From 98ebd6e7f19ff9bffe85c5b8e2abcd1dde5c61ae Mon Sep 17 00:00:00 2001
From: Adam Shih <adamshih@google.com>
Date: Fri, 3 Sep 2021 13:21:08 +0800
Subject: [PATCH] review tee

Bug: 198723116
Test: boot with tee started
Change-Id: Ib50698834d16887fa00bdbbaf81801f1067909ba
---
 legacy/file_contexts                              | 5 -----
 whitechapel_pro/device.te                         | 1 +
 whitechapel_pro/file.te                           | 1 +
 whitechapel_pro/file_contexts                     | 5 +++++
 legacy/storageproxyd.te => whitechapel_pro/tee.te | 8 ++++----
 5 files changed, 11 insertions(+), 9 deletions(-)
 rename legacy/storageproxyd.te => whitechapel_pro/tee.te (51%)

diff --git a/legacy/file_contexts b/legacy/file_contexts
index 5736d18b..e88e04a9 100644
--- a/legacy/file_contexts
+++ b/legacy/file_contexts
@@ -173,15 +173,10 @@
 
 # Trusty
 /vendor/bin/securedpud.slider        u:object_r:securedpud_slider_exec:s0
-/vendor/bin/storageproxyd            u:object_r:tee_exec:s0
 /vendor/bin/trusty_apploader         u:object_r:trusty_apploader_exec:s0
 /vendor/bin/trusty_metricsd          u:object_r:trusty_metricsd_exec:s0
 /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
 /vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty              u:object_r:hal_keymint_default_exec:s0
-/dev/trusty-ipc-dev0                 u:object_r:tee_device:s0
-/data/vendor/ss(/.*)?                u:object_r:tee_data_file:s0
-/mnt/vendor/persist/ss(/.*)?         u:object_r:tee_data_file:s0
-/dev/sg1                             u:object_r:sg_device:s0
 /dev/trusty-log0                     u:object_r:logbuffer_device:s0
 
 # Battery
diff --git a/whitechapel_pro/device.te b/whitechapel_pro/device.te
index 3b5feaf5..5a8323e1 100644
--- a/whitechapel_pro/device.te
+++ b/whitechapel_pro/device.te
@@ -2,3 +2,4 @@ type sda_block_device, dev_type, bdev_type;
 type devinfo_block_device, dev_type, bdev_type;
 type modem_block_device, dev_type, bdev_type;
 type custom_ab_block_device, dev_type, bdev_type;
+type sg_device, dev_type;
diff --git a/whitechapel_pro/file.te b/whitechapel_pro/file.te
index 923cdc62..8391c9a7 100644
--- a/whitechapel_pro/file.te
+++ b/whitechapel_pro/file.te
@@ -24,6 +24,7 @@ allow modem_img_file self:filesystem associate;
 
 # persist
 type persist_modem_file, file_type, vendor_persist_type;
+type persist_ss_file, file_type, vendor_persist_type;
 
 # CHRE
 type chre_socket, file_type;
diff --git a/whitechapel_pro/file_contexts b/whitechapel_pro/file_contexts
index b94c9496..e27fb544 100644
--- a/whitechapel_pro/file_contexts
+++ b/whitechapel_pro/file_contexts
@@ -12,11 +12,14 @@
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto       u:object_r:hal_secure_element_gto_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2  u:object_r:hal_secure_element_gto_ese2_exec:s0
 /vendor/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service      u:object_r:hal_secure_element_uicc_exec:s0
+/vendor/bin/storageproxyd                                               u:object_r:tee_exec:s0
 
 # Vendor Firmwares
 /vendor/firmware(/.*)?                                                  u:object_r:vendor_fw_file:s0
 
 # Devices
+/dev/trusty-ipc-dev0                                                    u:object_r:tee_device:s0
+/dev/sg1                                                                u:object_r:sg_device:s0
 /dev/st54spi                                                            u:object_r:secure_element_device:s0
 /dev/st33spi                                                            u:object_r:secure_element_device:s0
 /dev/ttyGS[0-3]                                                         u:object_r:serial_device:s0
@@ -67,9 +70,11 @@
 /data/vendor/log(/.*)?                                                  u:object_r:vendor_log_file:s0
 /data/vendor/log/rfsd(/.*)?                                             u:object_r:vendor_rfsd_log_file:s0
 /data/vendor/rild(/.*)?                                                 u:object_r:rild_vendor_data_file:s0
+/data/vendor/ss(/.*)?                                                   u:object_r:tee_data_file:s0
 
 # Persist
 /mnt/vendor/persist/modem(/.*)?                                         u:object_r:persist_modem_file:s0
+/mnt/vendor/persist/ss(/.*)?                                            u:object_r:persist_ss_file:s0
 
 # Extra mount images
 /mnt/vendor/modem_img(/.*)?                                             u:object_r:modem_img_file:s0
diff --git a/legacy/storageproxyd.te b/whitechapel_pro/tee.te
similarity index 51%
rename from legacy/storageproxyd.te
rename to whitechapel_pro/tee.te
index 315300c2..edce5e1f 100644
--- a/legacy/storageproxyd.te
+++ b/whitechapel_pro/tee.te
@@ -1,9 +1,9 @@
-type sg_device, dev_type;
-type persist_ss_file, file_type, vendor_persist_type;
+# Handle wake locks
+wakelock_use(tee)
 
-allow tee persist_ss_file:dir r_dir_perms;
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
 allow tee persist_file:dir r_dir_perms;
 allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
-allow tee self:capability { setgid setuid };