From b8df90a273a034ea0377c49a9610e0bfec1ecbd4 Mon Sep 17 00:00:00 2001
From: Iliyan Malchev <malchev@google.com>
Date: Mon, 26 Sep 2016 00:06:43 -0700
Subject: [PATCH] add policy for android.hardware.nfc@1.0-service

android.hardware.nfc@1.0-service is the generic binderized
HIDL package implementation of android.hardware.nfc@1.0

Denials:
avc: denied { read write } for pid=432 comm="android.hardwar"
name="pn548" dev="tmpfs" ino=10228
scontext=u:r:android_hardware_nfc_1_0_service:s0
tcontext=u:object_r:nfc_device:s0 tclass=chr_file

avc: denied { search } for pid=443 comm="Binder:430_1" name="nfc"
dev="dm-0" ino=670433 scontext=u:r:android_hardware_nfc_1_0_service:s0
tcontext=u:object_r:nfc_data_file:s0 tclass=dir

Test: pass

Change-Id: Id022b8d1706253ef65a37406c74ff883e12415b2
Signed-off-by: Iliyan Malchev <malchev@google.com>
---
 android_hardware_nfc_1_0_service.te | 22 ++++++++++++++++++++++
 file_contexts                       |  1 +
 nfc.te                              |  9 +++------
 3 files changed, 26 insertions(+), 6 deletions(-)
 create mode 100644 android_hardware_nfc_1_0_service.te

diff --git a/android_hardware_nfc_1_0_service.te b/android_hardware_nfc_1_0_service.te
new file mode 100644
index 000000000..f980da43b
--- /dev/null
+++ b/android_hardware_nfc_1_0_service.te
@@ -0,0 +1,22 @@
+# nfc subsystem
+type android_hardware_nfc_1_0_service, domain;
+type android_hardware_nfc_1_0_service_exec, exec_type, file_type;
+
+# may be started by init
+init_daemon_domain(android_hardware_nfc_1_0_service)
+
+# hwbinder access
+hwbinder_use(android_hardware_nfc_1_0_service)
+
+# call into NFC process (callbacks)
+binder_call(android_hardware_nfc_1_0_service, nfc)
+
+# Set NFC properties (used by bcm2079x HAL).
+set_prop(android_hardware_nfc_1_0_service, nfc_prop)
+
+# NFC device access.
+allow android_hardware_nfc_1_0_service nfc_device:chr_file rw_file_perms;
+
+# Data file accesses.
+allow android_hardware_nfc_1_0_service nfc_data_file:dir create_dir_perms;
+allow android_hardware_nfc_1_0_service nfc_data_file:notdevfile_class_set create_file_perms;
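Review bot: The two data-file rules at the end of this hunk are broader than the single `search` denial the commit message records — `notdevfile_class_set` covers file, lnk_file, sock_file and fifo_file, and `create_dir_perms` lets the HAL create and remove directory entries, which copies the nfc app's rights from nfc.te rather than granting what the HAL was seen to need. If the HAL only reads and updates its own state under nfc_data_file, the narrower `allow android_hardware_nfc_1_0_service nfc_data_file:dir search;` plus `allow android_hardware_nfc_1_0_service nfc_data_file:file rw_file_perms;` (or `create_file_perms` if it writes new files) would cover the denial; if the wider set really is required, the comment should say which paths need it. The `set_prop` on nfc_prop has no denial backing it in the description and its comment names the bcm2079x HAL while the denials come from a pn548 device, so it reads as speculative and should be marked as such or dropped until observed. The sysfs_nfc_power_writable rules removed from nfc.te in this same patch are not re-granted to the HAL domain here, which is worth confirming if the HAL toggles chip power through sysfs.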
diff --git a/file_contexts b/file_contexts
index 33b628a47..41ab94938 100644
--- a/file_contexts
+++ b/file_contexts
@@ -218,6 +218,7 @@
 /system/bin/hw/wifi_hal_legacy   u:object_r:wifi_hal_legacy_exec:s0
 /system/fake-lib(64)?/libart.*   u:object_r:libart_file:s0
 /system/lib(64)?/libart.*        u:object_r:libart_file:s0
+/system/bin/hw/android.hardware.nfc@1.0-service   u:object_r:android_hardware_nfc_1_0_service_exec:s0
 
 #############################
 # Vendor files
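Review bot: The added file_contexts entry leaves the dots in `android.hardware.nfc@1.0-service` unescaped; file_contexts patterns are regular expressions, so each `.` matches any character and the exec label would also apply to any other name under /system/bin/hw with the same shape. Escape them, `/system/bin/hw/android\.hardware\.nfc@1\.0-service   u:object_r:android_hardware_nfc_1_0_service_exec:s0`, and place the entry next to the other `/system/bin/hw/` entries such as wifi_hal_legacy rather than after the libart lines, where it breaks the grouping.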
diff --git a/nfc.te b/nfc.te
index a4383bb4f..09e75150e 100644
--- a/nfc.te
+++ b/nfc.te
@@ -17,12 +17,6 @@ allow nfc nfc_device:chr_file rw_file_perms;
 allow nfc nfc_data_file:dir create_dir_perms;
 allow nfc nfc_data_file:notdevfile_class_set create_file_perms;
 
-allow nfc sysfs_nfc_power_writable:file rw_file_perms;
-allow nfc sysfs:file write;
-
-# TODO: added to match above sysfs rule. Remove me?
-allow nfc sysfs_usb:file write;
-
 # SoundPool loading and playback
 allow nfc audioserver_service:service_manager find;
 allow nfc drmserver_service:service_manager find;
@@ -40,3 +34,6 @@ allow nfc system_api_service:service_manager find;
 # the nfc process, from a file in
 # /data/data/com.android.shell/files/bugreports/bugreport-*.
 allow nfc shell_data_file:file read;
+
+# allow NFC process to call into the NFC HAL
+binder_call(nfc, android_hardware_nfc_1_0_service)
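Review bot: The `binder_call` on the last added line lets nfc transact with the HAL once it holds a binder to it, but nothing in this hunk lets nfc reach hwservicemanager to look that binder up; unless nfc.te already carries `hwbinder_use(nfc)` above this hunk (the head of the file is outside the patch), the first service lookup will be denied. Add `hwbinder_use(nfc)` next to this line if it is not already present, and extend the comment so it states the lookup path: `# allow NFC process to look up (via hwservicemanager) and call into the NFC HAL`.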
-- 
GitLab