,5 @@ com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0 hardware.qorvo.uwb.IUwbVendor/default u:object_r:hal_uwb_vendor_service:s0 +com.google.face.debug.IDebugHost/default u:object_r:hal_face_debug_service:s0 vendor.google.wireless_charger.IWirelessCharger/default u:object_r:hal_wireless_charger_service:s0 |
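Review bot: `com.google.face.debug.IDebugHost/default u:object_r:hal_face_debug_service:s0` labels the AIDL debug host, but nothing in this commit lets any domain register that service: hal_face_default.te grants only `hal_face_debug_service:service_manager find`, and hal_face_debug_service.te wires the HIDL side alone through `hal_attribute_hwservice(hal_face_debug, hal_face_debug_hwservice)`. If hal_face_default is meant to publish IDebugHost, the usual pairing is `hal_attribute_service(hal_face_debug, hal_face_debug_service)` next to the hwservice line; if registration is granted by policy living elsewhere in the tree, a comment on the type declaration in service.te pointing there would save the next reader the search. Declaring the type with `protected_service` is the right call for a debug interface and should stay.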