Set default access permission as denied for eSE According to GP spec chap 4, access permission should be ALLOWED when ARA-M is not accessible on the eSE. But on converged chip which is used by both eSIM/Felica, there is security concern when deleting ARA-M on this chip. Set ChannelAccess as DENIED before long-term solution complete. Bug: 140902609 Bug: 141203396 Test: Check ChannelAccess is DENIED after deleting ARA-M Change-Id: Ic0eee4f4b214eae8f1a94b1b0c3b9621502deff5 (cherry picked from commit 2adec4001b7dde47ecbdb849dd615f28fc5aa68a)

commit: 64f4791ac8637cfee364b359e9168352e1419894 [log] [tgz]
author: Jack Yu <jackcwyu@google.com> Wed Sep 18 17:00:17 2019 +0800
committer: android-build-team Robot <android-build-team-robot@google.com> Fri Sep 20 23:47:20 2019 +0000
tree: 2185a58e8ec20e50d4817e460ff26f21a8d9d1cf
parent: bcac007eefcc6da58e62d30a357d42bdcb622231 [diff]
diff --git a/src/com/android/se/security/AccessControlEnforcer.java b/src/com/android/se/security/AccessControlEnforcer.java
index 22b82f0..79252bd 100644
--- a/src/com/android/se/security/AccessControlEnforcer.java
+++ b/src/com/android/se/security/AccessControlEnforcer.java

@@ -488,9 +488,8 @@
             }
         }
         if (!mTerminal.getName().startsWith(SecureElementService.UICC_TERMINAL)) {
-            // It shall be allowed to grant full access if no rule can be retrieved
-            // from the secure element except for UICC.
-            mFullAccess = true;
+            // Deny full access for eSE if no rule can be retrieved because of security concern
+            mFullAccess = false;
             // ARF is supported only on UICC.
             mUseArf = false;
         }
commit	64f4791ac8637cfee364b359e9168352e1419894	[log] [tgz]
author	Jack Yu <jackcwyu@google.com>	Wed Sep 18 17:00:17 2019 +0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Fri Sep 20 23:47:20 2019 +0000
tree	2185a58e8ec20e50d4817e460ff26f21a8d9d1cf
parent	bcac007eefcc6da58e62d30a357d42bdcb622231 [diff]