From a4b253476ccfd1384bac25c8f2a4f2527b508cfc Mon Sep 17 00:00:00 2001
From: Grace Chen
Date: Sun, 28 Mar 2021 09:30:08 -0700
Subject: [PATCH] Add selinux permissions for NFC/eSIM fw upgrade
Bug: 183709811
Test: Confirm no selinux permissions errors.
Change-Id: Ibd98558a2446567d4beb1f6b88acafc05c3c1951
---
 tracking_denials/ofl_app.te | 3 +++
 whitechapel/vendor/google/ofl_app.te | 17 +++++++++++++++++
 whitechapel/vendor/google/seapp_contexts | 5 ++++-
 3 files changed, 24 insertions(+), 1 deletion(-)
 create mode 100644 tracking_denials/ofl_app.te
 create mode 100644 whitechapel/vendor/google/ofl_app.te
diff --git a/tracking_denials/ofl_app.te b/tracking_denials/ofl_app.te
new file mode 100644
index 00000000..525ebdad
--- /dev/null
+++ b/tracking_denials/ofl_app.te
@@ -0,0 +1,3 @@
+# b/184005231
+dontaudit ofl_app default_prop:file { read };
+
diff --git a/whitechapel/vendor/google/ofl_app.te b/whitechapel/vendor/google/ofl_app.te
new file mode 100644
index 00000000..e3f61408
--- /dev/null
+++ b/whitechapel/vendor/google/ofl_app.te
@@ -0,0 +1,17 @@
+# OFLBasicAgent app
+
+type ofl_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ofl_app)
+ net_domain(ofl_app)
+
+ allow ofl_app app_api_service:service_manager find;
+ allow ofl_app nfc_service:service_manager find;
+ allow ofl_app radio_service:service_manager find;
+ allow ofl_app surfaceflinger_service:service_manager find;
+
+ # Access to directly update firmware on secure_element
+ typeattribute secure_element_device mlstrustedobject;
+ allow ofl_app secure_element_device:chr_file rw_file_perms;
+')
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
index 43cd77a1..db3c3adc 100644
--- a/whitechapel/vendor/google/seapp_contexts
+++ b/whitechapel/vendor/google/seapp_contexts
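Review bot: In whitechapel/vendor/google/ofl_app.te, `typeattribute secure_element_device mlstrustedobject;` modifies the device type rather than the app domain, so the MLS exemption holds for every domain with an allow rule on secure_element_device, not just ofl_app. It is presumably there because the seapp_contexts entry in this patch runs the app with `levelFrom=user`, but that reasoning is not written down and the line is easy to overlook in an app's policy file. I would state it in the comment above, e.g. `# mlstrustedobject applies to the type for all domains; required for ofl_app's levelFrom=user categories`, or move the attribute to where secure_element_device is declared (outside this patch). The same block gives a `net_domain` app `rw_file_perms` on the secure element node, so a line on why direct device access is needed would help later audits; keeping it inside `userdebug_or_eng` is the right scope.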
@@ -42,4 +42,7 @@ user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymon
 user=radio isPrivApp=true seinfo=platform name=com.google.RilConfigService domain=ril_config_service_app type=app_data_file
 # CBRS setup app
-user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
\ No newline at end of file
+user=_app seinfo=platform name=com.google.googlecbrs domain=cbrs_setup_app type=app_data_file levelFrom=user
+
+# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade
+user=_app isPrivApp=true seinfo=platform name=com.thales.device.ofl.app.basicagent domain=ofl_app type=app_data_file levelFrom=user
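Review bot: The new seapp_contexts entry for com.thales.device.ofl.app.basicagent is not build-type conditional, while every rule for ofl_app in whitechapel/vendor/google/ofl_app.te sits inside `userdebug_or_eng`, so on a user build a matching package would be labelled ofl_app with no `app_domain` rules behind it. If the agent is meant to ship only on debug builds that is probably fine, but the comment should say so, for example `# Domain for OFLBasicAgentApp to support NFC/eSIM fw upgrade (policy rules are userdebug/eng only)`. The selector itself is appropriately narrow: `isPrivApp=true seinfo=platform` together with the exact package name ties the domain to a platform-signed privileged app rather than to the name alone.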