From 23a929df622765b25678909ebbcda3fe5fe7f90e Mon Sep 17 00:00:00 2001 From: Roshan Pius Date: Fri, 3 Nov 2023 17:39:43 -0700 Subject: [PATCH] sepolicy(nfc): Changing selinux policy for signed NFC APK NFC stack is becoming an unbundled apex which embeds the existing NFC APK. Unbundling requires the apex & apk to be signed by non-platform certificates, hence adding new seapp_contexts rule for the NFC stack. The old rule is also left behind to support `-next` config builds where we are still using the platform signed NFC APK. Ignore-AOSP-First: All of the NFC mainline work is only present in internal master. Will cherry-pick this CL once we cherry-pick all its dependencies. Bug: 320583956 Test: Bootup test with signed NFC APK (within NFC apex) Merged-In: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33 Change-Id: I1d4d6370cce558c8dcc0ec73a7ce47c2b5495a33 --- private/keys.conf | 3 +++ private/mac_permissions.xml | 5 +++++ private/seapp_contexts | 2 ++ 3 files changed, 10 insertions(+) diff --git a/private/keys.conf b/private/keys.conf index 18c1a8c14..fc50ef314 100644 --- a/private/keys.conf +++ b/private/keys.conf @@ -23,6 +23,9 @@ ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/media.x509.pem [@NETWORK_STACK] ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/networkstack.x509.pem +[@NFC] +ALL : $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem + [@SHARED] ALL : $DEFAULT_SYSTEM_DEV_CERTIFICATE/shared.x509.pem diff --git a/private/mac_permissions.xml b/private/mac_permissions.xml index c9a9acaf0..fa8ffcfbe 100644 --- a/private/mac_permissions.xml +++ b/private/mac_permissions.xml @@ -69,4 +69,9 @@ + + + + + diff --git a/private/seapp_contexts b/private/seapp_contexts index 957d00520..221963195 100644 --- a/private/seapp_contexts +++ b/private/seapp_contexts 
@@ -184,7 +184,9 @@ user=system seinfo=platform domain=system_app type=system_app_data_file user=system seinfo=platform isPrivApp=true name=com.android.DeviceAsWebcam domain=device_as_webcam type=system_app_data_file levelFrom=all user=bluetooth seinfo=bluetooth domain=bluetooth type=bluetooth_data_file user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file +# NFC stack signed with platform cert needed for maintaining backwards comptibility for -next release config. user=nfc seinfo=platform domain=nfc type=nfc_data_file +user=nfc seinfo=nfc domain=nfc type=nfc_data_file user=secure_element seinfo=platform domain=secure_element levelFrom=all user=radio seinfo=platform domain=radio type=radio_data_file user=shared_relro domain=shared_relro levelFrom=all
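
Review bot: In the private/keys.conf hunk, the new [@NFC] entry points at $MAINLINE_SEPOLICY_DEV_CERTIFICATES/nfc.x509.pem, but the diffstat lists only keys.conf, mac_permissions.xml and seapp_contexts, so the certificate file itself is not part of this change. Please name the dependent change that supplies nfc.x509.pem in the commit message (it already says the dependencies are cherry-picked first), so this CL does not land on a branch where the new key section points at a missing file. The section defines only ALL, like the neighbouring [@NETWORK_STACK]; worth confirming that one dev certificate for every build variant is what is intended here.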
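
Review bot: In the private/seapp_contexts hunk, the retained "user=nfc seinfo=platform domain=nfc type=nfc_data_file" rule is described as a fallback for the -next release config, but nothing records when it goes away, so the nfc domain stays reachable through two signing identities (platform and nfc) with no end date. Suggest adding a TODO that references the tracking bug and states that the platform rule is removed once -next uses the signed NFC APK. The added comment also has a typo ("comptibility" should be "compatibility"), and because it sits directly above the platform line, the new "user=nfc seinfo=nfc" rule reads as uncommented; a one-line comment tying it to the [@NFC] key would help the next reader.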