authorTheScarastic <warabhishek@gmail.com>2018-07-09 20:46:22 +0530
committerIsaac Chen <isaacchen@isaacchen.cn>2018-07-31 00:00:10 +0000
commit80a669c55aa6709695b0de72ba63a50b61ecb9ae (patch)
treeab360bfa4116e6ca721d6d1a97b2f40c7e1f5342
parentcff97f08322836a14c36ab8a5d60ecf1007390ad (diff)
wayne: sepolicy: Add sepolicy for goodix script
Change-Id: Ic8b7dba6a5660c17f5db1c743e5d22f31ae1b1b3
-rw-r--r--biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc2
-rw-r--r--sepolicy/file_contexts3
-rw-r--r--sepolicy/init_fingerprint.te15
3 files changed, 19 insertions, 1 deletions
diff --git a/biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc b/biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc
index 77d5408..6139c3c 100644
--- a/biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc
+++ b/biometrics/android.hardware.biometrics.fingerprint@2.1-service.xiaomi_wayne.rc
@@ -18,5 +18,5 @@ service fps_hal /vendor/bin/hw/android.hardware.biometrics.fingerprint@2.1-servi
service goodix_script /vendor/bin/init.goodix.sh
class late_start
- user root
+ user system
oneshot
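Review bot: With `user system` and no `group` line in this service, the script's file deletion now depends on the DAC ownership of the directory it touches. The new init_fingerprint policy in this commit grants no capability such as `dac_override` that would cover a mismatch. Dropping root is the right least-privilege direction, but confirm that the persist directory is writable by system; otherwise the oneshot will likely fail on every boot with no visible effect. A comment above the service, for example `# runs as system; only needs to remove files under the persist DRM directory`, would record the intent for later reviewers.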
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index a35066a..19a8402 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -16,3 +16,6 @@
# Light HAL
/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.xiaomi_wayne u:object_r:hal_light_default_exec:s0
+
+# Shell Script
+/(vendor|system/vendor)/bin/init\.goodix\.sh u:object_r:init_fingerprint_exec:s0
diff --git a/sepolicy/init_fingerprint.te b/sepolicy/init_fingerprint.te
new file mode 100644
index 0000000..4c27535
--- /dev/null
+++ b/sepolicy/init_fingerprint.te
@@ -0,0 +1,15 @@
+type init_fingerprint, domain;
+type init_fingerprint_exec, exec_type, vendor_file_type, file_type;
+
+# Allow for transition from init domain to init_fingerprint
+init_daemon_domain(init_fingerprint)
+
+# Shell script needs to execute /vendor/bin/sh
+allow init_fingerprint vendor_shell_exec:file rx_file_perms;
+allow init_fingerprint vendor_toolbox_exec:file rx_file_perms;
+
+# Allow to delete file
+allow init_fingerprint persist_file:dir search;
+allow init_fingerprint persist_drm_file:dir { read search open write remove_name };
+allow init_fingerprint persist_drm_file:file { getattr unlink };
+allow init_fingerprint system_data_file:file r_file_perms;
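Review bot: The last rule, `allow init_fingerprint system_data_file:file r_file_perms;`, sits under the comment `# Allow to delete file` but grants read on every file carrying the generic system_data_file label, which looks much wider than a cleanup script needs. If the script reads one specific file, give that path its own type in file_contexts and allow only that type. If the rule was added only to silence a denial that does not affect the script's job, drop it or use `dontaudit`. The persist_drm_file rules likewise allow unlinking any file with that label, so the comment should name what is removed, e.g. `# Remove stale Goodix data under the persist DRM directory (see init.goodix.sh)`.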