Update SecureElement Sepolicy

Add rules for sysfs_st33spi
Separate hal_secure_element_st54spi and st33spi form default

Bug: 193417907
Test: VtsHalSecureElementV1_2TargetTest,
      VtsHalSecureElementV1_1TargetTest,
      VtsHalSecureElementV1_0TargetTest,
      CtsOmapiTestCases
Change-Id: I444af2e38fc120d173445bce48b7e4d381201a91

whitechapel/vendor/google/device.te

@@ -54,3 +54,7 @@ type battery_history_device, dev_type;
 # Raw HID device
 type hidraw_device, dev_type;
 
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+

whitechapel/vendor/google/euiccpixel_app.te

@@ -14,8 +14,11 @@ set_prop(euiccpixel_app, vendor_modem_prop)
 userdebug_or_eng(`
     net_domain(euiccpixel_app)
 
-    # Access to directly upgrade firmware on secure_element used for engineering devices
-    typeattribute secure_element_device mlstrustedobject;
-    allow euiccpixel_app secure_element_device:chr_file rw_file_perms;
+    # Access to directly upgrade firmware on st54spi_device used for engineering devices
+    typeattribute st54spi_device mlstrustedobject;
+    allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+    # Access to directly upgrade firmware on st33spi_device used for engineering devices
+    typeattribute st33spi_device mlstrustedobject;
+    allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
 ')
 

whitechapel/vendor/google/fastbootd.te

@@ -1,6 +1,6 @@
 # Required by the bootcontrol HAL for the 'set_active' command.
 recovery_only(`
-allow fastbootd secure_element_device:chr_file rw_file_perms;
+allow fastbootd st54spi_device:chr_file rw_file_perms;
 allow fastbootd devinfo_block_device:blk_file rw_file_perms;
 allow fastbootd sda_block_device:blk_file rw_file_perms;
 allow fastbootd sysfs_ota:file rw_file_perms;

whitechapel/vendor/google/file.te

@@ -202,3 +202,6 @@ type sysfs_sjtag, fs_type, sysfs_type;
 userdebug_or_eng(`
     typeattribute sysfs_sjtag mlstrustedobject;
 ')
+
+# SecureElement
+type sysfs_st33spi, sysfs_type, fs_type;

whitechapel/vendor/google/file_contexts

@@ -287,13 +287,11 @@
 /data/nfc(/.*)?                                                                       u:object_r:nfc_data_file:s0
 
 # SecureElement
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st     u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto     u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2     u:object_r:hal_secure_element_default_exec:s0
-/dev/st54j_se                                                                         u:object_r:secure_element_device:s0
-/dev/st54spi                                                                          u:object_r:secure_element_device:s0
-/dev/st33spi                                                                          u:object_r:secure_element_device:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto     u:object_r:hal_secure_element_st54spi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2    u:object_r:hal_secure_element_st33spi_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service    u:object_r:hal_secure_element_default_exec:s0
+/dev/st54spi                                                                          u:object_r:st54spi_device:s0
+/dev/st33spi                                                                          u:object_r:st33spi_device:s0
 
 # Bluetooth
 /dev/wbrc                           u:object_r:wb_coexistence_dev:s0

whitechapel/vendor/google/genfs_contexts

@@ -320,3 +320,7 @@ genfscon sysfs /devices/platform/google,usbc_port_cooling_dev/trip_time
 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/i2c-max77759tcpc/extcon   u:object_r:sysfs_extcon:s0
 genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/i2c-max77759tcpc/extcon   u:object_r:sysfs_extcon:s0
 
+# SecureElement
+genfscon sysfs /devices/platform/10950000.spi/spi_master/spi6/spi6.0/st33spi    u:object_r:sysfs_st33spi:s0
+genfscon sysfs /devices/platform/175c0000.spi/spi_master/spi15/spi15.0/st33spi  u:object_r:sysfs_st33spi:s0
+

whitechapel/vendor/google/hal_secure_element_default.te

@@ -1,7 +1,5 @@
 allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
 set_prop(hal_secure_element_default, vendor_secure_element_prop)
-set_prop(hal_secure_element_default, vendor_nfc_prop)
 set_prop(hal_secure_element_default, vendor_modem_prop)
 
 # Allow hal_secure_element_default to access rild

whitechapel/vendor/google/hal_secure_element_st33spi.te

@@ -0,0 +1,8 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st33spi, vendor_secure_element_prop)
+
+init_daemon_domain(hal_secure_element_st33spi)

whitechapel/vendor/google/hal_secure_element_st54spi.te

@@ -0,0 +1,9 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+set_prop(hal_secure_element_st54spi, vendor_nfc_prop)
+set_prop(hal_secure_element_st54spi, vendor_modem_prop)
+init_daemon_domain(hal_secure_element_st54spi)

whitechapel/vendor/google/ofl_app.te

@@ -11,7 +11,10 @@ userdebug_or_eng(`
   allow ofl_app radio_service:service_manager find;
   allow ofl_app surfaceflinger_service:service_manager find;
 
-  # Access to directly update firmware on secure_element
-  typeattribute secure_element_device mlstrustedobject;
-  allow ofl_app secure_element_device:chr_file rw_file_perms;
+  # Access to directly update firmware on st54spi_device
+  typeattribute st54spi_device mlstrustedobject;
+  allow ofl_app st54spi_device:chr_file rw_file_perms;
+  # Access to directly update firmware on st33spi_device
+  typeattribute st33spi_device mlstrustedobject;
+  allow ofl_app st33spi_device:chr_file rw_file_perms;
 ')

whitechapel/vendor/google/recovery.te

@@ -1,4 +1,4 @@
 recovery_only(`
   allow recovery sysfs_ota:file rw_file_perms;
-  allow recovery secure_element_device:chr_file rw_file_perms;
+  allow recovery st54spi_device:chr_file rw_file_perms;
 ')

whitechapel/vendor/google/vendor_init.te

@@ -18,6 +18,7 @@ allow vendor_init proc_dirty:file w_file_perms;
 allow vendor_init proc_sched:file write;
 allow vendor_init bootdevice_sysdev:file create_file_perms;
 allow vendor_init block_device:lnk_file setattr;
+allow vendor_init sysfs_st33spi:file w_file_perms;
 
 userdebug_or_eng(`
   set_prop(vendor_init, logpersistd_logging_prop)