Set ro.build.version.security_patch and ro.build.version.sdk in system/etc/prop.default

base.mk

@@ -14,3 +14,10 @@ DEVICE_PACKAGE_OVERLAYS += device/phh/treble/overlay
 $(call inherit-product, vendor/hardware_overlay/overlay.mk)
 $(call inherit-product, $(SRC_TARGET_DIR)/product/core_64_bit.mk)
 $(call inherit-product, $(SRC_TARGET_DIR)/product/aosp_base_telephony.mk)
+
+#Those overrides are here because Huawei's init read properties
+#from /system/etc/prop.default, then /vendor/build.prop, then /system/build.prop
+#So we need to set our props in prop.default
+PRODUCT_SYSTEM_DEFAULT_PROPERTIES += \
+	ro.build.version.security_patch=$(PLATFORM_SECURITY_PATCH) \
+	ro.build.version.sdk=$(PLATFORM_SDK_VERSION)

sepolicy/file_contexts

@@ -1 +1,2 @@
 /system/bin/phh-su                   u:object_r:phhsu_exec:s0
+/system/bin/hw-fpnav                 u:object_r:hw_fpnav_exec:s0

sepolicy/hw_fpnav.te

@@ -0,0 +1,55 @@
+#SELinux policy for the Huawei fingerprint daemon
+type hw_fpnav, domain;
+type hw_fpnav_exec, exec_type, file_type;
+
+typeattribute hw_fpnav coredomain;
+
+#We need both app_domain to execute app_process, and access to /dev/input
+#This is not possible in current SELinux rules
+#So set to permissive
+#It is possible to fix, but it requires to have two separate contexts, one for app_process calls
+#One for reading /dev/input
+#app_domain(hw_fpnav);
+permissive hw_fpnav;
+
+tmpfs_domain(hw_fpnav);
+domain_auto_trans(init, hw_fpnav_exec, hw_fpnav);
+
+
+binder_use(hw_fpnav);
+hwbinder_use(hw_fpnav);
+
+get_prop(hw_fpnav, hwservicemanager_prop)
+
+allow hw_fpnav hwservicemanager:hwservice_manager { list };
+#We just want access to hw_ext_fingerprint, but this type is not known in the framework
+#So just ask for all hw services...
+allow hw_fpnav { hwservice_manager_type -hidl_base_hwservice -default_android_hwservice }:hwservice_manager { find };
+
+allow hw_fpnav zygote_exec:file rx_file_perms;
+allow hw_fpnav shell_exec:file rx_file_perms;
+allow hw_fpnav system_file:file rx_file_perms;
+
+allow hw_fpnav ashmem_device:chr_file execute;
+
+allow hw_fpnav hw_fpnav:process { share execmem setexec setcurrent };
+
+allow hw_fpnav input_device:dir r_dir_perms;
+allow hw_fpnav input_device:chr_file rw_file_perms;
+
+allow hw_fpnav dalvikcache_data_file:dir { search getattr };
+allow hw_fpnav dalvikcache_data_file:file r_file_perms;
+allow hw_fpnav dalvikcache_data_file:lnk_file r_file_perms;
+
+#dontaudit hw_fpnav dalvikcache_data_file:file rwx_file_perms;
+#dontaudit hw_fpnav dalvikcache_data_file:dir rw_dir_perms;
+#dontaudit hw_fpnav service_manager_type:service_manager find;
+#dontaudit hw_fpnav hidl_base_hwservice:hwservice_manager find;
+
+binder_call(hw_fpnav, binderservicedomain);
+binder_call(hw_fpnav, halserverdomain);
+allow hw_fpnav devpts:chr_file { getattr read write };
+
+allow hw_fpnav statusbar_service:service_manager find;
+allow hw_fpnav input_service:service_manager find;
+allow system_server hw_fpnav:fd use;

sepolicy/su.te

@@ -29,9 +29,10 @@ typeattribute su mlstrustedsubject;
 
 allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
 
-allow system_server phhsu_daemon:fd use;
-allow system_server phhsu_daemon:binder { call transfer };
-allow system_server shell_devpts:chr_file { read write };
+allow { system_server halclientdomain coredomain -installd } phhsu_daemon:fd use;
+allow { system_server halclientdomain coredomain -installd } phhsu_daemon:binder { call transfer };
+allow { system_server halclientdomain coredomain -installd } phhsu_daemon:fifo_file { read write };
+allow { system_server halclientdomain coredomain -installd } shell_devpts:chr_file { read write };
 
 # Add su to various domains
 net_domain(su)
@@ -46,3 +47,10 @@ allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr
 allow phhsu_daemon phhsu_daemon:capability { setuid setgid dac_override chown};
 
 allow appdomain phhsu_daemon:dir { search };
+allow domain phhsu_daemon:process { sigchld };
+
+allow hwservicemanager phhsu_daemon:process { getattr };
+allow hwservicemanager phhsu_daemon:dir { search };
+allow hwservicemanager phhsu_daemon:file { open read };
+
+allow phhsu_daemon { property_type -serialno_prop -firstboot_prop }:file { read };