From a15f24934622cf43216eb40318d39adcf87ef7ab Mon Sep 17 00:00:00 2001 From: Aayush Gupta Date: Sun, 27 Dec 2020 15:30:01 +0530 Subject: [PATCH] non_plat: Label /dev/teei_fp and allow required perms to hal_fingerprint_default /dev/teei_fp is used by fingerprint to communicate with Microtrust TEE drivers to store fingerprint data on the device. Label it and allow relevant source required permissions. Denial observed without this change: [ 17.672144] .(4)[397:logd.auditd]type=1400 audit(1608975801.860:326): avc: denied { ioctl } for comm="fingerprint@2.1" path="/dev/teei_fp" dev="tmpfs" ino=15742 ioctlcmd=0x5402 scontext=u:r:hal_fingerprint_default:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1 Test: Boot and notice denials have disappeared Signed-off-by: Aayush Gupta Change-Id: I8a7445400be241e81f8bf21347967b85381ed3ec --- non_plat/device.te | 2 ++ non_plat/file_contexts | 3 +++ non_plat/hal_fingerprint_default.te | 1 + non_plat/system_server.te | 2 ++ 4 files changed, 8 insertions(+) create mode 100644 non_plat/hal_fingerprint_default.te diff --git a/non_plat/device.te b/non_plat/device.te index 702a58d..9251874 100644 --- a/non_plat/device.te +++ b/non_plat/device.te @@ -272,3 +272,5 @@ type m_bio_misc_device, dev_type; # Operation : Migration # Purpose : Add permission for gpu access type dri_device, dev_type, mlstrustedobject; + +type teei_fp_device, dev_type; diff --git a/non_plat/file_contexts b/non_plat/file_contexts index a0f7234..a6b19eb 100644 --- a/non_plat/file_contexts +++ b/non_plat/file_contexts @@ -691,3 +691,6 @@ # Thermal /(system\/vendor|vendor)/bin/thermal u:object_r:thermal_exec:s0 + +# TEE +/dev/teei_fp u:object_r:teei_fp_device:s0 diff --git a/non_plat/hal_fingerprint_default.te b/non_plat/hal_fingerprint_default.te new file mode 100644 index 0000000..857623a --- /dev/null +++ b/non_plat/hal_fingerprint_default.te @@ -0,0 +1 @@ +allow hal_fingerprint_default teei_fp_device:chr_file { read write open ioctl }; diff --git a/non_plat/system_server.te b/non_plat/system_server.te index 16be4fe..c2aa0ff 100644 --- a/non_plat/system_server.te +++ b/non_plat/system_server.te @@ -277,3 +277,5 @@ allow system_server sf_rtt_file:dir rmdir; # Date : 2019/11/29 # Operation : Q Migration allow system_server storage_stub_file:dir getattr; + +allow system_server teei_fp_device:chr_file rw_file_perms;