From 3f9a11fa0b59339d51cc4d4edcb718c27c905c0e Mon Sep 17 00:00:00 2001 From: Stephen Crane Date: Tue, 14 Dec 2021 14:33:56 -0800 Subject: [PATCH] Allow TEE storageproxyd permissions needed for DSU handling Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path. Test: access /metadata/gsi/dsu/booted from storageproxyd Bug: 203719297 Change-Id: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b --- whitechapel/vendor/google/storageproxyd.te | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te index d6acb458..76552d04 100644 --- a/whitechapel/vendor/google/storageproxyd.te +++ b/whitechapel/vendor/google/storageproxyd.te @@ -8,6 +8,10 @@ allow tee persist_ss_file:file create_file_perms; allow tee persist_ss_file:dir create_dir_perms; allow tee persist_file:dir r_dir_perms; allow tee mnt_vendor_file:dir r_dir_perms; +allow tee tee_data_file:dir rw_dir_perms; allow tee tee_data_file:lnk_file r_file_perms; allow tee sg_device:chr_file rw_file_perms; allow tee self:capability { setgid setuid }; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee)