sepolicy for SE HAL

Bug: 205762050 Test: N/A Change-Id: I76cd5ebc4d0e456a3e4f1aa22f5a932fb21f6a23
2022-11-03 18:16:46 +00:00 · 2022-11-03 18:16:46 +00:00 · 4c6586817a
commit 4c6586817a
parent 080c579d47
6 changed files with 20 additions and 0 deletions
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@ -86,6 +86,12 @@ var (
 		"android.hardware.radio.voice.IRadioVoice/slot2":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.radio.voice.IRadioVoice/slot3":                          EXCEPTION_NO_FUZZER,
 		"android.hardware.rebootescrow.IRebootEscrow/default":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE2":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/eSE3":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM1":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM2":                     EXCEPTION_NO_FUZZER,
+		"android.hardware.secure_element.ISecureElement/SIM3":                     EXCEPTION_NO_FUZZER,
 		"android.hardware.security.dice.IDiceDevice/default":                      EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IKeyMintDevice/default":                EXCEPTION_NO_FUZZER,
 		"android.hardware.security.keymint.IRemotelyProvisionedComponent/default": EXCEPTION_NO_FUZZER,
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@ -14,6 +14,7 @@
    hal_bootctl_service
    hal_cas_service
    hal_remoteaccess_service
+    hal_secure_element_service
    hal_thermal_service
    hal_usb_gadget_service
    hal_tv_input_service
--- a/private/service_contexts
+++ b/private/service_contexts
@ -86,6 +86,12 @@ android.hardware.wifi.IWifi/default                                  u:object_r:
 android.hardware.wifi.hostapd.IHostapd/default                       u:object_r:hal_wifi_hostapd_service:s0
 android.hardware.wifi.supplicant.ISupplicant/default                 u:object_r:hal_wifi_supplicant_service:s0
 android.se.omapi.ISecureElementService/default                       u:object_r:secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE1                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE2                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/eSE3                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM1                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM2                  u:object_r:hal_secure_element_service:s0
+android.hardware.secure_element.ISecureElement/SIM3                  u:object_r:hal_secure_element_service:s0
 android.system.keystore2.IKeystoreService/default                    u:object_r:keystore_service:s0
 android.system.net.netd.INetd/default                                u:object_r:system_net_netd_service:s0
 android.system.suspend.ISystemSuspend/default                        u:object_r:hal_system_suspend_service:s0
--- a/public/hal_secure_element.te
+++ b/public/hal_secure_element.te
@ -3,3 +3,8 @@ binder_call(hal_secure_element_client, hal_secure_element_server)
 binder_call(hal_secure_element_server, hal_secure_element_client)

 hal_attribute_hwservice(hal_secure_element, hal_secure_element_hwservice)
+hal_attribute_service(hal_secure_element, hal_secure_element_service)
+
+binder_use(hal_secure_element_server)
+
+allow hal_secure_element_client hal_secure_element_service:service_manager find;
--- a/public/service.te
+++ b/public/service.te
@ -304,6 +304,7 @@ type hal_remoteaccess_service, protected_service, hal_service_type, service_mana
 type hal_remotelyprovisionedcomponent_service, protected_service, hal_service_type, service_manager_type;
 type hal_sensors_service, protected_service, hal_service_type, service_manager_type;
 type hal_secureclock_service, protected_service, hal_service_type, service_manager_type;
+type hal_secure_element_service, protected_service, hal_service_type, service_manager_type;
 type hal_sharedsecret_service, protected_service, hal_service_type, service_manager_type;
 type hal_system_suspend_service, protected_service, hal_service_type, service_manager_type;
 type hal_thermal_service, protected_service, hal_service_type, service_manager_type;
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@ -90,6 +90,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service\.example  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors-service(\.multihal)?  u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element-service.example u:object_r:hal_secure_element_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0