aosp_beryllium: Replace gatekeeper with software HIDL service.

Use the default software implementation of gatekeeper.

Signed-off-by: Amit Pundir <pundiramit@gmail.com>
diff --git a/aosp_beryllium/device.mk b/aosp_beryllium/device.mk
index 0a59285..6ec7fd0 100644
--- a/aosp_beryllium/device.mk
+++ b/aosp_beryllium/device.mk
@@ -41,11 +41,5 @@
 # Build generic Audio HAL
 PRODUCT_PACKAGES := audio.primary.aosp_beryllium
 
-# Software Gatekeeper
-PRODUCT_PACKAGES += \
-    gatekeeper.aosp_beryllium \
-    android.hardware.gatekeeper@1.0-impl \
-    android.hardware.gatekeeper@1.0-service
-
 # Copy firmware files
 $(call inherit-product-if-exists, device/xiaomi/beryllium/firmware/device.mk)
diff --git a/device-common.mk b/device-common.mk
index 6062264..4f86c3a 100644
--- a/device-common.mk
+++ b/device-common.mk
@@ -127,6 +127,10 @@
     android.hardware.keymaster@3.0-impl \
     android.hardware.keymaster@3.0-service
 
+# Gatekeeper
+PRODUCT_PACKAGES += \
+    android.hardware.gatekeeper@1.0-service.software
+
 # Copy standard platform config files
 PRODUCT_COPY_FILES +=  \
     device/linaro/hikey/etc/permissions/android.hardware.screen.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.screen.xml \
diff --git a/gatekeeper/Android.mk b/gatekeeper/Android.mk
deleted file mode 100644
index 4579c99..0000000
--- a/gatekeeper/Android.mk
+++ /dev/null
@@ -1,50 +0,0 @@
-#
-# Copyright (C) 2015 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#      http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-LOCAL_PATH := $(call my-dir)
-
-include $(CLEAR_VARS)
-
-# See b/67109557
-ifeq (true, $(TARGET_TRANSLATE_2ND_ARCH))
-LOCAL_MULTILIB := first
-endif
-
-LOCAL_VENDOR_MODULE := true
-LOCAL_MODULE := gatekeeper.$(TARGET_BOARD_PLATFORM)
-LOCAL_MODULE_RELATIVE_PATH := hw
-
-LOCAL_CFLAGS := -Wall -Wextra -Werror -Wunused
-LOCAL_SRC_FILES := \
-	module.cpp \
-	SoftGateKeeperDevice.cpp
-
-LOCAL_SHARED_LIBRARIES := \
-	libbinder \
-	libgatekeeper \
-	liblog \
-	libhardware \
-	libbase \
-	libutils \
-	libcrypto \
-	libhidlbase \
-	libhidltransport \
-	libhwbinder \
-	android.hardware.gatekeeper@1.0 \
-
-LOCAL_STATIC_LIBRARIES := libscrypt_static
-LOCAL_C_INCLUDES := external/scrypt/lib/crypto
-include $(BUILD_SHARED_LIBRARY)
diff --git a/gatekeeper/SoftGateKeeper.h b/gatekeeper/SoftGateKeeper.h
deleted file mode 100644
index 2f4f4d7..0000000
--- a/gatekeeper/SoftGateKeeper.h
+++ /dev/null
@@ -1,182 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- */
-
-#ifndef SOFT_GATEKEEPER_H_
-#define SOFT_GATEKEEPER_H_
-
-extern "C" {
-#include <openssl/rand.h>
-#include <openssl/sha.h>
-
-#include <crypto_scrypt.h>
-}
-
-#include <android-base/memory.h>
-#include <gatekeeper/gatekeeper.h>
-
-#include <iostream>
-#include <unordered_map>
-#include <memory>
-
-namespace gatekeeper {
-
-struct fast_hash_t {
-    uint64_t salt;
-    uint8_t digest[SHA256_DIGEST_LENGTH];
-};
-
-class SoftGateKeeper : public GateKeeper {
-public:
-    static const uint32_t SIGNATURE_LENGTH_BYTES = 32;
-
-    // scrypt params
-    static const uint64_t N = 16384;
-    static const uint32_t r = 8;
-    static const uint32_t p = 1;
-
-    static const int MAX_UINT_32_CHARS = 11;
-
-    SoftGateKeeper() {
-        key_.reset(new uint8_t[SIGNATURE_LENGTH_BYTES]);
-        memset(key_.get(), 0, SIGNATURE_LENGTH_BYTES);
-    }
-
-    virtual ~SoftGateKeeper() {
-    }
-
-    virtual bool GetAuthTokenKey(const uint8_t **auth_token_key,
-            uint32_t *length) const {
-        if (auth_token_key == NULL || length == NULL) return false;
-        uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
-        memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
-
-        *auth_token_key = auth_token_key_copy;
-        *length = SIGNATURE_LENGTH_BYTES;
-        return true;
-    }
-
-    virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) {
-        if (password_key == NULL || length == NULL) return;
-        uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
-        memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
-
-        *password_key = password_key_copy;
-        *length = SIGNATURE_LENGTH_BYTES;
-    }
-
-    virtual void ComputePasswordSignature(uint8_t *signature, uint32_t signature_length,
-            const uint8_t *, uint32_t, const uint8_t *password,
-            uint32_t password_length, salt_t salt) const {
-        if (signature == NULL) return;
-        crypto_scrypt(password, password_length, reinterpret_cast<uint8_t *>(&salt),
-                sizeof(salt), N, r, p, signature, signature_length);
-    }
-
-    virtual void GetRandom(void *random, uint32_t requested_length) const {
-        if (random == NULL) return;
-        RAND_pseudo_bytes((uint8_t *) random, requested_length);
-    }
-
-    virtual void ComputeSignature(uint8_t *signature, uint32_t signature_length,
-            const uint8_t *, uint32_t, const uint8_t *, const uint32_t) const {
-        if (signature == NULL) return;
-        memset(signature, 0, signature_length);
-    }
-
-    virtual uint64_t GetMillisecondsSinceBoot() const {
-        struct timespec time;
-        int res = clock_gettime(CLOCK_BOOTTIME, &time);
-        if (res < 0) return 0;
-        return (time.tv_sec * 1000) + (time.tv_nsec / 1000 / 1000);
-    }
-
-    virtual bool IsHardwareBacked() const {
-        return false;
-    }
-
-    virtual bool GetFailureRecord(uint32_t uid, secure_id_t user_id, failure_record_t *record,
-            bool /* secure */) {
-        failure_record_t *stored = &failure_map_[uid];
-        if (user_id != stored->secure_user_id) {
-            stored->secure_user_id = user_id;
-            stored->last_checked_timestamp = 0;
-            stored->failure_counter = 0;
-        }
-        memcpy(record, stored, sizeof(*record));
-        return true;
-    }
-
-    virtual bool ClearFailureRecord(uint32_t uid, secure_id_t user_id, bool /* secure */) {
-        failure_record_t *stored = &failure_map_[uid];
-        stored->secure_user_id = user_id;
-        stored->last_checked_timestamp = 0;
-        stored->failure_counter = 0;
-        return true;
-    }
-
-    virtual bool WriteFailureRecord(uint32_t uid, failure_record_t *record, bool /* secure */) {
-        failure_map_[uid] = *record;
-        return true;
-    }
-
-    fast_hash_t ComputeFastHash(const SizedBuffer &password, uint64_t salt) {
-        fast_hash_t fast_hash;
-        size_t digest_size = password.length + sizeof(salt);
-        std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_size]);
-        memcpy(digest.get(), &salt, sizeof(salt));
-        memcpy(digest.get() + sizeof(salt), password.buffer.get(), password.length);
-
-        SHA256(digest.get(), digest_size, (uint8_t *) &fast_hash.digest);
-
-        fast_hash.salt = salt;
-        return fast_hash;
-    }
-
-    bool VerifyFast(const fast_hash_t &fast_hash, const SizedBuffer &password) {
-        fast_hash_t computed = ComputeFastHash(password, fast_hash.salt);
-        return memcmp(computed.digest, fast_hash.digest, SHA256_DIGEST_LENGTH) == 0;
-    }
-
-    bool DoVerify(const password_handle_t *expected_handle, const SizedBuffer &password) {
-        uint64_t user_id = android::base::get_unaligned<secure_id_t>(&expected_handle->user_id);
-        FastHashMap::const_iterator it = fast_hash_map_.find(user_id);
-        if (it != fast_hash_map_.end() && VerifyFast(it->second, password)) {
-            return true;
-        } else {
-            if (GateKeeper::DoVerify(expected_handle, password)) {
-                uint64_t salt;
-                GetRandom(&salt, sizeof(salt));
-                fast_hash_map_[user_id] = ComputeFastHash(password, salt);
-                return true;
-            }
-        }
-
-        return false;
-    }
-
-private:
-
-    typedef std::unordered_map<uint32_t, failure_record_t> FailureRecordMap;
-    typedef std::unordered_map<uint64_t, fast_hash_t> FastHashMap;
-
-    std::unique_ptr<uint8_t[]> key_;
-    FailureRecordMap failure_map_;
-    FastHashMap fast_hash_map_;
-};
-}
-
-#endif // SOFT_GATEKEEPER_H_
diff --git a/gatekeeper/SoftGateKeeperDevice.cpp b/gatekeeper/SoftGateKeeperDevice.cpp
deleted file mode 100644
index 5212680..0000000
--- a/gatekeeper/SoftGateKeeperDevice.cpp
+++ /dev/null
@@ -1,116 +0,0 @@
-/*
- * Copyright (C) 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-#include "SoftGateKeeper.h"
-#include "SoftGateKeeperDevice.h"
-
-namespace cuttlefish {
-
-int SoftGateKeeperDevice::enroll(uint32_t uid,
-            const uint8_t *current_password_handle, uint32_t current_password_handle_length,
-            const uint8_t *current_password, uint32_t current_password_length,
-            const uint8_t *desired_password, uint32_t desired_password_length,
-            uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
-
-    if (enrolled_password_handle == NULL || enrolled_password_handle_length == NULL ||
-            desired_password == NULL || desired_password_length == 0)
-        return -EINVAL;
-
-    // Current password and current password handle go together
-    if (current_password_handle == NULL || current_password_handle_length == 0 ||
-            current_password == NULL || current_password_length == 0) {
-        current_password_handle = NULL;
-        current_password_handle_length = 0;
-        current_password = NULL;
-        current_password_length = 0;
-    }
-
-    SizedBuffer desired_password_buffer(desired_password_length);
-    memcpy(desired_password_buffer.buffer.get(), desired_password, desired_password_length);
-
-    SizedBuffer current_password_handle_buffer(current_password_handle_length);
-    if (current_password_handle) {
-        memcpy(current_password_handle_buffer.buffer.get(), current_password_handle,
-                current_password_handle_length);
-    }
-
-    SizedBuffer current_password_buffer(current_password_length);
-    if (current_password) {
-        memcpy(current_password_buffer.buffer.get(), current_password, current_password_length);
-    }
-
-    EnrollRequest request(uid, &current_password_handle_buffer, &desired_password_buffer,
-            &current_password_buffer);
-    EnrollResponse response;
-
-    impl_->Enroll(request, &response);
-
-    if (response.error == ERROR_RETRY) {
-        return response.retry_timeout;
-    } else if (response.error != ERROR_NONE) {
-        return -EINVAL;
-    }
-
-    *enrolled_password_handle = response.enrolled_password_handle.buffer.release();
-    gatekeeper::password_handle_t *handle =
-                    reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
-    //FIXIT: We need to move this module to host with gatekeeper pipe
-    handle->hardware_backed = true;
-
-    *enrolled_password_handle_length = response.enrolled_password_handle.length;
-    return 0;
-}
-
-int SoftGateKeeperDevice::verify(uint32_t uid,
-        uint64_t challenge, const uint8_t *enrolled_password_handle,
-        uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
-        uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
-        bool *request_reenroll) {
-
-    if (enrolled_password_handle == NULL ||
-            provided_password == NULL) {
-        return -EINVAL;
-    }
-
-    SizedBuffer password_handle_buffer(enrolled_password_handle_length);
-    memcpy(password_handle_buffer.buffer.get(), enrolled_password_handle,
-            enrolled_password_handle_length);
-    SizedBuffer provided_password_buffer(provided_password_length);
-    memcpy(provided_password_buffer.buffer.get(), provided_password, provided_password_length);
-
-    VerifyRequest request(uid, challenge, &password_handle_buffer, &provided_password_buffer);
-    VerifyResponse response;
-
-    impl_->Verify(request, &response);
-
-    if (response.error == ERROR_RETRY) {
-        return response.retry_timeout;
-    } else if (response.error != ERROR_NONE) {
-        return -EINVAL;
-    }
-
-    if (auth_token != NULL && auth_token_length != NULL) {
-       *auth_token = response.auth_token.buffer.release();
-       *auth_token_length = response.auth_token.length;
-    }
-
-    if (request_reenroll != NULL) {
-        *request_reenroll = response.request_reenroll;
-    }
-
-    return 0;
-}
-
-} // namespace cuttlefish
diff --git a/gatekeeper/SoftGateKeeperDevice.h b/gatekeeper/SoftGateKeeperDevice.h
deleted file mode 100644
index 14ad548..0000000
--- a/gatekeeper/SoftGateKeeperDevice.h
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * Copyright 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef SOFT_GATEKEEPER_DEVICE_H_
-#define SOFT_GATEKEEPER_DEVICE_H_
-
-#include "SoftGateKeeper.h"
-
-#include <memory>
-
-using namespace gatekeeper;
-
-namespace cuttlefish {
-
-/**
- * Software based GateKeeper implementation
- */
-class SoftGateKeeperDevice {
-public:
-    SoftGateKeeperDevice() {
-        impl_.reset(new SoftGateKeeper());
-    }
-
-   // Wrappers to translate the gatekeeper HAL API to the Kegyuard Messages API.
-
-    /**
-     * Enrolls password_payload, which should be derived from a user selected pin or password,
-     * with the authentication factor private key used only for enrolling authentication
-     * factor data.
-     *
-     * Returns: 0 on success or an error code less than 0 on error.
-     * On error, enrolled_password_handle will not be allocated.
-     */
-    int enroll(uint32_t uid,
-            const uint8_t *current_password_handle, uint32_t current_password_handle_length,
-            const uint8_t *current_password, uint32_t current_password_length,
-            const uint8_t *desired_password, uint32_t desired_password_length,
-            uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length);
-
-    /**
-     * Verifies provided_password matches enrolled_password_handle.
-     *
-     * Implementations of this module may retain the result of this call
-     * to attest to the recency of authentication.
-     *
-     * On success, writes the address of a verification token to auth_token,
-     * usable to attest password verification to other trusted services. Clients
-     * may pass NULL for this value.
-     *
-     * Returns: 0 on success or an error code less than 0 on error
-     * On error, verification token will not be allocated
-     */
-    int verify(uint32_t uid, uint64_t challenge,
-            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
-            const uint8_t *provided_password, uint32_t provided_password_length,
-            uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll);
-private:
-    std::unique_ptr<SoftGateKeeper> impl_;
-};
-
-} // namespace gatekeeper
-
-#endif //SOFT_GATEKEEPER_DEVICE_H_
diff --git a/gatekeeper/module.cpp b/gatekeeper/module.cpp
deleted file mode 100644
index c37d543..0000000
--- a/gatekeeper/module.cpp
+++ /dev/null
@@ -1,127 +0,0 @@
-/*
- * Copyright (C) 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *      http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <hardware/hardware.h>
-#include <hardware/gatekeeper.h>
-#define LOG_TAG "CuttlefishGatekeeper"
-#include <log/log.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include "SoftGateKeeper.h"
-#include "SoftGateKeeperDevice.h"
-
-using cuttlefish::SoftGateKeeperDevice;
-
-struct cuttlefish_gatekeeper_device {
-    gatekeeper_device device;
-    SoftGateKeeperDevice *s_gatekeeper;
-};
-
-static cuttlefish_gatekeeper_device s_device;
-
-static int enroll(const struct gatekeeper_device *dev __unused, uint32_t uid,
-            const uint8_t *current_password_handle, uint32_t current_password_handle_length,
-            const uint8_t *current_password, uint32_t current_password_length,
-            const uint8_t *desired_password, uint32_t desired_password_length,
-            uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
-
-    SoftGateKeeperDevice *s_gatekeeper = ((cuttlefish_gatekeeper_device*)(dev))->s_gatekeeper;
-    ALOGE("called %s with gate keeper %p device %p\n", __func__, s_gatekeeper, dev);
-    if (s_gatekeeper == nullptr)  {
-        abort();
-        return -EINVAL;
-    }
-
-    return s_gatekeeper->enroll(uid,
-            current_password_handle, current_password_handle_length,
-            current_password, current_password_length,
-            desired_password, desired_password_length,
-            enrolled_password_handle, enrolled_password_handle_length);
-}
-
-static int verify(const struct gatekeeper_device *dev __unused, uint32_t uid, uint64_t challenge,
-            const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
-            const uint8_t *provided_password, uint32_t provided_password_length,
-            uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
-    SoftGateKeeperDevice *s_gatekeeper = ((cuttlefish_gatekeeper_device*)(dev))->s_gatekeeper;
-    ALOGE("called %s with gate keeper %p device %p\n", __func__, s_gatekeeper, dev);
-    if (s_gatekeeper == nullptr) return -EINVAL;
-    return s_gatekeeper->verify(uid, challenge,
-            enrolled_password_handle, enrolled_password_handle_length,
-            provided_password, provided_password_length,
-            auth_token, auth_token_length, request_reenroll);
-}
-
-static int close_device(hw_device_t* dev __unused) {
-    SoftGateKeeperDevice *s_gatekeeper = ((cuttlefish_gatekeeper_device*)(dev))->s_gatekeeper;
-    if (s_gatekeeper == nullptr) return 0;
-    delete s_gatekeeper;
-    s_gatekeeper = nullptr;
-    ALOGE("called %s with gate keeper %p device %p\n", __func__, s_gatekeeper, dev);
-    return 0;
-}
-
-static int cuttlefish_gatekeeper_open(const hw_module_t *module, const char *name,
-        hw_device_t **device) {
-
-    if (strcmp(name, HARDWARE_GATEKEEPER) != 0) {
-        abort();
-        return -EINVAL;
-    }
-
-    memset(&s_device, 0, sizeof(s_device));
-
-    SoftGateKeeperDevice *s_gatekeeper = new SoftGateKeeperDevice();
-    if (s_gatekeeper == nullptr) return -ENOMEM;
-
-    s_device.s_gatekeeper = s_gatekeeper;
-
-    s_device.device.common.tag = HARDWARE_DEVICE_TAG;
-    s_device.device.common.version = 1;
-    s_device.device.common.module = const_cast<hw_module_t *>(module);
-    s_device.device.common.close = close_device;
-
-    s_device.device.enroll = enroll;
-    s_device.device.verify = verify;
-    s_device.device.delete_user = nullptr;
-    s_device.device.delete_all_users = nullptr;
-
-    *device = &s_device.device.common;
-    ALOGE("called %s with gate keeper %p device %p\n", __func__, s_gatekeeper, *device);
-
-    return 0;
-}
-
-static struct hw_module_methods_t gatekeeper_module_methods = {
-    .open = cuttlefish_gatekeeper_open,
-};
-
-struct gatekeeper_module HAL_MODULE_INFO_SYM __attribute__((visibility("default"))) = {
-    .common = {
-        .tag = HARDWARE_MODULE_TAG,
-        .module_api_version = GATEKEEPER_MODULE_API_VERSION_0_1,
-        .hal_api_version = HARDWARE_HAL_API_VERSION,
-        .id = GATEKEEPER_HARDWARE_MODULE_ID,
-        .name = "Cuttlefish GateKeeper HAL",
-        .author = "The Android Open Source Project",
-        .methods = &gatekeeper_module_methods,
-        .dso = 0,
-        .reserved = {}
-    },
-};
diff --git a/manifest.xml b/manifest.xml
index 9580fe0..37ea938 100644
--- a/manifest.xml
+++ b/manifest.xml
@@ -94,15 +94,6 @@
         </interface>
     </hal>
     <hal format="hidl">
-        <name>android.hardware.gatekeeper</name>
-        <transport>hwbinder</transport>
-        <version>1.0</version>
-        <interface>
-            <name>IGatekeeper</name>
-            <instance>default</instance>
-        </interface>
-    </hal>
-    <hal format="hidl">
         <name>android.hardware.media.omx</name>
         <transport>hwbinder</transport>
         <version>1.0</version>
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 7005278..d7d3dd8 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -6,6 +6,7 @@
 /sys/devices/platform/soc/ae00000.mdss		u:object_r:sysfs_mdss:s0
 
 /sys/devices/platform/soc/c440000.spmi/spmi-0/0-00/c440000.spmi:pmic@0:rtc@6000/rtc	u:object_r:sysfs_rtc:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.software			u:object_r:hal_gatekeeper_default_exec:s0
 
 /(vendor|system/vendor)/lib(64)?/hw/gralloc\.gbm\.so	u:object_r:same_process_hal_file:s0
 /(vendor|system/vendor)/lib(64)?/libglapi\.so		u:object_r:same_process_hal_file:s0