From ed2c8d78ae39667034fbb6c647604c64a27dc08d Mon Sep 17 00:00:00 2001
From: eddielan <eddielan@google.com>
Date: Fri, 21 Jan 2022 11:27:23 +0800
Subject: [PATCH 1/2] Add vendor SELinux denial to allowlist

Bug: 215640468
Test: Build Pass
Change-Id: I8c2aa5ce4c6cc229837f763c6a20a1c27e1978a6
---
 whitechapel/vendor/google/bug_map | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/whitechapel/vendor/google/bug_map b/whitechapel/vendor/google/bug_map
index 3dc069c5..6799ba21 100644
--- a/whitechapel/vendor/google/bug_map
+++ b/whitechapel/vendor/google/bug_map
@@ -1,2 +1,3 @@
 permissioncontroller_app sysfs_vendor_sched file b/190671898
-vendor_ims_app default_prop file b/194281028
\ No newline at end of file
+vendor_ims_app default_prop file b/194281028
+hal_fingerprint_default default_prop property_service b/215640468

From b9beafc9fa61b89dd00bdc2b51163e7870d34dac Mon Sep 17 00:00:00 2001
From: Stephen Crane <cranes@google.com>
Date: Tue, 14 Dec 2021 14:33:56 -0800
Subject: [PATCH 2/2] Allow TEE storageproxyd permissions needed for DSU
 handling

Allows the vendor TEE access to GSI metadata files (which are publicly
readable). Storageproxyd needs access to this metadata to determine if a
GSI image is currently booted. Also allows the TEE domain to make new
directories in its data path.

Includes the fixed directory creation permission change from
Ifcc3e5f82b68a506ff99469d2f3df6ab1440b42a.

Test: access /metadata/gsi/dsu/booted from storageproxyd
Bug: 203719297
Merged-In: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b
Merged-In: Ifcc3e5f82b68a506ff99469d2f3df6ab1440b42a
Change-Id: I86055dd5601f8c2899d28f29bdfcb4dcb9b90d1b
(cherry picked from commit b69ac35ff006cccbeee26f299826c32104fe1934)
---
 whitechapel/vendor/google/storageproxyd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
index d6acb458..f9222712 100644
--- a/whitechapel/vendor/google/storageproxyd.te
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -8,6 +8,10 @@ allow tee persist_ss_file:file create_file_perms;
 allow tee persist_ss_file:dir create_dir_perms;
 allow tee persist_file:dir r_dir_perms;
 allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir create_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
 allow tee self:capability { setgid setuid };
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)