Update ST NFC/SecureElement policies

Bug: 168875298
Bug: 160672745
Test: check no avc denial for nfc
Merged-In: I51059a5a8f4afbb41505d1ed826c6aea8027894d
Change-Id: I51059a5a8f4afbb41505d1ed826c6aea8027894d
diff --git a/coral-sepolicy.mk b/coral-sepolicy.mk
index b4da01c..4de3284 100644
--- a/coral-sepolicy.mk
+++ b/coral-sepolicy.mk
@@ -7,4 +7,5 @@
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/qcom/sm8150
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/knowles/common
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/tracking_denials
+BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/st
 BOARD_SEPOLICY_DIRS += device/google/coral-sepolicy/vendor/verizon
diff --git a/vendor/google/file.te b/vendor/google/file.te
index cfb5ef6..1faf285 100644
--- a/vendor/google/file.te
+++ b/vendor/google/file.te
@@ -49,9 +49,6 @@
 #diag cmd socket
 type diag_socket, file_type, mlstrustedobject;
 
-#eSE file
-type ese_vendor_data_file, file_type, data_file_type;
-
 # Dumpstats dmabuf info
 type debugfs_dma_buf, debugfs_type, fs_type;
 
diff --git a/vendor/google/file_contexts b/vendor/google/file_contexts
index 4fd4689..8c110f6 100644
--- a/vendor/google/file_contexts
+++ b/vendor/google/file_contexts
@@ -12,7 +12,6 @@
 /dev/maxfg_history                                                                    u:object_r:maxfg_device:s0
 /dev/vd6281                                                                           u:object_r:rls_device:s0
 /dev/sensor_tunnel                                                                    u:object_r:rls_device:s0
-/dev/st54j_se                                                                         u:object_r:secure_element_device:s0
 /dev/subsys_faceauth                                                                  u:object_r:faceauth_device:s0
 /dev/subsys_faceauth_b                                                                u:object_r:faceauth_device:s0
 /dev/touch_offload                                                                    u:object_r:touch_offload_device:s0
@@ -37,7 +36,6 @@
 /vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-noronha                 u:object_r:hal_neuralnetworks_darwinn_exec:s0
 /vendor/bin/hw/android\.hardware\.power\.stats@1\.0-service\.pixel                    u:object_r:hal_power_stats_default_exec:s0
 /vendor/bin/hw/android\.hardware\.rebootescrow-service\.citadel                       u:object_r:hal_rebootescrow_citadel_exec:s0
-/vendor/bin/hw/android\.hardware\.secure_element@1\.0-service\.st                     u:object_r:hal_secure_element_default_exec:s0
 /vendor/bin/hw/android\.hardware\.usb@1\.2-service\.coral                             u:object_r:hal_usb_impl_exec:s0
 /vendor/bin/hw/android\.hardware\.weaver@1\.0-service\.citadel                        u:object_r:hal_weaver_citadel_exec:s0
 /vendor/bin/hw/citadeld                                                               u:object_r:citadeld_exec:s0
@@ -114,7 +112,6 @@
 /data/vendor/modem_dump(/.*)?                                                         u:object_r:modem_dump_file:s0
 /data/vendor/tcpdump_logger(/.*)?                                                     u:object_r:tcpdump_vendor_data_file:s0
 /data/vendor_ce/[0-9]+/ramoops(/.*)?                                                  u:object_r:ramoops_vendor_data_file:s0
-/data/vendor/ese(/.*)?                                                                u:object_r:ese_vendor_data_file:s0
 /data/vendor/hal_neuralnetworks_darwinn/hal_camera(/.*)?                              u:object_r:hal_neuralnetworks_darwinn_hal_camera_data_file:s0
 /data/vendor/camera_calibration(/.*)?                                                 u:object_r:camera_calibration_vendor_data_file:s0
 /data/vendor/face(/.*)?                                                               u:object_r:face_vendor_data_file:s0
diff --git a/vendor/google/hal_secure_element_default.te b/vendor/google/hal_secure_element_default.te
deleted file mode 100644
index 94b811d..0000000
--- a/vendor/google/hal_secure_element_default.te
+++ /dev/null
@@ -1,6 +0,0 @@
-allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-allow hal_secure_element_default ese_vendor_data_file:dir create_dir_perms;
-allow hal_secure_element_default ese_vendor_data_file:file create_file_perms;
-allow hal_secure_element_default debugfs_ipc:dir search;
-set_prop(hal_secure_element_default, vendor_secure_element_prop)
-get_prop(hal_secure_element_default, vendor_modem_prop)
diff --git a/vendor/google/nfc.te b/vendor/google/nfc.te
deleted file mode 100644
index 90efccc..0000000
--- a/vendor/google/nfc.te
+++ /dev/null
@@ -1 +0,0 @@
-set_prop(hal_nfc_default, vendor_modem_prop)
diff --git a/vendor/google/property.te b/vendor/google/property.te
index b8ed500..5584d78 100644
--- a/vendor/google/property.te
+++ b/vendor/google/property.te
@@ -26,8 +26,5 @@
 type vendor_shutdown_prop, property_type;
 type vendor_battery_defender_prop, property_type;
 
-# SecureElement property
-type vendor_secure_element_prop, property_type;
-
 # wifi_sniffer
 type vendor_wifi_sniffer_prop, property_type;
diff --git a/vendor/google/property_contexts b/vendor/google/property_contexts
index 262866e..3acdede 100644
--- a/vendor/google/property_contexts
+++ b/vendor/google/property_contexts
@@ -67,9 +67,6 @@
 # ramoops
 vendor.ramoops.                                 u:object_r:vendor_ramoops_prop:s0
 
-# SecureElement
-persist.vendor.se.                              u:object_r:vendor_secure_element_prop:s0
-
 # wifi_sniffer
 persist.vendor.wifi.sniffer.freq                u:object_r:vendor_wifi_sniffer_prop:s0
 persist.vendor.wifi.sniffer.bandwidth           u:object_r:vendor_wifi_sniffer_prop:s0
diff --git a/vendor/qcom/common/file.te b/vendor/qcom/common/file.te
index 0284a07..6f0a04c 100644
--- a/vendor/qcom/common/file.te
+++ b/vendor/qcom/common/file.te
@@ -197,9 +197,6 @@
 
 type persist_time_file, file_type, vendor_persist_type;
 
-# nfc file type for data vendor access
-type nfc_vendor_data_file, file_type, data_file_type;
-
 # kgsl file type for sysfs access
 type sysfs_kgsl, sysfs_type, fs_type;
 type sysfs_kgsl_proc, sysfs_type, fs_type;
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 9004bb2..591b6ba 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -93,7 +93,6 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@4\.0-strongbox-service-qti u:object_r:hal_keymaster_qti_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st     u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/imsrcsd             u:object_r:hal_rcsservice_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
 /vendor/bin/hw/vendor\.qti\.hardware\.qseecom@1\.0-service                  u:object_r:hal_qseecom_default_exec:s0
@@ -238,8 +237,6 @@
 #
 /vendor/bt_firmware(/.*)?                                           u:object_r:bt_firmware_file:s0
 
-/dev/st21nfc                                     u:object_r:nfc_device:s0
-/data/nfc(/.*)?                        u:object_r:nfc_data_file:s0
 #Android NN Driver
 /(vendor|system/vendor)/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-qti u:object_r:hal_neuralnetworks_default_exec:s0
 
diff --git a/vendor/qcom/common/hal_nfc_default.te b/vendor/qcom/common/hal_nfc_default.te
deleted file mode 100644
index 3044f1d..0000000
--- a/vendor/qcom/common/hal_nfc_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Data file accesses.
-allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
-allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
diff --git a/vendor/st/file_contexts b/vendor/st/file_contexts
new file mode 100644
index 0000000..eddf11d
--- /dev/null
+++ b/vendor/st/file_contexts
@@ -0,0 +1,15 @@
+###################################
+# vendor binaries
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st                u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service\.st     u:object_r:hal_secure_element_default_exec:s0
+
+
+###################################
+# dev nodes
+/dev/st54j_se                                                                         u:object_r:secure_element_device:s0
+/dev/st21nfc                                                                          u:object_r:nfc_device:s0
+
+###################################
+# data files
+/data/nfc(/.*)?                                                                       u:object_r:nfc_data_file:s0
+
diff --git a/vendor/st/hal_nfc_default.te b/vendor/st/hal_nfc_default.te
new file mode 100644
index 0000000..5f0c7f6
--- /dev/null
+++ b/vendor/st/hal_nfc_default.te
@@ -0,0 +1,9 @@
+# NFC property
+get_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
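Review bot: The `set_prop(hal_nfc_default, vendor_secure_element_prop)` line is a new grant — the deleted vendor/google/nfc.te only gave the NFC HAL set_prop on vendor_modem_prop — and with hal_secure_element_default also holding set_prop on the same type, two vendor domains can now write the persist.vendor.se. namespace. If the NFC HAL only reads those properties, `get_prop(hal_nfc_default, vendor_secure_element_prop)` is the least-privilege form; if it genuinely writes them, the comment should say which property and why, e.g. `# persist.vendor.se.*: written by the NFC HAL — confirm write (not just read) is required`. The "# Modem property" block is carried over from the removed nfc.te, but a one-line note on why an NFC HAL sets a modem property would help the next reader, since the relation is not obvious from this file.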
diff --git a/vendor/st/hal_secure_element_default.te b/vendor/st/hal_secure_element_default.te
new file mode 100644
index 0000000..1c127ea
--- /dev/null
+++ b/vendor/st/hal_secure_element_default.te
@@ -0,0 +1,5 @@
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+dontaudit hal_secure_element_default debugfs_ipc:dir search;
+set_prop(hal_secure_element_default, vendor_secure_element_prop)
+get_prop(hal_secure_element_default, vendor_modem_prop)
+
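Review bot: The `dontaudit hal_secure_element_default debugfs_ipc:dir search;` line silences an access the old file allowed, which is a tightening, but it carries no comment explaining that the search attempt is expected and harmless; add something like `# HAL probes debugfs on start; the lookup is not needed, so silence it rather than grant it` so a later maintainer does not re-promote it to allow. Separately, this file drops both ese_vendor_data_file rules while the commit also removes the `/data/vendor/ese(/.*)?` context and the type itself with no replacement under vendor/st — if the ST SE HAL still persists state under that path, it would presumably now hit a denial against the parent directory's label. The Test: line only mentions NFC, so it is worth confirming the secure-element HAL also boots without avc denials.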
diff --git a/vendor/st/property.te b/vendor/st/property.te
new file mode 100644
index 0000000..723121a
--- /dev/null
+++ b/vendor/st/property.te
@@ -0,0 +1,2 @@
+vendor_internal_prop(vendor_nfc_prop)
+vendor_internal_prop(vendor_secure_element_prop)
diff --git a/vendor/st/property_contexts b/vendor/st/property_contexts
new file mode 100644
index 0000000..c6cd8a4
--- /dev/null
+++ b/vendor/st/property_contexts
@@ -0,0 +1,6 @@
+# SecureElement
+persist.vendor.se.                              u:object_r:vendor_secure_element_prop:s0
+
+# NFC
+persist.vendor.nfc.                             u:object_r:vendor_nfc_prop:s0
+
diff --git a/vendor/st/vendor_init.te b/vendor/st/vendor_init.te
new file mode 100644
index 0000000..7de90e2
--- /dev/null
+++ b/vendor/st/vendor_init.te
@@ -0,0 +1,2 @@
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)