From cf2d68668f63b06250b9d240e4d943089774e07c Mon Sep 17 00:00:00 2001 
From: George Chang
Date: Wed, 28 Aug 2024 02:46:48 +0000
Subject: [PATCH 1/2] gs-common: nfc: st54spi: Add rules for hal_secure_element_st54spi_aidl sepolicy for android.hardware.secure_element-service.thales
08-26 12:49:43.959 343 343 E SELinux : avc: denied { add } for pid=706 uid=1068 name=android.hardware.secure_element.ISecureElement/eSE1 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:hal_secure_element_service:s0 tclass=service_manager permissive=1
08-26 12:49:43.936 706 706 I android.hardwar: type=1400 audit(0.0:9): avc: denied { call } for scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
08-26 12:49:43.936 706 706 I android.hardwar: type=1400 audit(0.0:10): avc: denied { transfer } for scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1
08-26 12:49:59.904 1 1 I /system/bin/init: type=1107 audit(0.0:139): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.se.reset pid=706 uid=1068 gid=1068 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=1'
08-26 12:50:12.124 706 706 I android.hardwar: type=1400 audit(0.0:461): avc: denied { read write } for name="st54spi" dev="tmpfs" ino=1552 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1
08-26 12:50:12.124 706 706 I android.hardwar: type=1400 audit(0.0:462): avc: denied { open } for path="/dev/st54spi" dev="tmpfs" ino=1552 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1
08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:959): avc: denied { read write } for name="st21nfc" dev="tmpfs" ino=1550 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 08-26 
16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:960): avc: denied { open } for path="/dev/st21nfc" dev="tmpfs" ino=1550 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1
08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:961): avc: denied { ioctl } for path="/dev/st21nfc" dev="tmpfs" ino=1550 ioctlcmd=0xea05 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1
Flag: EXEMPT NDK
Bug: 361093024
Test: manual
Change-Id: I1f3aebc9894de9f3410f2031e2b99e07d4060fa5
---
nfc/sepolicy_st54spi/file.te | 3 +++
nfc/sepolicy_st54spi/file_contexts | 3 +++
nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te | 9 +++++++++
nfc/sepolicy_st54spi/property.te | 3 +++
nfc/sepolicy_st54spi/property_contexts | 2 ++
nfc/sepolicy_st54spi/vendor_init.te | 2 ++
nfc/st54spi.mk | 3 +++
7 files changed, 25 insertions(+)
create mode 100644 nfc/sepolicy_st54spi/file.te
create mode 100644 nfc/sepolicy_st54spi/file_contexts
create mode 100644 nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
create mode 100644 nfc/sepolicy_st54spi/property.te
create mode 100644 nfc/sepolicy_st54spi/property_contexts
create mode 100644 nfc/sepolicy_st54spi/vendor_init.te
create mode 100644 nfc/st54spi.mk
diff --git a/nfc/sepolicy_st54spi/file.te b/nfc/sepolicy_st54spi/file.te
new file mode 100644
index 0000000..5f9a80d
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file.te
@@ -0,0 +1,3 @@
+# SecureElement SPI device
+type st54spi_device, dev_type;
+
diff --git a/nfc/sepolicy_st54spi/file_contexts b/nfc/sepolicy_st54spi/file_contexts
new file mode 100644
index 0000000..f2762f3
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file_contexts
@@ -0,0 +1,3 @@
+/dev/st54spi u:object_r:st54spi_device:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+
diff --git a/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
new file mode 100644
index 0000000..f2051e0
--- /dev/null
+++ b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
@@ -0,0 +1,9 @@
+# sepolicy for ST54L secure element
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
+
diff --git a/nfc/sepolicy_st54spi/property.te b/nfc/sepolicy_st54spi/property.te
new file mode 100644
index 0000000..1ac5526
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property.te
@@ -0,0 +1,3 @@
+# SecureElement vendor property
+vendor_internal_prop(vendor_secure_element_prop)
+
diff --git a/nfc/sepolicy_st54spi/property_contexts b/nfc/sepolicy_st54spi/property_contexts
new file mode 100644
index 0000000..2067a86
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property_contexts
@@ -0,0 +1,2 @@
+# SecureElement vendor property
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
diff --git a/nfc/sepolicy_st54spi/vendor_init.te b/nfc/sepolicy_st54spi/vendor_init.te
new file mode 100644
index 0000000..91e5cdb
--- /dev/null
+++ b/nfc/sepolicy_st54spi/vendor_init.te
@@ -0,0 +1,2 @@
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
diff --git a/nfc/st54spi.mk b/nfc/st54spi.mk
new file mode 100644
index 0000000..046de87
--- /dev/null
+++ b/nfc/st54spi.mk
@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi
+PRODUCT_PACKAGES += android.hardware.secure_element-service.thales
+
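Review bot: `allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;` grants the secure-element HAL the full ioctl surface of the NFC controller node, while the denial quoted in the commit message shows a single ioctl (0xea05) on /dev/st21nfc. Android sepolicy normally pairs a device-node ioctl grant with an allowxperm whitelist, e.g. `allowxperm hal_secure_element_st54spi_aidl nfc_device:chr_file ioctl { 0xea05 };`, and the same question applies to the `st54spi_device` grant on the line above if that driver exposes ioctls. The file also never says why an SE HAL opens the NFC device at all; a comment above that allow stating what /dev/st21nfc is used for (presumably eSE power/reset control on the ST54 combo part, which is inferred rather than shown by the hunk and worth confirming against the driver) would document that cross-HAL coupling for the next reader.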
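Review bot: st54spi.mk has no header comment, so a reader does not learn that the `BOARD_VENDOR_SEPOLICY_DIRS` and `PRODUCT_PACKAGES` lines are a matched pair: the sepolicy directory labels `/vendor/bin/hw/android.hardware.secure_element-service.thales` and the package line installs that same binary, and dropping either one leaves the HAL installed without its exec label or labeled but absent. A short comment such as `# ST54 SPI secure element: Thales SE HAL plus the sepolicy that labels it` followed by `# (keep in sync with sepolicy_st54spi/file_contexts)` would make that dependency explicit.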
From 0f4a0bb8a2ef14874c4502720b3102548258b161 Mon Sep 17 00:00:00 2001
From: Randall Huang
Date: Thu, 29 Aug 2024 15:24:47 +0800
Subject: [PATCH 2/2] Storage: add selinux for ufs firmware upgrade event
avc: denied { execute_no_trans } for comm="ufs_firmware_up" path="/vendor/bin/toybox_vendor" dev="dm-11" ino=380 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:vendor_toolbox_exec:s0 tclass=file permissive=1
avc: denied { read } for comm="cat" name="vendor" dev="sysfs" ino=63193 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1
avc: denied { open } for comm="cat" path="/sys/devices/platform/13200000.ufs/vendor" dev="sysfs" ino=63193 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:sysfs_scsi_devices_0000:s0 tclass=file permissive=1
avc: denied { search } for comm="dd" name="block" dev="tmpfs" ino=12 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:block_device:s0 tclass=dir permissive=1
avc: denied { write } for comm="dd" name="sda12" dev="tmpfs" ino=1139 scontext=u:r:ufs_firmware_update:s0 tcontext=u:object_r:ufs_internal_block_device:s0 tclass=blk_file permissive=1
Bug: 361093041
Test: NA
Change-Id: I54445d4543a733baae85cd408b433033dd93ec6b
Signed-off-by: Randall Huang
---
storage/sepolicy/ufs_firmware_update.te | 9 +++++++++
1 file changed, 9 insertions(+)
create mode 100644 storage/sepolicy/ufs_firmware_update.te
diff --git a/storage/sepolicy/ufs_firmware_update.te b/storage/sepolicy/ufs_firmware_update.te
new file mode 100644
index 0000000..1b92976
--- /dev/null
+++ b/storage/sepolicy/ufs_firmware_update.te
@@ -0,0 +1,9 @@
+# support ufs ffu via ota
+init_daemon_domain(ufs_firmware_update)
+
+# support ufs ffu via ota
+allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
+allow ufs_firmware_update block_device:dir { search };
+allow ufs_firmware_update ufs_internal_block_device:blk_file rw_file_perms;
+allow ufs_firmware_update sysfs_scsi_devices_0000:file r_file_perms;
+
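Review bot: `init_daemon_domain(ufs_firmware_update)` is invoked but this new file declares neither `type ufs_firmware_update, domain;` nor its `_exec` type, so both must live in another policy file (the denials in the commit message show the domain already exists); a comment such as `# ufs_firmware_update and its exec type are declared in <PATH TO DEVICE SEPOLICY>` would keep the two files from drifting apart. The second `# support ufs ffu via ota` comment merely repeats the first instead of explaining the grants beneath it; something like `# ffu script runs vendor toybox: cat reads the UFS vendor attribute from sysfs, dd writes the image to the internal UFS block device` matches the quoted denials (comm="cat" on /sys/devices/platform/13200000.ufs/vendor, comm="dd" on sda12). Finally, `rw_file_perms` on `ufs_internal_block_device:blk_file` is wider than the single `write` denial that motivated it, since it also grants read, append and unrestricted ioctl on the raw internal UFS device; if `dd` only needs to write, `w_file_perms` plus, should an ioctl turn out to be required, an `allowxperm` whitelist would keep this firmware-writing domain at least privilege.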