Set default access permission as denied for eSE
According to GP spec chap 4, access permission should be ALLOWED when ARA-M is not accessible on the eSE.
But on a converged chip which is used by both eSIM/Felica, there is a security concern when deleting ARA-M on this chip.
Set ChannelAccess as DENIED before the long-term solution is complete.
Bug: 140902609
Bug: 141203396
Test: Check ChannelAccess is DENIED after deleting ARA-M
Change-Id: Ic0eee4f4b214eae8f1a94b1b0c3b9621502deff5
(cherry picked from commit 2adec4001b7dde47ecbdb849dd615f28fc5aa68a)
diff --git a/src/com/android/se/security/AccessControlEnforcer.java b/src/com/android/se/security/AccessControlEnforcer.java
index 22b82f0..79252bd 100644
--- a/src/com/android/se/security/AccessControlEnforcer.java
+++ b/src/com/android/se/security/AccessControlEnforcer.java
@@ -488,9 +488,8 @@
}
}
if (!mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) {
- // It shall be allowed to grant full access if no rule can be retrieved
- // from the secure element except for UICC.
- mFullAccess = true;
+ // Deny full access for eSE if no rule can be retrieved because of security concern
+ mFullAccess = false;
// ARF is supported only on UICC.
mUseArf = false;
}
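Review bot: The new comment above `mFullAccess = false;` says the deny is "for eSE", but the enclosing guard is `!mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)`, so the default flips to deny for every non-UICC terminal, not only the converged eSIM/Felica chip the commit message names. Either narrow the condition to the affected terminal or reword the comment to say that all non-UICC terminals are now denied when no rule can be retrieved. The comment should also record that this is a deliberate, temporary departure from the GP-specified ALLOWED behaviour and point at the tracking bug (140902609), so the deviation is not mistaken for a regression and is revisited once the long-term solution lands. The Test line covers only the delete-ARA-M case; it would help to state what callers observe when rules cannot be retrieved for other reasons, since this branch sends them to deny as well.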