From 097157613ae21176aeff6da0f5da49843d328ff0 Mon Sep 17 00:00:00 2001 From: George Chang Date: Tue, 30 Nov 2021 19:47:27 +0800 Subject: [PATCH] Fix SELinux error coming from hal_secure_element_uicc 11-11 09:38:59.168 794 794 I secure_element@: type=1400 audit(0.0:102): avc: denied { call } for scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 19.632309] type=1400 audit(1636594739.168:103): avc: denied { transfer } for comm="secure_element@" scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 19.631474] type=1400 audit(1636594739.168:102): avc: denied { call } for comm="secure_element@" scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 11-11 09:38:59.168 794 794 I secure_element@: type=1400 audit(0.0:103): avc: denied { transfer } for scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:r:rild:s0 tclass=binder permissive=1 [ 19.633481] type=1400 audit(1636594739.172:104): avc: denied { call } for comm="rild_exynos" scontext=u:r:rild:s0 tcontext=u:r:hal_secure_element_uicc:s0 tclass=binder permissive=1 11-11 09:38:59.172 971 971 I rild_exynos: type=1400 audit(0.0:104): avc: denied { call } for scontext=u:r:rild:s0 tcontext=u:r:hal_secure_element_uicc:s0 tclass=binder permissive=1 Bug: 205904403 Test: check avc Change-Id: I9186714d81e21ba8920aaa900a92f542e98ceddb --- tracking_denials/hal_secure_element_uicc.te | 3 --- tracking_denials/rild.te | 1 - whitechapel_pro/hal_secure_element_uicc.te | 4 ++++ whitechapel_pro/rild.te | 1 + 4 files changed, 5 insertions(+), 4 deletions(-) delete mode 100644 tracking_denials/hal_secure_element_uicc.te
diff --git a/tracking_denials/hal_secure_element_uicc.te b/tracking_denials/hal_secure_element_uicc.te
deleted file mode 100644
index 10323849..00000000
--- a/tracking_denials/hal_secure_element_uicc.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/205904403
-dontaudit hal_secure_element_uicc rild:binder { call };
-dontaudit hal_secure_element_uicc rild:binder { transfer };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
index 312cca32..cb423e91 100644
--- a/tracking_denials/rild.te
+++ b/tracking_denials/rild.te
@@ -5,6 +5,5 @@ dontaudit rild vendor_persist_config_default_prop:file { map };
 dontaudit rild vendor_persist_config_default_prop:file { open };
 dontaudit rild vendor_persist_config_default_prop:file { read };
 # b/205904441
-dontaudit rild hal_secure_element_uicc:binder { call };
 dontaudit rild vendor_ims_app:binder { call };
 dontaudit rild vendor_rcs_app:binder { call };
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
index bcc4fac0..c91ae3bb 100644
--- a/whitechapel_pro/hal_secure_element_uicc.te
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -4,4 +4,8 @@ type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
 hal_server_domain(hal_secure_element_uicc, hal_secure_element)
 init_daemon_domain(hal_secure_element_uicc)
+# Allow hal_secure_element_default to access rild
+binder_call(hal_secure_element_default, rild);
 allow hal_secure_element_uicc hal_exynos_rild_hwservice:hwservice_manager find;
+
+
diff --git a/whitechapel_pro/rild.te b/whitechapel_pro/rild.te
index c931a996..d30f4a91 100644
--- a/whitechapel_pro/rild.te
+++ b/whitechapel_pro/rild.te
@@ -19,6 +19,7 @@ binder_call(rild, gpsd)
 binder_call(rild, hal_audio_default)
 binder_call(rild, modem_svc_sit)
 binder_call(rild, oemrilservice_app)
+binder_call(rild, hal_secure_element_uicc)
 # for hal service
 add_hwservice(rild, hal_exynos_rild_hwservice)
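Review bot: The rule added in whitechapel_pro/hal_secure_element_uicc.te names `hal_secure_element_default`, but every denial quoted in the commit message has `scontext=u:r:hal_secure_element_uicc:s0`, and this file defines the `hal_secure_element_uicc` domain. As written, nothing in this hunk grants `hal_secure_element_uicc` the `call` permission on `rild:binder`, while the same commit removes the `dontaudit` lines that tracked that denial. It also gives the default secure-element HAL binder access to rild that nothing on the page shows it needs. The two lines should probably read `# Allow hal_secure_element_uicc to access rild` and `binder_call(hal_secure_element_uicc, rild)`. The trailing `;` after the macro call and the two blank lines appended at the end of the file could be dropped as well.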
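Review bot: In whitechapel_pro/rild.te the new `binder_call(rild, hal_secure_element_uicc)` is appended after `oemrilservice_app`, which breaks the alphabetical order the visible `binder_call` list otherwise follows; placing it after `binder_call(rild, hal_audio_default)` keeps the list easy to audit. A short comment such as `# rild calls into the UICC secure element HAL (b/205904403)` would record why rild needs this access. Note that the `dontaudit` removed from tracking_denials/rild.te sat under `# b/205904441`, so the bug reference should be confirmed. The rest of rild.te lies outside the hunk.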