gs-common: nfc: st54spi: Add rules for hal_secure_element_st54spi_aidl

sepolicy for android.hardware.secure_element-service.thales 08-26 12:49:43.959 343 343 E SELinux : avc: denied { add } for pid=706 uid=1068 name=android.hardware.secure_element.ISecureElement/eSE1 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:hal_secure_element_service:s0 tclass=service_manager permissive=1 08-26 12:49:43.936 706 706 I android.hardwar: type=1400 audit(0.0:9): avc: denied { call } for scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 08-26 12:49:43.936 706 706 I android.hardwar: type=1400 audit(0.0:10): avc: denied { transfer } for scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:r:servicemanager:s0 tclass=binder permissive=1 08-26 12:49:59.904 1 1 I /system/bin/init: type=1107 audit(0.0:139): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.se.reset pid=706 uid=1068 gid=1068 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=1' 08-26 12:50:12.124 706 706 I android.hardwar: type=1400 audit(0.0:461): avc: denied { read write } for name="st54spi" dev="tmpfs" ino=1552 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1 08-26 12:50:12.124 706 706 I android.hardwar: type=1400 audit(0.0:462): avc: denied { open } for path="/dev/st54spi" dev="tmpfs" ino=1552 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:st54spi_device:s0 tclass=chr_file permissive=1 08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:959): avc: denied { read write } for name="st21nfc" dev="tmpfs" ino=1550 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:960): avc: denied { open } for path="/dev/st21nfc" dev="tmpfs" ino=1550 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 08-26 16:33:44.332 737 737 I android.hardwar: type=1400 audit(0.0:961): avc: denied { ioctl } for path="/dev/st21nfc" dev="tmpfs" ino=1550 ioctlcmd=0xea05 scontext=u:r:hal_secure_element_st54spi_aidl:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 Flag: EXEMPT NDK Bug: 361093024 Test: manual Change-Id: I1f3aebc9894de9f3410f2031e2b99e07d4060fa5
2024-08-28 02:46:48 +00:00 · 2024-08-28 02:46:48 +00:00 · cf2d68668f
commit cf2d68668f
parent 1ae1d53973
7 changed files with 25 additions and 0 deletions
--- a/nfc/sepolicy_st54spi/file.te
+++ b/nfc/sepolicy_st54spi/file.te
@ -0,0 +1,3 @@
+# SecureElement SPI device
+type st54spi_device, dev_type;
+
--- a/nfc/sepolicy_st54spi/file_contexts
+++ b/nfc/sepolicy_st54spi/file_contexts
@ -0,0 +1,3 @@
+/dev/st54spi                                                                u:object_r:st54spi_device:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales            u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+
--- a/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
+++ b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
@ -0,0 +1,9 @@
+# sepolicy for ST54L secure element
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
+
--- a/nfc/sepolicy_st54spi/property.te
+++ b/nfc/sepolicy_st54spi/property.te
@ -0,0 +1,3 @@
+# SecureElement vendor property
+vendor_internal_prop(vendor_secure_element_prop)
+
--- a/nfc/sepolicy_st54spi/property_contexts
+++ b/nfc/sepolicy_st54spi/property_contexts
@ -0,0 +1,2 @@
+# SecureElement vendor property
+persist.vendor.se.                         u:object_r:vendor_secure_element_prop:s0
--- a/nfc/sepolicy_st54spi/vendor_init.te
+++ b/nfc/sepolicy_st54spi/vendor_init.te
@ -0,0 +1,2 @@
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
--- a/nfc/st54spi.mk
+++ b/nfc/st54spi.mk
@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi
+PRODUCT_PACKAGES += android.hardware.secure_element-service.thales
+