# SELinux policy rules for the hal_face_default domain (face authentication HAL).
# Each group below grants one capability: airbrush and camera IPC, TEE and
# faceauth device access, keymaster/citadel verification, data directories,
# debug image export (debuggable builds only), properties, stats, firmware
# selection through sysfs, and thermal.
#
# Allow the face HAL to find the airbrush hwservice and to exchange binder
# calls with the airbrush domain in both directions.
allow hal_face_default hal_airbrush_hwservice:hwservice_manager find;
binder_call(hal_face_default, airbrush)
binder_call(airbrush, hal_face_default)
# Graphics buffers: find the graphics mapper hwservice, act as a client of the
# graphics allocator HAL, and call into its default implementation.
allow hal_face_default hal_graphics_mapper_hwservice:hwservice_manager find;
hal_client_domain(hal_face_default, hal_graphics_allocator)
binder_call(hal_face_default, hal_graphics_allocator_default)
# Grant TEE access to the face HAL: read/write on the TEE and faceauth
# character devices, plus ioctl on the vndbinder device node.
# NOTE(review): a chr_file rule cannot express which trusted application or
# command is reached through tee_device; that limit has to be enforced on the
# TEE side. The ioctl grant is not narrowed with an ioctl allowlist in this
# file; confirm whether one is defined elsewhere.
allow hal_face_default tee_device:chr_file rw_file_perms;
allow hal_face_default faceauth_device:chr_file rw_file_perms;
allow hal_face_default vndbinder_device:chr_file ioctl;
# Allow the face HAL to talk to the process serving ITokenManager (libmediandk).
allow hal_face_default hidl_token_hwservice:hwservice_manager find;
# Allow the face HAL to talk to cameraserver: find the framework camera
# hwservice, allow binder calls in both directions, and use vndbinder.
allow hal_face_default fwk_camera_hwservice:hwservice_manager find;
binder_call(hal_face_default, camera_service_server)
binder_call(camera_service_server, hal_face_default)
vndbinder_use(hal_face_default)
# Look up the airbrush faceauth service (service_manager class).
# NOTE(review): presumably registered with the vendor service manager, given
# the vndbinder_use above; verify against the service_contexts entry.
allow hal_face_default airbrush_faceauth_service:service_manager find;
# Allow the face HAL to communicate with keymaster. This is required
# to verify authorization timestamps with citadel.
# The face HAL is only meant to use the verifyAuthorization API on keymaster.
# NOTE(review): this rule does not enforce that restriction. Binder
# permissions are granted per domain, not per method, so hal_client_domain
# makes the whole keymaster HAL interface reachable; the single-API limit has
# to be upheld by the face HAL code and by code review.
hal_client_domain(hal_face_default, hal_keymaster)
# Create subdirectories within the face vendor file directory.
allow hal_face_default face_vendor_data_file:dir create_dir_perms;
# Read-only access to persist camera files, plus directory search on
# persist_file and mnt_vendor_file (presumably the parent directories on the
# path to those files; verify against file_contexts).
r_dir_file(hal_face_default, persist_camera_file)
allow hal_face_default persist_file:dir search;
allow hal_face_default mnt_vendor_file:dir search;
# Use file descriptors handed over by system_app.
# NOTE(review): the purpose of this grant is not stated anywhere in this file;
# confirm which system app passes descriptors to the face HAL and what they
# refer to.
allow hal_face_default system_app:fd use;
# Grant incidentd and FaceDebugService access to the face HAL debug images.
# The HAL may use descriptors from, and write into pipes owned by, incidentd
# and face_debug. The rules are wrapped in userdebug_or_eng so they apply only
# to debuggable builds; face images are biometric data and this export path
# must stay out of user builds.
userdebug_or_eng(`
allow hal_face_default incidentd:fd use;
allow hal_face_default incidentd:fifo_file write;
allow hal_face_default face_debug:fd use;
allow hal_face_default face_debug:fifo_file write;
')
# Read camera and vendor faceauth properties, and use hwbinder.
# NOTE(review): the trailing semicolon after the hwbinder_use call is not
# needed; every other macro call in this file omits it.
get_prop(hal_face_default, camera_prop)
get_prop(hal_face_default, vendor_faceauth_prop)
hwbinder_use(hal_face_default);
# Allow the face HAL to communicate with IStats.
allow hal_face_default fwk_stats_hwservice:hwservice_manager find;
binder_call(hal_face_default, stats_service_server)
# Allow writing new camera calibrations.
# NOTE(review): these two rules name hal_face, while every other rule in this
# file names hal_face_default. If hal_face is the HAL attribute, the write and
# create access extends to every domain carrying that attribute. Confirm that
# is intended, or narrow the source to hal_face_default.
allow hal_face camera_calibration_vendor_data_file:dir rw_dir_perms;
allow hal_face camera_calibration_vendor_data_file:file create_file_perms;
# Allow the face HAL to discover pil sysfs nodes for faceauth firmware loading.
allow hal_face_default sysfs_faceauth:dir r_dir_perms;
# Allow the face HAL to select firmware version by writing to a file here.
# Write-only: no read permission on sysfs_faceauth files is granted in this file.
allow hal_face_default sysfs_faceauth:file w_file_perms;
# Allow the face HAL to communicate with the thermal HAL.
hal_client_domain(hal_face_default, hal_thermal)
# Allow the face HAL to talk to citadeld to verify the firmware version:
# find the citadeld service and make binder calls to the citadeld domain.
allow hal_face_default citadeld_service:service_manager find;
binder_call(hal_face_default, citadeld)