refactor hal_secure_element
01-01 20:00:07.579 419 419 E SELinux : avc: denied { find } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto_ese2:s0 pid=748 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.595 419 419 E SELinux : avc: denied { add } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto_ese2:s0 pid=748 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.596 419 419 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_secure_element_gto_ese2:s0 pid=748 scontext=u:r:hal_secure_element_gto_ese2:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.597 419 419 E SELinux : avc: denied { find } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto:s0 pid=749 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.597 419 419 E SELinux : avc: denied { find } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.599 419 419 E SELinux : avc: denied { add } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.600 419 419 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.601 419 419 E SELinux : avc: denied { add } for interface=android.hardware.secure_element::ISecureElement sid=u:r:hal_secure_element_gto:s0 pid=749 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:hal_secure_element_hwservice:s0 tclass=hwservice_manager permissive=1
01-01 20:00:07.602 419 419 E SELinux : avc: denied { add } for interface=android.hidl.base::IBase sid=u:r:hal_secure_element_gto:s0 pid=749 scontext=u:r:hal_secure_element_gto:s0 tcontext=u:object_r:hidl_base_hwservice:s0 tclass=hwservice_manager permissive=1
09-03 10:51:44.574 419 419 E SELinux : avc: denied { find } for interface=vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal sid=u:r:hal_secure_element_uicc:s0 pid=750 scontext=u:r:hal_secure_element_uicc:s0 tcontext=u:object_r:hal_exynos_rild_hwservice:s0 tclass=hwservice_manager permissive=1
Bug: 198713948
Test: boot with secure_element started
Change-Id: Ie79b80f3c0fbe21c898e6a67384d98a2cc282f93
Change-Id: I14d9f01b6ef901fd87e8927d691ce96a9b174ed3
diff --git a/legacy/file_contexts b/legacy/file_contexts
index 675299d..5736d18 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -160,15 +160,6 @@
/dev/st21nfc u:object_r:nfc_device:s0
/data/nfc(/.*)? u:object_r:nfc_data_file:s0
-# SecureElement
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0
-/dev/st54j_se u:object_r:secure_element_device:s0
-/dev/st54spi u:object_r:secure_element_device:s0
-/dev/st33spi u:object_r:secure_element_device:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0
-
# Bluetooth
/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0
/dev/wbrc u:object_r:wb_coexistence_dev:s0
diff --git a/legacy/hal_secure_element_default.te b/legacy/hal_secure_element_default.te
deleted file mode 100644
index dc04874..0000000
--- a/legacy/hal_secure_element_default.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
-allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
-set_prop(hal_secure_element_default, vendor_secure_element_prop)
-set_prop(hal_secure_element_default, vendor_nfc_prop)
-set_prop(hal_secure_element_default, vendor_modem_prop)
-
-# Allow hal_secure_element_default to access rild
-binder_call(hal_secure_element_default, rild);
-allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find;
-
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index 72ce51e..b94c949 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -1,73 +1,78 @@
# Binaries
-/vendor/bin/dmd u:object_r:dmd_exec:s0
-/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
-/vendor/bin/sced u:object_r:sced_exec:s0
-/vendor/bin/vcd u:object_r:vcd_exec:s0
-/vendor/bin/chre u:object_r:chre_exec:s0
-/vendor/bin/cbd u:object_r:cbd_exec:s0
-/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
-/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
-/vendor/bin/rfsd u:object_r:rfsd_exec:s0
-/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/dmd u:object_r:dmd_exec:s0
+/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0
+/vendor/bin/sced u:object_r:sced_exec:s0
+/vendor/bin/vcd u:object_r:vcd_exec:s0
+/vendor/bin/chre u:object_r:chre_exec:s0
+/vendor/bin/cbd u:object_r:cbd_exec:s0
+/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0
+/vendor/bin/hw/rild_exynos u:object_r:rild_exec:s0
+/vendor/bin/rfsd u:object_r:rfsd_exec:s0
+/vendor/bin/bipchmgr u:object_r:bipchmgr_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_gto_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_gto_ese2_exec:s0
+/vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_uicc_exec:s0
# Vendor Firmwares
-/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
+/vendor/firmware(/.*)? u:object_r:vendor_fw_file:s0
# Devices
-/dev/ttyGS[0-3] u:object_r:serial_device:s0
-/dev/oem_ipc[0-7] u:object_r:radio_device:s0
-/dev/umts_boot0 u:object_r:radio_device:s0
-/dev/umts_ipc0 u:object_r:radio_device:s0
-/dev/umts_ipc1 u:object_r:radio_device:s0
-/dev/umts_rfs0 u:object_r:radio_device:s0
-/dev/umts_dm0 u:object_r:radio_device:s0
-/dev/umts_router u:object_r:radio_device:s0
-/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
-/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
-/dev/socket/chre u:object_r:chre_socket:s0
-/dev/block/sda u:object_r:sda_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
-/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
+/dev/st54spi u:object_r:secure_element_device:s0
+/dev/st33spi u:object_r:secure_element_device:s0
+/dev/ttyGS[0-3] u:object_r:serial_device:s0
+/dev/oem_ipc[0-7] u:object_r:radio_device:s0
+/dev/umts_boot0 u:object_r:radio_device:s0
+/dev/umts_ipc0 u:object_r:radio_device:s0
+/dev/umts_ipc1 u:object_r:radio_device:s0
+/dev/umts_rfs0 u:object_r:radio_device:s0
+/dev/umts_dm0 u:object_r:radio_device:s0
+/dev/umts_router u:object_r:radio_device:s0
+/dev/logbuffer_tcpm u:object_r:logbuffer_device:s0
+/dev/sys/block/bootdevice(/.*)? u:object_r:bootdevice_sysdev:s0
+/dev/socket/chre u:object_r:chre_socket:s0
+/dev/block/sda u:object_r:sda_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dpm_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab] u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0
# Data
-/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
-/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
-/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
-/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
-/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
-/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
+/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0
+/data/vendor/radio(/.*)? u:object_r:radio_vendor_data_file:s0
+/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0
+/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0
+/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0
# Persist
-/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/modem(/.*)? u:object_r:persist_modem_file:s0
# Extra mount images
-/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
-/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
-/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
+/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0
+/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0
diff --git a/whitechapel_pro/hal_secure_element_gto.te b/whitechapel_pro/hal_secure_element_gto.te
new file mode 100644
index 0000000..c7724c7
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto, domain;
+type hal_secure_element_gto_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto)
diff --git a/whitechapel_pro/hal_secure_element_gto_ese2.te b/whitechapel_pro/hal_secure_element_gto_ese2.te
new file mode 100644
index 0000000..678810a
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_gto_ese2.te
@@ -0,0 +1,5 @@
+type hal_secure_element_gto_ese2, domain;
+type hal_secure_element_gto_ese2_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_gto_ese2, hal_secure_element)
+init_daemon_domain(hal_secure_element_gto_ese2)
diff --git a/whitechapel_pro/hal_secure_element_uicc.te b/whitechapel_pro/hal_secure_element_uicc.te
new file mode 100644
index 0000000..6e953cd
--- /dev/null
+++ b/whitechapel_pro/hal_secure_element_uicc.te
@@ -0,0 +1,5 @@
+type hal_secure_element_uicc, domain;
+type hal_secure_element_uicc_exec, exec_type, vendor_file_type, file_type;
+
+hal_server_domain(hal_secure_element_uicc, hal_secure_element)
+init_daemon_domain(hal_secure_element_uicc)