otter: sepolicy: allow fingerprint to write to HBM nodes
This is required for allowing the fingerprint HAL to write
to UDFPS HBM paths.
Change-Id: I6bb2ddf2652725e382a13b8467ec9f63c8254f0e
Signed-off-by: Alexander Martinz <amartinz@shiftphones.com>
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index 61f0205..3188035 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,3 +1,6 @@
+# Display
+/sys/devices/virtual/display/panel(/.*)? u:object_r:vendor_sysfs_graphics:s0
+
# Fingerprint
/dev/goodix_fp u:object_r:fingerprint_device:s0
/data/vendor/goodix/gf_data(/.*)? u:object_r:fingerprint_data_file:s0
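Review bot: The new entry labels the entire `/sys/devices/virtual/display/panel` subtree through `(/.*)?`, while the commit message only needs the UDFPS HBM nodes. Every attribute under that directory then becomes reachable by any domain with access to `vendor_sysfs_graphics`, including the fingerprint HAL after the rule added in hal_fingerprint_default.te. Consider matching only the HBM attribute(s), e.g. `/sys/devices/virtual/display/panel/<hbm_node> u:object_r:vendor_sysfs_graphics:s0`, where `<hbm_node>` is a placeholder because the node names are not shown in this change. Separately, sysfs labels in file_contexts only apply when restorecon walks /sys, so if the panel nodes are created after that pass a `genfscon sysfs` entry may be more reliable; this should be confirmed on the device.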
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index 346bab7..55a9b71 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -8,5 +8,9 @@
allow hal_fingerprint_default vendor_data_file:dir create_dir_perms;
allow hal_fingerprint_default vendor_data_file:file create_file_perms;
+# Allow writing to UDFPS HBM panel nodes
+allow hal_fingerprint_default vendor_sysfs_graphics:dir search;
+allow hal_fingerprint_default vendor_sysfs_graphics:file rw_file_perms;
+
# gf.debug.fp_vendor
dontaudit hal_fingerprint_default default_prop:property_service set;
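Review bot: The `rw_file_perms` rule applies to every file labelled `vendor_sysfs_graphics`, not just the HBM nodes, so the fingerprint HAL gains read/write on any other display sysfs node that carries this type elsewhere in the policy. A dedicated type would keep the grant scoped, e.g. `type <udfps_hbm_sysfs_type>, sysfs_type, fs_type;` with `allow hal_fingerprint_default <udfps_hbm_sysfs_type>:file rw_file_perms;` (the type name is a placeholder). If the HAL only writes the nodes, `w_file_perms` may be enough; whether it reads them back is not visible in this hunk. The comment on the rule could also name the exact nodes, so a later audit can check the grant against the intended paths.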