SE Policy for Secure Element app and Secure Element HAL

Test: App startup on boot
Change-Id: I7740aafc088aadf676328e3f1bb8db5175d97102
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index bb9142d..df14019 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -199,6 +199,7 @@
   hal_nfc_hwservice
   hal_oemlock_hwservice
   hal_power_hwservice
+  hal_secure_element_hwservice
   hal_sensors_hwservice
   hal_telephony_hwservice
   hal_thermal_hwservice
diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 2b0a3fb..7769b65 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -40,6 +40,7 @@
     hal_confirmationui_hwservice
     hal_lowpan_hwservice
     hal_neuralnetworks_hwservice
+    hal_secure_element_hwservice
     hal_tetheroffload_hwservice
     hal_usb_gadget_hwservice
     hal_wifi_offload_hwservice
@@ -65,6 +66,9 @@
     perfetto_traces_data_file
     perfprofd_service
     property_info
+    secure_element
+    secure_element_tmpfs
+    secure_element_service
     slice_service
     stats
     stats_data_file
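Review bot: The three added names break the alphabetical order the surrounding list appears to follow, since `secure_element_service` sorts before `secure_element_tmpfs`. Swapping the last two added lines keeps the list easy to scan and to diff against later compat updates. The list starts and ends outside this hunk, so the ordering convention is inferred from the visible neighbours only.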
diff --git a/private/hwservice_contexts b/private/hwservice_contexts
index 5a65580..96233fc 100644
--- a/private/hwservice_contexts
+++ b/private/hwservice_contexts
@@ -38,6 +38,7 @@
 android.hardware.radio::IRadio                                  u:object_r:hal_telephony_hwservice:s0
 android.hardware.radio::ISap                                    u:object_r:hal_telephony_hwservice:s0
 android.hardware.renderscript::IDevice                          u:object_r:hal_renderscript_hwservice:s0
+android.hardware.secure_element::ISecureElement                 u:object_r:hal_secure_element_hwservice:s0
 android.hardware.sensors::ISensors                              u:object_r:hal_sensors_hwservice:s0
 android.hardware.soundtrigger::ISoundTriggerHw                  u:object_r:hal_audio_hwservice:s0
 android.hardware.thermal::IThermal                              u:object_r:hal_thermal_hwservice:s0
diff --git a/private/nfc.te b/private/nfc.te
index 56446f4..5e85672 100644
--- a/private/nfc.te
+++ b/private/nfc.te
@@ -24,6 +24,7 @@
 allow nfc app_api_service:service_manager find;
 allow nfc system_api_service:service_manager find;
 allow nfc vr_manager_service:service_manager find;
+allow nfc secure_element_service:service_manager find;
 
 set_prop(nfc, nfc_prop);
 
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 76f2998..6efd59f 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -99,6 +99,7 @@
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
+user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
 user=shell seinfo=platform domain=shell type=shell_data_file
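Review bot: The added `user=secure_element` entry omits `type=`, while the neighbouring platform entries (`bluetooth`, `nfc`, `radio`) each name a data-file type, and it is the only entry in this hunk that sets `levelFrom=all`. No data-file type for the new domain is visible elsewhere in this change, so the entry presumably relies on the app having no private data directory. If that is the intent, a comment above the entry would record it, e.g. `# secure_element keeps no app data dir, hence no type=; levelFrom=all derives MLS categories from app and user id`. If the app does persist data, the entry should name a dedicated type instead of leaving the label to whatever else matches. The rest of seapp_contexts is outside the hunk.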
diff --git a/private/secure_element.te b/private/secure_element.te
new file mode 100644
index 0000000..57f512b
--- /dev/null
+++ b/private/secure_element.te
@@ -0,0 +1,14 @@
+# secure element subsystem
+typeattribute secure_element coredomain;
+app_domain(secure_element)
+
+binder_service(secure_element)
+add_service(secure_element, secure_element_service)
+
+allow secure_element app_api_service:service_manager find;
+hal_client_domain(secure_element, hal_secure_element)
+
+# already open bugreport file descriptors may be shared with
+# the secure element process, from a file in
+# /data/data/com.android.shell/files/bugreports/bugreport-*.
+allow secure_element shell_data_file:file read;
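Review bot: The last rule, `allow secure_element shell_data_file:file read;`, lets the new domain read bugreport files handed to it as open descriptors, and its comment reads like boilerplate carried over from another app domain rather than a stated need of the Secure Element service. Nothing in this change shows a path by which bugreport descriptors reach this process, so on least-privilege grounds I would drop the rule and add it back only if an AVC denial demonstrates the need. If it stays, the comment should name the actual sender, e.g. `# bugreport FDs are passed by <caller>; read on an inherited fd only, no open`. The same concern applies in milder form to `allow secure_element app_api_service:service_manager find;`, which grants `find` on every service carrying that attribute where a short list of the services actually used would be tighter.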
diff --git a/private/service_contexts b/private/service_contexts
index 373c7cc..71d4845 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -134,6 +134,7 @@
 samplingprofiler                          u:object_r:samplingprofiler_service:s0
 scheduling_policy                         u:object_r:scheduling_policy_service:s0
 search                                    u:object_r:search_service:s0
+secure_element                            u:object_r:secure_element_service:s0
 sec_key_att_app_id_provider               u:object_r:sec_key_att_app_id_provider_service:s0
 sensorservice                             u:object_r:sensorservice_service:s0
 serial                                    u:object_r:serial_service:s0