56 lines
2.0 KiB
Plaintext
56 lines
2.0 KiB
Plaintext
#SELinux policy for the Huawei fingerprint daemon
|
|
type hw_fpnav, domain;
|
|
type hw_fpnav_exec, exec_type, file_type;
|
|
|
|
typeattribute hw_fpnav coredomain;
|
|
|
|
#We need both app_domain to execute app_process, and access to /dev/input
|
|
#This is not possible in current SELinux rules
|
|
#So set to permissive
|
|
#It is possible to fix, but it requires to have two separate contexts, one for app_process calls
|
|
#One for reading /dev/input
|
|
#app_domain(hw_fpnav);
|
|
permissive hw_fpnav;
|
|
|
|
tmpfs_domain(hw_fpnav);
|
|
domain_auto_trans(init, hw_fpnav_exec, hw_fpnav);
|
|
|
|
|
|
binder_use(hw_fpnav);
|
|
hwbinder_use(hw_fpnav);
|
|
|
|
get_prop(hw_fpnav, hwservicemanager_prop)
|
|
|
|
allow hw_fpnav hwservicemanager:hwservice_manager { list };
|
|
#We just want access to hw_ext_fingerprint, but this type is not known in the framework
|
|
#So just ask for all hw services...
|
|
allow hw_fpnav { hwservice_manager_type -hidl_base_hwservice -default_android_hwservice }:hwservice_manager { find };
|
|
|
|
allow hw_fpnav zygote_exec:file rx_file_perms;
|
|
allow hw_fpnav shell_exec:file rx_file_perms;
|
|
allow hw_fpnav system_file:file rx_file_perms;
|
|
|
|
allow hw_fpnav ashmem_device:chr_file execute;
|
|
|
|
allow hw_fpnav hw_fpnav:process { share execmem setexec setcurrent };
|
|
|
|
allow hw_fpnav input_device:dir r_dir_perms;
|
|
allow hw_fpnav input_device:chr_file rw_file_perms;
|
|
|
|
allow hw_fpnav dalvikcache_data_file:dir { search getattr };
|
|
allow hw_fpnav dalvikcache_data_file:file r_file_perms;
|
|
allow hw_fpnav dalvikcache_data_file:lnk_file r_file_perms;
|
|
|
|
#dontaudit hw_fpnav dalvikcache_data_file:file rwx_file_perms;
|
|
#dontaudit hw_fpnav dalvikcache_data_file:dir rw_dir_perms;
|
|
#dontaudit hw_fpnav service_manager_type:service_manager find;
|
|
#dontaudit hw_fpnav hidl_base_hwservice:hwservice_manager find;
|
|
|
|
binder_call(hw_fpnav, binderservicedomain);
|
|
binder_call(hw_fpnav, halserverdomain);
|
|
allow hw_fpnav devpts:chr_file { getattr read write };
|
|
|
|
allow hw_fpnav statusbar_service:service_manager find;
|
|
allow hw_fpnav input_service:service_manager find;
|
|
allow system_server hw_fpnav:fd use;
|