Merge "Add widevine SELinux permissions" into main

commit: 13e34cc96a83c2d8b0b58b34206586c07e9feda3 [log] [tgz]
author: Snehal Koukuntla <snehalreddy@google.com> Wed Sep 04 08:42:49 2024 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> Wed Sep 04 08:42:49 2024 +0000
tree: 5946e2ca68f60cff2e0cb416f89e529c91881c54
parent: 6ec23c152f7da13f6e908d13bbe6d86aa0d8fa9a [diff]
parent: bd3767ae16a3e11166c95d9ecd3bbccc5800ba09 [diff]
diff --git a/nfc/sepolicy_st54spi/file.te b/nfc/sepolicy_st54spi/file.te
new file mode 100644
index 0000000..5f9a80d
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file.te

@@ -0,0 +1,3 @@
+# SecureElement SPI device
+type st54spi_device, dev_type;
+

diff --git a/nfc/sepolicy_st54spi/file_contexts b/nfc/sepolicy_st54spi/file_contexts
new file mode 100644
index 0000000..f2762f3
--- /dev/null
+++ b/nfc/sepolicy_st54spi/file_contexts

@@ -0,0 +1,3 @@
+/dev/st54spi                                                                u:object_r:st54spi_device:s0
+/vendor/bin/hw/android\.hardware\.secure_element-service\.thales            u:object_r:hal_secure_element_st54spi_aidl_exec:s0
+

diff --git a/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te
new file mode 100644
index 0000000..f2051e0
--- /dev/null
+++ b/nfc/sepolicy_st54spi/hal_secure_element_st54spi_aidl.te

@@ -0,0 +1,9 @@
+# sepolicy for ST54L secure element
+type hal_secure_element_st54spi_aidl, domain;
+type hal_secure_element_st54spi_aidl_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_secure_element_st54spi_aidl)
+hal_server_domain(hal_secure_element_st54spi_aidl, hal_secure_element)
+allow hal_secure_element_st54spi_aidl st54spi_device:chr_file rw_file_perms;
+allow hal_secure_element_st54spi_aidl nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_st54spi_aidl, vendor_secure_element_prop)
+

diff --git a/nfc/sepolicy_st54spi/property.te b/nfc/sepolicy_st54spi/property.te
new file mode 100644
index 0000000..1ac5526
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property.te

@@ -0,0 +1,3 @@
+# SecureElement vendor property
+vendor_internal_prop(vendor_secure_element_prop)
+

diff --git a/nfc/sepolicy_st54spi/property_contexts b/nfc/sepolicy_st54spi/property_contexts
new file mode 100644
index 0000000..2067a86
--- /dev/null
+++ b/nfc/sepolicy_st54spi/property_contexts

@@ -0,0 +1,2 @@
+# SecureElement vendor property
+persist.vendor.se.                         u:object_r:vendor_secure_element_prop:s0

diff --git a/nfc/sepolicy_st54spi/vendor_init.te b/nfc/sepolicy_st54spi/vendor_init.te
new file mode 100644
index 0000000..91e5cdb
--- /dev/null
+++ b/nfc/sepolicy_st54spi/vendor_init.te

@@ -0,0 +1,2 @@
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)

diff --git a/nfc/st54spi.mk b/nfc/st54spi.mk
new file mode 100644
index 0000000..046de87
--- /dev/null
+++ b/nfc/st54spi.mk

@@ -0,0 +1,3 @@
+BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy_st54spi
+PRODUCT_PACKAGES += android.hardware.secure_element-service.thales
+

diff --git a/storage/sepolicy/device.te b/storage/sepolicy/device.te
index e0968f9..1252ee0 100644
--- a/storage/sepolicy/device.te
+++ b/storage/sepolicy/device.te

@@ -1,2 +1,11 @@
 # Userdata Exp block device.
 type userdata_exp_block_device, dev_type;
+
+# Block Devices
+type persist_block_device, dev_type;
+type efs_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+
+# Storage firmware upgrade
+type ufs_internal_block_device, dev_type;
+

diff --git a/storage/sepolicy/file_contexts b/storage/sepolicy/file_contexts
index 30335eb..1ef5a67 100644
--- a/storage/sepolicy/file_contexts
+++ b/storage/sepolicy/file_contexts

@@ -1,6 +1,9 @@
+# storage
 /vendor/bin/dump/dump_storage      u:object_r:dump_storage_exec:s0
 /sys/devices/platform/[0-9a-z]+\.ufs/pixel/enable_pixel_ufs_logging  u:object_r:sysfs_scsi_devices_0000:s0
 /dev/sg[0-9]                       u:object_r:sg_device:s0
 /data/vendor/storage(/.*)?         u:object_r:dump_storage_data_file:s0
 /vendor/bin/sg_read_buffer         u:object_r:sg_util_exec:s0
 /dev/block/by-name/userdata_exp.*  u:object_r:userdata_exp_block_device:s0
+/vendor/bin/ufs_firmware_update\.sh                                  u:object_r:ufs_firmware_update_exec:s0
+

diff --git a/storage/sepolicy/ufs_firmware_update.te b/storage/sepolicy/ufs_firmware_update.te
index 1b92976..2313121 100644
--- a/storage/sepolicy/ufs_firmware_update.te
+++ b/storage/sepolicy/ufs_firmware_update.te

@@ -1,5 +1,7 @@
 # support ufs ffu via ota
 init_daemon_domain(ufs_firmware_update)
+type ufs_firmware_update, domain;
+type ufs_firmware_update_exec, vendor_file_type, exec_type, file_type;
 
 # support ufs ffu via ota
 allow ufs_firmware_update vendor_toolbox_exec:file execute_no_trans;
commit	13e34cc96a83c2d8b0b58b34206586c07e9feda3	[log] [tgz]
author	Snehal Koukuntla <snehalreddy@google.com>	Wed Sep 04 08:42:49 2024 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	Wed Sep 04 08:42:49 2024 +0000
tree	5946e2ca68f60cff2e0cb416f89e529c91881c54
parent	6ec23c152f7da13f6e908d13bbe6d86aa0d8fa9a [diff]
parent	bd3767ae16a3e11166c95d9ecd3bbccc5800ba09 [diff]