From 56499fe8618d46e7c08466ed29fce836f09f5dc7 Mon Sep 17 00:00:00 2001 From: Sebastiano Barezzi Date: Tue, 26 Jul 2022 23:10:16 +0800 Subject: [PATCH] lmi: sepolicy: Label fingerprint props as restricted vendor * System only reads them, but never sets them * Rename to vendor_fingerprint_prop while at it Change-Id: Id980731ec53338c5c5a07b81f10a283c428d17aa --- sepolicy/vendor/app.te | 2 +- sepolicy/vendor/hal_fingerprint_default.te | 4 ++-- sepolicy/vendor/hal_mlipay_default.te | 2 +- sepolicy/vendor/mlipay_app.te | 2 +- sepolicy/vendor/property.te | 2 +- sepolicy/vendor/property_contexts | 8 ++++---- 6 files changed, 10 insertions(+), 10 deletions(-) diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te index fcd2abe..9e00f17 100644 --- a/sepolicy/vendor/app.te +++ b/sepolicy/vendor/app.te @@ -1,5 +1,5 @@ get_prop({ appdomain -isolated_app }, vendor_payment_security_prop) -get_prop({ appdomain -isolated_app }, vendor_fp_prop) +get_prop({ appdomain -isolated_app }, vendor_fingerprint_prop) # Allow appdomain to get vendor_camera_prop get_prop(appdomain, vendor_camera_prop) diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te index 1d406e9..4b2108d 100644 --- a/sepolicy/vendor/hal_fingerprint_default.te +++ b/sepolicy/vendor/hal_fingerprint_default.te @@ -30,9 +30,9 @@ allow hal_fingerprint_default { r_dir_file(hal_fingerprint_default, firmware_file) -get_prop(system_server, vendor_fp_prop); +get_prop(system_server, vendor_fingerprint_prop); -set_prop(hal_fingerprint_default, vendor_fp_prop) +set_prop(hal_fingerprint_default, vendor_fingerprint_prop) allow hal_fingerprint_default vendor_sysfs_spss:dir { search }; allow hal_fingerprint_default vendor_sysfs_spss:file { open read }; diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay_default.te index 146cccc..3cb7313 100644 --- a/sepolicy/vendor/hal_mlipay_default.te +++ b/sepolicy/vendor/hal_mlipay_default.te 
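Review bot: In sepolicy/vendor/app.te the renamed rule `get_prop({ appdomain -isolated_app }, vendor_fingerprint_prop)` still lets every app domain except isolated_app read the fingerprint properties, and unlike the camera rule below it, no comment says why. The patch grants reads to mlipay_app and system_server through their own rules, so if those are the only consumers this blanket rule could be dropped or narrowed to the domains that need it; the diff alone cannot confirm that. If the broad grant is intentional, a comment in the file's existing style, such as `# Allow appdomain to get vendor_fingerprint_prop (needed by <consumer>)`, would record the reason.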
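Review bot: The rule `get_prop(system_server, vendor_fingerprint_prop);` in sepolicy/vendor/hal_fingerprint_default.te grants access to a domain other than the one the file is named for, so someone auditing what system_server may read is unlikely to look here. It would sit more naturally in a system_server.te in the same directory, if the tree has one. The line also ends in a semicolon while the `set_prop(hal_fingerprint_default, vendor_fingerprint_prop)` line after it does not, and the same trailing semicolon appears on `get_prop(hal_mlipay_default, vendor_fingerprint_prop);` in hal_mlipay_default.te. Dropping the semicolons, as in `get_prop(system_server, vendor_fingerprint_prop)`, keeps the macro calls consistent across the files this patch touches.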
@@ -19,4 +19,4 @@ allow hal_mlipay_default { r_dir_file(hal_mlipay_default, firmware_file) set_prop(hal_mlipay_default, vendor_payment_security_prop); -get_prop(hal_mlipay_default, vendor_fp_prop); +get_prop(hal_mlipay_default, vendor_fingerprint_prop); diff --git a/sepolicy/vendor/mlipay_app.te b/sepolicy/vendor/mlipay_app.te index 6e3b5a4..2f0e6de 100644 --- a/sepolicy/vendor/mlipay_app.te +++ b/sepolicy/vendor/mlipay_app.te @@ -15,7 +15,7 @@ allow mlipay_app activity_service:service_manager find; r_dir_file(mlipay_app, firmware_file) set_prop(mlipay_app, vendor_payment_security_prop); -get_prop(mlipay_app, vendor_fp_prop) +get_prop(mlipay_app, vendor_fingerprint_prop) allow mlipay_app game_service:service_manager find; allow mlipay_app content_capture_service:service_manager find; diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te index 9667826..97d9ddf 100644 --- a/sepolicy/vendor/property.te +++ b/sepolicy/vendor/property.te @@ -1,6 +1,6 @@ vendor_internal_prop(vendor_camera_sensor_prop) -vendor_public_prop(vendor_fp_prop) +vendor_restricted_prop(vendor_fingerprint_prop) vendor_internal_prop(vendor_device_prop) diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts index b26ccda..f62d514 100644 --- a/sepolicy/vendor/property_contexts +++ b/sepolicy/vendor/property_contexts @@ -12,10 +12,10 @@ ro.camera.req.fmq.size u:object_r:vendor_ro_camera_prop:s0 ro.camera.res.fmq.size u:object_r:vendor_ro_camera_prop:s0 # Fingerprint -persist.vendor.sys.fp. u:object_r:vendor_fp_prop:s0 -ro.boot.fpsensor u:object_r:vendor_fp_prop:s0 -ro.hardware.fp. u:object_r:vendor_fp_prop:s0 -vendor.fps_hal. u:object_r:vendor_fp_prop:s0 +persist.vendor.sys.fp. u:object_r:vendor_fingerprint_prop:s0 +ro.boot.fpsensor u:object_r:vendor_fingerprint_prop:s0 +ro.hardware.fp. u:object_r:vendor_fingerprint_prop:s0 +vendor.fps_hal. u:object_r:vendor_fingerprint_prop:s0 # Mlipay persist.vendor.sys.pay.ifaa u:object_r:vendor_payment_security_prop:s0
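Review bot: The new declaration `vendor_restricted_prop(vendor_fingerprint_prop)` in sepolicy/vendor/property.te carries no comment recording who is expected to write the type, which is the reason for the label change. Within this patch the only `set_prop` on it is for hal_fingerprint_default, while system_server, the app domains, hal_mlipay_default and mlipay_app only read it. A one-line comment above the declaration, such as `# Set by hal_fingerprint_default only; all other domains just read it`, would make it harder for a later change to quietly add a writer outside vendor.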
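Review bot: The `ro.boot.fpsensor` entry in sepolicy/vendor/property_contexts names a single property but has no match-type column, so it is treated as a prefix and any longer name beginning with that string also receives vendor_fingerprint_prop. Since this hunk rewrites the line anyway, it could be pinned with `ro.boot.fpsensor u:object_r:vendor_fingerprint_prop:s0 exact string`. The `string` value type is assumed here and should be checked against how the property is actually set. The three entries ending in a dot are evidently meant as prefixes and can stay as they are.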