From d15185b2d72d3efd06d2caf0abf14a91c7446fda Mon Sep 17 00:00:00 2001 
From: George Chang Date: Thu, 18 Nov 2021 11:46:41 +0800 Subject: [PATCH] Fix SELinux error coming from hal_secure_element_gto and gto_ese2 update hal_secure_element_st54spi/st33spi from gto/gto_ese2 hal_secure_element_gto.te => hal_secure_element_st54spi.te [ 10.846098] type=1400 audit(1637296724.408:40): avc: denied { map } for comm="android.hardwar" path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:40): avc: denied { map } for path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:39): avc: denied { getattr } for path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:38): avc: denied { open } for path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-19 12:38:44.408 776 776 I android.hardwar: type=1400 audit(0.0:37): avc: denied { read } for name="u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 [ 10.846033] type=1400 audit(1637296724.408:37): avc: denied { read } for comm="android.hardwar" name="u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file 
permissive=1 [ 10.846072] type=1400 audit(1637296724.408:38): avc: denied { open } for comm="android.hardwar" path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 [ 10.846086] type=1400 audit(1637296724.408:39): avc: denied { getattr } for comm="android.hardwar" path="/dev/__properties__/u:object_r:vendor_secure_element_prop:s0" dev="tmpfs" ino=327 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=file permissive=1 11-11 09:38:59.132 785 785 I secure_element@: type=1400 audit(0.0:100): avc: denied { write } for name="property_service" dev="tmpfs" ino=357 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 11-11 09:38:59.132 785 785 I secure_element@: type=1400 audit(0.0:101): avc: denied { connectto } for path="/dev/socket/property_service" scontext=u:r:hal_secure_element_gto:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 19.593472] type=1400 audit(1636594739.132:101): avc: denied { connectto } for comm="secure_element@" path="/dev/socket/property_service" scontext=u:r:hal_secure_element_gto:s0 tcontext=u:r:init:s0 tclass=unix_stream_socket permissive=1 [ 19.593175] type=1400 audit(1636594739.132:100): avc: denied { write } for comm="secure_element@" name="property_service" dev="tmpfs" ino=357 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:property_socket:s0 tclass=sock_file permissive=1 11-09 12:04:08.620 786 786 I secure_element@: type=1400 audit(0.0:135): avc: denied { open } for path="/dev/st54spi" dev="tmpfs" ino=584 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 [ 17.142141] type=1400 audit(1636430648.620:135): avc: denied { open } for comm="secure_element@" path="/dev/st54spi" dev="tmpfs" ino=584 
scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 [ 17.141947] type=1400 audit(1636430648.620:134): avc: denied { read write } for comm="secure_element@" name="st54spi" dev="tmpfs" ino=584 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 11-09 12:04:08.620 786 786 I secure_element@: type=1400 audit(0.0:134): avc: denied { read write } for name="st54spi" dev="tmpfs" ino=584 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 11-04 13:27:24.564 1 1 I /system/bin/init: type=1107 audit(0.0:52): uid=0 auid=4294967295 ses=4294967295 subj=u:r:init:s0 msg='avc: denied { set } for property=persist.vendor.se.reset pid=772 uid=1068 gid=1068 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:vendor_secure_element_prop:s0 tclass=property_service permissive=1' 11-19 10:22:25.052 797 797 I secure_element@: type=1400 audit(0.0:49): avc: denied { read write } for name="st21nfc" dev="tmpfs" ino=708 scontext=u:r:hal_secure_element_st54spi:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 11-19 10:22:25.052 797 797 I secure_element@: type=1400 audit(0.0:50): avc: denied { open } for path="/dev/st21nfc" dev="tmpfs" ino=708 scontext=u:r:hal_secure_element_st54spi:s0 tcontext=u:object_r:nfc_device:s0 tclass=chr_file permissive=1 hal_secure_element_gto_ese2 => hal_secure_element_st33spi.te 11-09 12:04:09.140 771 771 I secure_element@: type=1400 audit(0.0:137): avc: denied { open } for path="/dev/st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 [ 17.660987] type=1400 audit(1636430649.140:137): avc: denied { open } for comm="secure_element@" path="/dev/st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file 
permissive=1 [ 17.660845] type=1400 audit(1636430649.140:136): avc: denied { read write } for comm="secure_element@" name="st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 11-09 12:04:09.140 771 771 I secure_element@: type=1400 audit(0.0:136): avc: denied { read write } for name="st33spi" dev="tmpfs" ino=728 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:secure_element_device:s0 tclass=chr_file permissive=1 Bug: 207062261 Bug: 205073164 Bug: 205656951 Bug: 205657039 Bug: 205904452 Test: check avc without secure_element Change-Id: I312299deb6d6bfa353e7936d41a723e75d3ea06b
---
 tracking_denials/hal_secure_element_gto.te | 13 -------------
 tracking_denials/hal_secure_element_gto_ese2.te | 3 ---
 whitechapel_pro/device.te | 4 ++++
 whitechapel_pro/file_contexts | 8 ++++----
 whitechapel_pro/hal_secure_element_st33spi.te | 6 ++++++
 whitechapel_pro/hal_secure_element_st54spi.te | 8 ++++++++
 whitechapel_pro/ofl_app.te | 9 ++++++---
 7 files changed, 28 insertions(+), 23 deletions(-)
 delete mode 100644 tracking_denials/hal_secure_element_gto.te
 delete mode 100644 tracking_denials/hal_secure_element_gto_ese2.te
 create mode 100644 whitechapel_pro/hal_secure_element_st33spi.te
 create mode 100644 whitechapel_pro/hal_secure_element_st54spi.te
diff --git a/tracking_denials/hal_secure_element_gto.te b/tracking_denials/hal_secure_element_gto.te
deleted file mode 100644
index d264971b..00000000
--- a/tracking_denials/hal_secure_element_gto.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# b/205073164
-dontaudit hal_secure_element_gto vendor_secure_element_prop:property_service { set };
-# b/205656951
-dontaudit hal_secure_element_gto secure_element_device:chr_file { open };
-dontaudit hal_secure_element_gto secure_element_device:chr_file { read write };
-# b/205904452
-dontaudit hal_secure_element_gto init:unix_stream_socket { connectto };
-dontaudit hal_secure_element_gto property_socket:sock_file { write };
-# b/207062261
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { getattr };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { map };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { open };
-dontaudit hal_secure_element_gto vendor_secure_element_prop:file { read };
diff --git a/tracking_denials/hal_secure_element_gto_ese2.te b/tracking_denials/hal_secure_element_gto_ese2.te
deleted file mode 100644
index 3c17e5b3..00000000
--- a/tracking_denials/hal_secure_element_gto_ese2.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# b/205657039
-dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { open };
-dontaudit hal_secure_element_gto_ese2 secure_element_device:chr_file { read write };
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 1f5e22ba..e6bb4fe0 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -17,3 +17,7 @@ type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
 type vframe_heap_device, dmabuf_heap_device_type, dev_type;
 type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index d18bc9dd..45e7974a 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
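Review bot: The last added line of the device.te hunk is an empty line after `type st33spi_device, dev_type;`, so the file now ends with a trailing blank line; the new hal_secure_element_st33spi.te and hal_secure_element_st54spi.te hunks end with the same stray `+` line and all three could be trimmed together. The comment `# SecureElement SPI device` does not say why two types now exist where secure_element_device was used before; something like `# Per-chip labels for /dev/st54spi and /dev/st33spi (see file_contexts), replacing the shared secure_element_device label` would let a reader see the intent without cross-referencing file_contexts.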
@@ -28,8 +28,8 @@
 /vendor/bin/hw/android\.hardware\.dumpstate@1\.1-service\.gs201 u:object_r:hal_dumpstate_default_exec:s0
 /vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_samsung_exec:s0
 /vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_google_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_st54spi_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_st33spi_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
 /vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix u:object_r:hal_fingerprint_default_exec:s0
@@ -123,8 +123,8 @@
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /dev/sg1 u:object_r:sg_device:s0
 /dev/st21nfc u:object_r:nfc_device:s0
-/dev/st54spi u:object_r:secure_element_device:s0
-/dev/st33spi u:object_r:secure_element_device:s0
+/dev/st54spi u:object_r:st54spi_device:s0
+/dev/st33spi u:object_r:st33spi_device:s0
 /dev/ttyGS[0-3] u:object_r:serial_device:s0
 /dev/oem_ipc[0-7] u:object_r:radio_device:s0
 /dev/umts_boot0 u:object_r:radio_device:s0
diff --git a/whitechapel_pro/hal_secure_element_st33spi.te b/whitechapel_pro/hal_secure_element_st33spi.te
new file mode 100644
index 00000000..cecc8fe8
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st33spi.te
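Review bot: Relabelling `/dev/st54spi` and `/dev/st33spi` from secure_element_device to st54spi_device/st33spi_device in the second hunk takes these nodes out of every rule written against secure_element_device, not only the ones this commit rewrites; ofl_app.te is updated here, but any other domain allowed secure_element_device in policy files outside this patch would lose access silently, and the permissive-mode denial check named in the Test line only covers domains that were actually exercised. A policy-wide search for remaining secure_element_device users before merge would close that gap, and if none remain the now-unused type could be retired in a follow-up.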
@@ -0,0 +1,6 @@
+type hal_secure_element_st33spi, domain;
+hal_server_domain(hal_secure_element_st33spi, hal_secure_element)
+type hal_secure_element_st33spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st33spi)
+allow hal_secure_element_st33spi st33spi_device:chr_file rw_file_perms;
+
diff --git a/whitechapel_pro/hal_secure_element_st54spi.te b/whitechapel_pro/hal_secure_element_st54spi.te
new file mode 100644
index 00000000..a3e74be3
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_st54spi.te
@@ -0,0 +1,8 @@
+type hal_secure_element_st54spi, domain;
+hal_server_domain(hal_secure_element_st54spi, hal_secure_element)
+type hal_secure_element_st54spi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi)
+allow hal_secure_element_st54spi st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)
+
diff --git a/whitechapel_pro/ofl_app.te b/whitechapel_pro/ofl_app.te
index e3f61408..a9498165 100644
--- a/whitechapel_pro/ofl_app.te
+++ b/whitechapel_pro/ofl_app.te
@@ -11,7 +11,10 @@ userdebug_or_eng(`
 allow ofl_app radio_service:service_manager find;
 allow ofl_app surfaceflinger_service:service_manager find;
- # Access to directly update firmware on secure_element
- typeattribute secure_element_device mlstrustedobject;
- allow ofl_app secure_element_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st54spi_device
+ typeattribute st54spi_device mlstrustedobject;
+ allow ofl_app st54spi_device:chr_file rw_file_perms;
+ # Access to directly update firmware on st33spi_device
+ typeattribute st33spi_device mlstrustedobject;
+ allow ofl_app st33spi_device:chr_file rw_file_perms;
 ')
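Review bot: `allow hal_secure_element_st54spi nfc_device:chr_file rw_file_perms;` in the st54spi hunk lets the eSE HAL read and write the NFC controller node (/dev/st21nfc per file_contexts), an access the sibling st33spi domain does not get, and nothing in the file says why; the commit message only shows the denial, so the reason the SE HAL needs the NFC node should be recorded next to the rule, e.g. `# b/<bug id>: the HAL also opens /dev/st21nfc; required for <reason>`. The deleted tracking_denials files carried a b/ reference per rule (b/205073164 for the property set, b/205656951 for the device node, b/205904452 for the property socket, b/207062261 for the property file) and this commit drops all of them; carrying those numbers over as comments on `set_prop(hal_secure_element_st54spi, vendor_secure_element_prop)` and the two chr_file rules would keep the audit trail. Naming the property the HAL actually sets (`persist.vendor.se.reset` in the denial) in that comment would also let a later reviewer judge whether write access to the whole vendor_secure_element_prop context is needed.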
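Review bot: `typeattribute st54spi_device mlstrustedobject;` and the matching st33spi line in the ofl_app hunk change the type attribute policy-wide — the MLS constraint on these nodes is relaxed for every domain, not just ofl_app — even though they sit inside ofl_app.te's userdebug_or_eng block; this mirrors the removed secure_element_device rule, but it now covers two nodes and still carries no comment explaining the need. A comment such as `# mlstrustedobject is policy-wide; needed here presumably because ofl_app carries MLS categories (confirm in seapp_contexts); userdebug/eng only` would make the scope explicit. Stylistically the two three-line blocks differ only by type name; one comment over a pair of typeattribute lines followed by a pair of allow lines would read more clearly.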