review tee

Bug: 198723116
Test: boot with tee started
Change-Id: Ib50698834d16887fa00bdbbaf81801f1067909ba

legacy/file_contexts

@@ -173,15 +173,10 @@
 
 # Trusty
 /vendor/bin/securedpud.slider        u:object_r:securedpud_slider_exec:s0
-/vendor/bin/storageproxyd            u:object_r:tee_exec:s0
 /vendor/bin/trusty_apploader         u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd          u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty              u:object_r:hal_keymint_default_exec:s0
-/dev/trusty-ipc-dev0                 u:object_r:tee_device:s0
-/data/vendor/ss(/.*)?                u:object_r:tee_data_file:s0
-/mnt/vendor/persist/ss(/.*)?         u:object_r:tee_data_file:s0
-/dev/sg1                             u:object_r:sg_device:s0
 /dev/trusty-log0                     u:object_r:logbuffer_device:s0
 
 # Battery

whitechapel_pro/device.te

@@ -2,3 +2,4 @@ type sda_block_device, dev_type, bdev_type;
 type devinfo_block_device, dev_type, bdev_type;
 type modem_block_device, dev_type, bdev_type;
 type custom_ab_block_device, dev_type, bdev_type;
+type sg_device, dev_type;

whitechapel_pro/file.te

@@ -24,6 +24,7 @@ allow modem_img_file self:filesystem associate;
 
 # persist
 type persist_modem_file, file_type, vendor_persist_type;
+type persist_ss_file, file_type, vendor_persist_type;
 
 # CHRE
 type chre_socket, file_type;

whitechapel_pro/file_contexts

@@ -12,11 +12,14 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto       u:object_r:hal_secure_element_gto_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2  u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service      u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/storageproxyd                                               u:object_r:tee_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)?                                                  u:object_r:vendor_fw_file:s0
 
 # Devices
+/dev/trusty-ipc-dev0                                                    u:object_r:tee_device:s0
+/dev/sg1                                                                u:object_r:sg_device:s0
 /dev/st54spi                                                            u:object_r:secure_element_device:s0
 /dev/st33spi                                                            u:object_r:secure_element_device:s0
 /dev/ttyGS[0-3]                                                         u:object_r:serial_device:s0
@@ -67,9 +70,11 @@
 /data/vendor/log(/.*)?                                                  u:object_r:vendor_log_file:s0
 /data/vendor/log/rfsd(/.*)?                                             u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)?                                                 u:object_r:rild_vendor_data_file:s0
+/data/vendor/ss(/.*)?                                                   u:object_r:tee_data_file:s0
 
 # Persist
 /mnt/vendor/persist/modem(/.*)?                                         u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/ss(/.*)?                                            u:object_r:persist_ss_file:s0
 
 # Extra mount images
 /mnt/vendor/modem_img(/.*)?                                             u:object_r:modem_img_file:s0

whitechapel_pro/tee.te

@@ -1,9 +1,9 @@
-type sg_device, dev_type;
-type persist_ss_file, file_type, vendor_persist_type;
+# Handle wake locks
+wakelock_use(tee)
 
-allow tee persist_ss_file:dir r_dir_perms;
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
 allow tee persist_file:dir r_dir_perms;
 allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
-allow tee self:capability { setgid setuid };