Merge "Fix selinux for RPMB daemon" into sc-dev

tracking_denials/tee.te

@@ -1,14 +0,0 @@
-# b/173971240
-dontaudit tee persist_file:file { open };
-dontaudit tee tee_data_file:lnk_file { read };
-dontaudit tee mnt_vendor_file:dir { search };
-dontaudit tee persist_file:dir { search };
-dontaudit tee persist_file:file { open };
-dontaudit tee persist_file:file { read write };
-dontaudit tee persist_file:dir { search };
-dontaudit tee mnt_vendor_file:dir { search };
-dontaudit tee tee_data_file:lnk_file { read };
-dontaudit tee persist_file:file { read write };
-userdebug_or_eng(`
-  permissive tee;
-')

whitechapel/vendor/google/file_contexts

@@ -325,7 +325,7 @@
 /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor    u:object_r:hal_confirmationui_default_exec:s0
 /dev/trusty-ipc-dev0                 u:object_r:tee_device:s0
 /data/vendor/ss(/.*)?                u:object_r:tee_data_file:s0
-/mnt/vendor/persist/data/ss(/.*)?    u:object_r:tee_data_file:s0
+/mnt/vendor/persist/ss(/.*)?         u:object_r:tee_data_file:s0
 /dev/sg1                             u:object_r:sg_device:s0
 
 # Battery

whitechapel/vendor/google/storageproxyd.te

@@ -1,4 +1,9 @@
 type sg_device, dev_type;
+type persist_ss_file, file_type, vendor_persist_type;
 
+allow tee persist_ss_file:dir r_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
 allow tee self:capability { setgid setuid };