From 65a5fe99c10d8ffd41996788dbbc16257da524f0 Mon Sep 17 00:00:00 2001
From: Klines Jiang
Date: Wed, 29 May 2024 02:23:19 +0000
Subject: [PATCH] [SELinux] Initial access fingerprint sepolicy for gyotaku_app

Initial a specific build folder for fingerprint, we need to include the mk file on specific build.
Bug: 342335081
Test: Local build and sepolicy tests passed.
Change-Id: I8b8522ed949abc586ebab2efe4061f5e4b6cdde0
---
gyotaku_app/fingerprint/gyotaku_app.te | 19 +++++++++++++++++++
gyotaku_app/fingerprint/seapp_contexts | 2 ++
gyotaku_app/gyotaku_fingerprint.mk | 5 +++++
3 files changed, 26 insertions(+)
create mode 100644 gyotaku_app/fingerprint/gyotaku_app.te
create mode 100644 gyotaku_app/fingerprint/seapp_contexts
create mode 100644 gyotaku_app/gyotaku_fingerprint.mk
diff --git a/gyotaku_app/fingerprint/gyotaku_app.te b/gyotaku_app/fingerprint/gyotaku_app.te
new file mode 100644
index 0000000..f6475f5
--- /dev/null
+++ b/gyotaku_app/fingerprint/gyotaku_app.te
@@ -0,0 +1,19 @@
+# Specific build for fingerprint
+type gyotaku_app, domain;
+
+app_domain(gyotaku_app)
+net_domain(gyotaku_app)
+
+# For Gyotaku app common use
+allow gyotaku_app app_api_service:service_manager find;
+allow gyotaku_app privapp_data_file:lnk_file read;
+allow gyotaku_app system_app_data_file:dir create_dir_perms;
+allow gyotaku_app system_app_data_file:file create_file_perms;
+
+# For getproperty isDebuggable use
+get_prop(gyotaku_app, userdebug_or_eng_prop)
+
+# For access /data/vendor/misc fingerprint use.
+allow gyotaku_app vendor_misc_data_file:dir search;
+allow gyotaku_app vendor_fingerprint_data_file:dir r_dir_perms;
+allow gyotaku_app vendor_fingerprint_data_file:file r_file_perms;
diff --git a/gyotaku_app/fingerprint/seapp_contexts b/gyotaku_app/fingerprint/seapp_contexts
new file mode 100644
index 0000000..b1c6248
--- /dev/null
+++ b/gyotaku_app/fingerprint/seapp_contexts
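Review bot: Nothing in gyotaku_app.te is gated on build type: `net_domain(gyotaku_app)` and the read rules on `vendor_fingerprint_data_file` at the end of the hunk apply on every build that picks up this directory. gyotaku_fingerprint.mk in the same patch adds the directory to `BOARD_SEPOLICY_DIRS` unconditionally, while the package itself is only in `PRODUCT_PACKAGES_DEBUG`. If that makefile is ever inherited by a user build, a network-capable app domain with read access to the vendor fingerprint data would be part of shipped policy even though the app is absent. Wrapping the rules, at least the three under "For access /data/vendor/misc fingerprint use", in the `userdebug_or_eng()` macro would tie the grant to debug builds. The fingerprint comment would also be more useful if it said what the app reads there and that the access is intentionally read-only.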
@@ -0,0 +1,2 @@
+# Gyotaku app
+user=system seinfo=platform name=com.google.android.apps.internal.gyotaku domain=gyotaku_app type=system_app_data_file levelFrom=all
diff --git a/gyotaku_app/gyotaku_fingerprint.mk b/gyotaku_app/gyotaku_fingerprint.mk
new file mode 100644
index 0000000..051b88e
--- /dev/null
+++ b/gyotaku_app/gyotaku_fingerprint.mk
@@ -0,0 +1,5 @@
+# Specific build for fingerprint
+PRODUCT_PACKAGES_DEBUG += \
+ Gyotaku
+
+BOARD_SEPOLICY_DIRS += device/google/gs-common/gyotaku_app/fingerprint
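Review bot: `type=system_app_data_file` in the seapp_contexts entry gives this app's data directory the same label that other system apps use, and gyotaku_app.te in this patch grants `create_dir_perms`/`create_file_perms` on that label. Because the entry also sets `user=system`, the app presumably shares a UID with those apps, so anything it copies out of the fingerprint directory into its own storage would not be separated by type from them, and their data would not be separated from it. A dedicated data type for this domain would keep that isolation. If sharing the label is intentional, a comment above the entry such as `# data dir intentionally shares system_app_data_file with other system apps` would make that explicit for the next reviewer.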