From f5277482c1e960f6f0569cdf2160c3bccb17dc0a Mon Sep 17 00:00:00 2001
From: Wenhao Wang
Date: Mon, 19 Apr 2021 17:26:53 -0700
Subject: [PATCH] Fix selinux for RPMB daemon

Secure persistent storage has been moved to persist root. The corresponding pathes on SELinux policy has to be updated.
Bug: 173971240
Bug: 173032298
Test: Trusty storage tests
Change-Id: I0e7756f3b4d5c6be705a87e1d7d80247df1ec4bb
---
 tracking_denials/tee.te | 14 --------------
 whitechapel/vendor/google/file_contexts | 2 +-
 whitechapel/vendor/google/storageproxyd.te | 5 +++++
 3 files changed, 6 insertions(+), 15 deletions(-)
 delete mode 100644 tracking_denials/tee.te

diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
deleted file mode 100644
index 3375948f..00000000
--- a/tracking_denials/tee.te
+++ /dev/null
@@ -1,14 +0,0 @@
-# b/173971240
-dontaudit tee persist_file:file { open };
-dontaudit tee tee_data_file:lnk_file { read };
-dontaudit tee mnt_vendor_file:dir { search };
-dontaudit tee persist_file:dir { search };
-dontaudit tee persist_file:file { open };
-dontaudit tee persist_file:file { read write };
-dontaudit tee persist_file:dir { search };
-dontaudit tee mnt_vendor_file:dir { search };
-dontaudit tee tee_data_file:lnk_file { read };
-dontaudit tee persist_file:file { read write };
-userdebug_or_eng(`
- permissive tee;
-')
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
index 58c0617e..79aa3f3f 100644
--- a/whitechapel/vendor/google/file_contexts
+++ b/whitechapel/vendor/google/file_contexts
@@ -325,7 +325,7 @@
 /vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0
 /dev/trusty-ipc-dev0 u:object_r:tee_device:s0
 /data/vendor/ss(/.*)? u:object_r:tee_data_file:s0
-/mnt/vendor/persist/data/ss(/.*)? u:object_r:tee_data_file:s0
+/mnt/vendor/persist/ss(/.*)? u:object_r:tee_data_file:s0
 /dev/sg1 u:object_r:sg_device:s0
 # Battery
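Review bot: The relabelled path `/mnt/vendor/persist/ss(/.*)?` keeps the `tee_data_file` label (the same label as `/data/vendor/ss` two lines above) even though the storageproxyd.te hunk of this same commit declares a new `persist_ss_file` type with the `vendor_persist_type` attribute, and nothing in this file_contexts hunk assigns that type to any path. As written, the `allow tee persist_ss_file:dir r_dir_perms` rule in storageproxyd.te matches no object, and the persist-backed copy of the storage does not carry the persist-partition attribute the new type was presumably created for. If the new type is the intended label, this line should presumably read `/mnt/vendor/persist/ss(/.*)? u:object_r:persist_ss_file:s0`, and the domain would then also need `:file` permissions on it (the deleted tracking_denials entries were on `persist_file:file { open read write }`, not only on directories); if `tee_data_file` is intended, the unused type declaration should be dropped instead. The hunk header declares seven old and seven new lines but only six are visible here, so one context line (probably a blank) appears to have been lost in the paste.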
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
index ef9d93a8..315300c2 100644
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -1,4 +1,9 @@
 type sg_device, dev_type;
+type persist_ss_file, file_type, vendor_persist_type;
+allow tee persist_ss_file:dir r_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
 allow tee self:capability { setgid setuid };
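Review bot: The new `allow tee persist_file:dir`, `allow tee mnt_vendor_file:dir` and `allow tee tee_data_file:lnk_file` rules grant more than the denials this commit removes: the deleted tracking_denials/tee.te entries recorded only `persist_file:dir { search }`, `mnt_vendor_file:dir { search }` and `tee_data_file:lnk_file { read }`, whereas `r_dir_perms` also includes `open` and `read` (directory listing) on those parent directories and `r_file_perms` on the symlink is broader than `read`. Since the daemon only needs to traverse `persist_file` and `mnt_vendor_file` to reach its own directory and to follow the link, the least-privilege form is `allow tee persist_file:dir search_dir_perms;`, `allow tee mnt_vendor_file:dir search_dir_perms;` and `allow tee tee_data_file:lnk_file read;`, widening later only if a real denial shows up. The hunk header declares four old lines but only three are visible, so the tail of this hunk (likely a trailing blank line) may have been lost in the paste.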