From dfe9a2d4b5cdabc0cb049bd34862f08399806938 Mon Sep 17 00:00:00 2001 
From: George Chang Date: Mon, 6 Jan 2025 13:02:09 +0000 Subject: [PATCH] gs-common: nfc: Add rules for hal_nfc_service avc: denied { set } for property=persist.vendor.nfc.antenna.am_value pid=13816 uid=1027 gid=1027 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0 avc: denied { set } for property=persist.vendor.nfc.antenna.i_value pid=13816 uid=1027 gid=1027 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0 avc: denied { set } for property=persist.vendor.nfc.antenna.se1_value pid=13816 uid=1027 gid=1027 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0 avc: denied { set } for property=persist.vendor.nfc.antenna.se2_value pid=13816 uid=1027 gid=1027 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:vendor_default_prop:s0 tclass=property_service permissive=0 avc: denied { set } for property=persist.vendor.se.reset pid=14792 uid=1027 gid=1027 scontext=u:r:hal_nfc_default:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=property_service permissive=0 avc: denied { read } for name="u:object_r:vendor_nfc_antenna_prop:s0" dev="tmpfs" ino=414 scontext=u:r:untrusted_app:s0:c79,c257,c512,c768 tcontext=u:object_r:vendor_nfc_antenna_prop:s0 tclass=file permissive=0 app=com.google.android.apps.internal.nfcassistancetool Bug: 381405365 Flag: EXEMPT update sepolicy Test: manual Change-Id: Ib02cebc625965928286dba7be278f6998ecdabe4 --- nfc/sepolicy_st21nfc/hal_nfc_default.te | 4 ++++ nfc/sepolicy_st21nfc/property.te | 4 ++++ nfc/sepolicy_st21nfc/property_contexts | 4 ++++ nfc/sepolicy_st21nfc/untrusted_app.te | 5 +++++ 4 files changed, 17 insertions(+) create mode 100644 nfc/sepolicy_st21nfc/hal_nfc_default.te create mode 100644 nfc/sepolicy_st21nfc/property.te create mode 100644 nfc/sepolicy_st21nfc/property_contexts create mode 100644 nfc/sepolicy_st21nfc/untrusted_app.te 
diff --git a/nfc/sepolicy_st21nfc/hal_nfc_default.te b/nfc/sepolicy_st21nfc/hal_nfc_default.te
new file mode 100644
index 0000000..051b64d
--- /dev/null
+++ b/nfc/sepolicy_st21nfc/hal_nfc_default.te
@@ -0,0 +1,4 @@
+# HAL NFC property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+set_prop(hal_nfc_default, vendor_nfc_prop)
+set_prop(hal_nfc_default, vendor_nfc_antenna_prop)
diff --git a/nfc/sepolicy_st21nfc/property.te b/nfc/sepolicy_st21nfc/property.te
new file mode 100644
index 0000000..02e5d54
--- /dev/null
+++ b/nfc/sepolicy_st21nfc/property.te
@@ -0,0 +1,4 @@
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
+vendor_restricted_prop(vendor_nfc_antenna_prop)
+
diff --git a/nfc/sepolicy_st21nfc/property_contexts b/nfc/sepolicy_st21nfc/property_contexts
new file mode 100644
index 0000000..0b22a27
--- /dev/null
+++ b/nfc/sepolicy_st21nfc/property_contexts
@@ -0,0 +1,4 @@
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+persist.vendor.nfc.antenna. u:object_r:vendor_nfc_antenna_prop:s0
+
diff --git a/nfc/sepolicy_st21nfc/untrusted_app.te b/nfc/sepolicy_st21nfc/untrusted_app.te
new file mode 100644
index 0000000..d9b30bc
--- /dev/null
+++ b/nfc/sepolicy_st21nfc/untrusted_app.te
@@ -0,0 +1,5 @@
+# NFC
+userdebug_or_eng(
+ get_prop(untrusted_app, vendor_nfc_antenna_prop)
+)
+
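Review bot: `set_prop(hal_nfc_default, vendor_secure_element_prop)` in hal_nfc_default.te lets the NFC HAL write every property carrying that label, while the denial quoted in the commit message covers only `persist.vendor.se.reset`. The type is declared outside this patch, so which other secure-element properties it labels cannot be seen from here; if there are any, a dedicated type for the reset property would keep the grant to what the HAL needs. No denial is quoted for `vendor_nfc_prop` either, so that rule appears to exist only because the new `persist.vendor.nfc.` prefix relabels the namespace. I would replace the header comment with something like `# NFC HAL sets antenna values and persist.vendor.se.reset (b/381405365)` so the reason for each grant is recorded.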
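Review bot: The `# NFC` comment in property.te does not record why the two types get different classes, and that choice is the access-control decision in this file. `vendor_restricted_prop` leaves `vendor_nfc_antenna_prop` readable by domains outside the vendor partition, which the `untrusted_app` rule later in this patch appears to rely on, whereas `vendor_internal_prop` keeps `vendor_nfc_prop` vendor-only. A comment such as `# antenna values are read by a non-vendor debug tool, hence restricted rather than internal` would stop a later change from widening or narrowing it by accident.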
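Review bot: The `persist.vendor.nfc.` entry in property_contexts is a prefix match, so every property under that namespace takes the `vendor_nfc_prop` label, not only the ones named in the quoted denials. Any domain other than `hal_nfc_default` that currently reads or sets a `persist.vendor.nfc.*` property (nothing in this patch shows whether one exists) would start being denied, because the new type is vendor-internal and only the HAL is granted `set`. If the set of properties is known, listing them individually with the `exact` match kind and a value type would also let init reject malformed values; otherwise a comment stating that the broad prefix is intentional would help.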
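Review bot: `get_prop(untrusted_app, vendor_nfc_antenna_prop)` in untrusted_app.te opens the antenna properties to every app running in the `untrusted_app` domain on userdebug and eng builds, although the denial in the commit message comes from a single package, `com.google.android.apps.internal.nfcassistancetool`. The `userdebug_or_eng` wrapper keeps the grant off user builds, which is the important containment, but the `# NFC` comment says nothing about it. I would write `# Debug builds only: NFC assistance tool reads antenna values (b/381405365)` so a later edit does not lift the rule out of the wrapper without noticing what it exposes.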