diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te
deleted file mode 100644
index d264971b..00000000
--- a/tracking_denials/hal_secure_element_gto.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# b/205073164
-dontaudit hal_secure_element_gto vendor_secure_element_prop:property_service { set };
-# b/205656951
-dontaudit hal_secure_element_gto secure_element_device:chr_file { open };
-dontaudit hal_secure_element_gto secure_element_device:chr_file { read write };
-# b/205904452
-dontaudit hal_secure_element_gto init:unix_stream_socket { connectto };
-dontaudit hal_secure_element_gto property_socket:sock_file { write };
-# b/207062261
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { getattr };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { map };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { open };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_secure_element_gto_ese2.te b/tracking_denials/hal_secure_element_gto_ese2.te
deleted file mode 100644
index 3c17e5b3..00000000
--- a/tracking_denials/hal_secure_element_gto_ese2.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/205657039
-dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { open };
-dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { read write };
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 1f5e22ba..e6bb4fe0 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -17,3 +17,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index d18bc9dd..45e7974a 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -28,8 +28,8 @@
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
@@ -123,8 +123,8 @@
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /dev/sg1 u:object_r:sg_device:s0
 /dev/st21nfc u:object_r:nfc_device:s0
-/dev/st54spi u:object_r:secure_element_device:s0
-/dev/st33spi u:object_r:secure_element_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
diff --git a/whitechapel_pro/hal_secure_element_st33spi.te b/whitechapel_pro/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..cecc8fe8
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st33spi.te
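Review bot: In the first file_contexts hunk the two service paths keep their `-service-gto` and `-service-gto-ese2` names while their exec types are now named after an SPI node, so the binary-to-device pairing is only implied by the label. If the pairing were inverted, each HAL would start in a domain with no rule for the node it opens, and that would show up only as a runtime denial. Assuming the pairing shown is the intended one, a comment above the two entries would record it, for example `# -service-gto -> /dev/st54spi, -service-gto-ese2 -> /dev/st33spi`.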
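Review bot: After the second file_contexts hunk neither `/dev/st54spi` nor `/dev/st33spi` carries `secure_element_device`, so any rule that still grants access through the old type no longer reaches these nodes. The diff updates only the two HAL domains and `ofl_app`; any other consumer outside this diff would fail closed with fresh denials. Splitting the label per node is the tighter design, since each domain can now be confined to its own chip. It is still worth searching the device policy for leftover `secure_element_device` references before merging, because those rules would now be dead or would signal a missed consumer.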
@@ -0,0 +1,6 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st33spi)
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+
diff --git a/whitechapel_pro/hal_secure_element_st54spi.te b/whitechapel_pro/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..a3e74be3
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st54spi.te
@@ -0,0 +1,8 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi)
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+
diff --git a/whitechapel_pro/ofl_app.te b/whitechapel_pro/ofl_app.te
index e3f61408..a9498165 100644
--- a/whitechapel_pro/ofl_app.te
+++ b/whitechapel_pro/ofl_app.te
@@ -11,7 +11,10 @@ userdebug_or_eng(`
 allow ofl_app radio_service:service_manager find;
 allow ofl_app surfaceflinger_service:service_manager find;
- # Access to directly update firmware on secure_element
- typeattribute secure_element_device mlstrustedobject;
- allow ofl_app secure_element_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st33spi_device
+ typeattribute st33spi_device mlstrustedobject;
+ allow ofl_app st33spi_device:chr_file rw_file_perms;
 ')
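Review bot: In hal_secure_element_st54spi.te, `allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;` gives the secure-element HAL read/write on the NFC controller node, and nothing in this diff motivates it. The removed tracking_denials entries for the old gto domain list only `secure_element_device`, the property socket and `vendor_secure_element_prop`, and the st33spi domain added alongside gets no such rule. If the grant is required, a comment above it should say why, for example `# <reason the eSE HAL must open /dev/st21nfc>`. If it is not required, dropping the line keeps the domain confined to its own device.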
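Review bot: In the ofl_app.te hunk, `typeattribute st54spi_device mlstrustedobject;` and its st33spi twin lift the MLS constraint on those device types for every subject that has TE access, not only `ofl_app`. The comments above them give the firmware-update purpose but not why the MLS exemption is needed. If the reason is the usual one, a line such as `# mlstrustedobject: lets the categorised app domain write the s0 device node; userdebug/eng only` would make that explicit. The added rules sit before the closing `')`, so they stay inside the `userdebug_or_eng` block whose opening lies outside the hunk. That scoping is what keeps raw app access to the secure-element nodes out of user builds and should be preserved in later edits.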