non_plat: Label /dev/teei_fp and allow required perms to hal_fingerprint_default

/dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to store fingerprint data on the device. Label it and allow relevant source required permissions. Denial observed without this change: [ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 Test: Boot and notice denials have disappeared Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com> Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec
2020-12-27 15:30:01 +05:30 · 2020-12-27 15:30:01 +05:30 · a15f249346
commit a15f249346
parent 54f06d5d7c
4 changed files with 8 additions and 0 deletions
--- a/non_plat/device.te
+++ b/non_plat/device.te
@ -272,3 +272,5 @@ type m_bio_misc_device, dev_type;
 # Operation : Migration
 # Purpose : Add permission for gpu access
 type dri_device, dev_type, mlstrustedobject;
+
+type teei_fp_device, dev_type;
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@ -691,3 +691,6 @@

 # Thermal
 /(system\/vendor|vendor)/bin/thermal u:object_r:thermal_exec:s0
+
+# TEE
+/dev/teei_fp u:object_r:teei_fp_device:s0
--- a/non_plat/hal_fingerprint_default.te
+++ b/non_plat/hal_fingerprint_default.te
@ -0,0 +1 @@
+allow hal_fingerprint_default teei_fp_device:chr_file { read write open ioctl };
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@ -277,3 +277,5 @@ allow system_server sf_rtt_file:dir rmdir;
 # Date : 2019/11/29
 # Operation : Q Migration
 allow system_server storage_stub_file:dir getattr;
+
+allow system_server teei_fp_device:chr_file rw_file_perms;
				`@ -0,0 +1 @@`
				`allow hal_fingerprint_default teei_fp_device:chr_file { read write open ioctl };`