From a1410fdaa47a6e100cea08cca8ce8a1e3c4690a6 Mon Sep 17 00:00:00 2001
From: dianlujitao
Date: Wed, 19 Feb 2020 20:28:52 +0800
Subject: sdm660-common: sepolicy: Rework mlipay rules
Change-Id: Ib3935dac1de548da5ba6902365b2bab969b3b3b1
---
sepolicy/private/system_app.te | 1 +
sepolicy/public/attributes | 1 +
sepolicy/vendor/app.te | 2 --
sepolicy/vendor/hal_mlipay.te | 20 ++++++++++++++++++++
sepolicy/vendor/hal_mlipay_default.te | 16 ----------------
5 files changed, 22 insertions(+), 18 deletions(-)
create mode 100644 sepolicy/private/system_app.te
create mode 100644 sepolicy/public/attributes
create mode 100644 sepolicy/vendor/hal_mlipay.te
delete mode 100644 sepolicy/vendor/hal_mlipay_default.te
diff --git a/sepolicy/private/system_app.te b/sepolicy/private/system_app.te
new file mode 100644
index 0000000..c9f1b37
--- /dev/null
+++ b/sepolicy/private/system_app.te
@@ -0,0 +1 @@
+hal_client_domain(system_app, hal_mlipay)
diff --git a/sepolicy/public/attributes b/sepolicy/public/attributes
new file mode 100644
index 0000000..13df9a9
--- /dev/null
+++ b/sepolicy/public/attributes
@@ -0,0 +1 @@
+hal_attribute(mlipay)
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
index 776c7c6..a2d8aa6 100644
--- a/sepolicy/vendor/app.te
+++ b/sepolicy/vendor/app.te
@@ -1,5 +1,3 @@
 # Allow appdomain to get vendor_camera_prop
-allow { appdomain -isolated_app -ephemeral_app -mediaprovider -untrusted_app_27 -untrusted_app -untrusted_app_25 -runas_app } hal_mlipay_hwservice:hwservice_manager find;
-binder_call({ appdomain -isolated_app }, hal_mlipay_default)
 get_prop({ appdomain -isolated_app }, mlipay_prop)
 get_prop({ appdomain -isolated_app }, hal_fingerprint_prop)
diff --git a/sepolicy/vendor/hal_mlipay.te b/sepolicy/vendor/hal_mlipay.te
new file mode 100644
index 0000000..18d0413
--- /dev/null
+++ b/sepolicy/vendor/hal_mlipay.te
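Review bot: In sepolicy/private/system_app.te, `hal_client_domain(system_app, hal_mlipay)` makes the entire `system_app` domain a client of the payment HAL, and that domain covers every platform-signed app running as the system UID rather than only the app that drives the payment flow. This is much narrower than the `appdomain` grant this commit removes from app.te. The server domain holds read/write access to `tee_device`, though, so a dedicated domain for the single client package (assigned through seapp_contexts) would be the tighter scope. Which app is the actual client is not visible in this patch, so this is a question for the author. At minimum the line deserves a comment recording the reason, for example `# mlipay HAL client: <client package> runs in system_app`.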
@@ -0,0 +1,20 @@
+type hal_mlipay_default, domain;
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_mlipay_default)
+
+# Allow hwbinder call from hal client to server
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+# Add hwservice related rules
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
+allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
+
+allow hal_mlipay_default tee_device:chr_file rw_file_perms;
+allow hal_mlipay_default ion_device:chr_file r_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+set_prop(hal_mlipay_default, mlipay_prop);
+
+get_prop(hal_mlipay_default, hal_fingerprint_prop);
diff --git a/sepolicy/vendor/hal_mlipay_default.te b/sepolicy/vendor/hal_mlipay_default.te
deleted file mode 100644
index c6f721c..0000000
--- a/sepolicy/vendor/hal_mlipay_default.te
+++ /dev/null
@@ -1,16 +0,0 @@
-type hal_mlipay_default, domain;
-
-type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_mlipay_default)
-
-hwbinder_use(hal_mlipay_default)
-get_prop(hal_mlipay_default, hwservicemanager_prop)
-add_hwservice(hal_mlipay_default, hal_mlipay_hwservice)
-
-allow hal_mlipay_default tee_device:chr_file rw_file_perms;
-allow hal_mlipay_default ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_mlipay_default, firmware_file)
-set_prop(hal_mlipay_default, mlipay_prop);
-
-get_prop(hal_mlipay_default, hal_fingerprint_prop);
-- 
cgit v1.2.3
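Review bot: The new sepolicy/vendor/hal_mlipay.te mixes the attribute-level interface rules (`binder_call(hal_mlipay_client, hal_mlipay_server)`, `add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)` and the `find` allow) with the `hal_mlipay_default` domain and its `tee_device`/`ion_device` grants. Keeping the domain, its exec type and the device permissions in a separate `hal_mlipay_default.te` would make it obvious that TEE access belongs to that one implementation and not to anything later tagged `hal_mlipay_server`. The `hwbinder_use(hal_mlipay_default)` and `get_prop(hal_mlipay_default, hwservicemanager_prop)` lines from the deleted file are not carried over. They are presumably covered by what `hal_server_domain` grants, but that is worth confirming on a device by checking for avc denials from `hal_mlipay_default` at boot. As a nit, the trailing `;` after `set_prop(hal_mlipay_default, mlipay_prop)` and `get_prop(hal_mlipay_default, hal_fingerprint_prop)` was inherited from the old file and can be dropped, since the other macro calls here have none.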