sepolicy: Fix tee avc denials

tee policies were missing Bug: 263304957 Bug: 263429986 Bug: 264489524 Test: boot and scanAvcDeniedLogRightAfterReboot passed Change-Id: Ia3191496be005dbbbe331a14f7d45adace34b3fc Signed-off-by: Donnie Pollitz <donpollitz@google.com>
2023-01-24 15:22:57 +01:00 · 2023-01-24 15:22:57 +01:00 · 34fe057526
commit 34fe057526
parent 82ae431064
2 changed files with 15 additions and 24 deletions
--- a/tracking_denials/tee.te
+++ b/tracking_denials/tee.te
@ -1,24 +0,0 @@
-# b/263304957
-dontaudit tee gsi_metadata_file:dir { search };
-dontaudit tee hal_system_suspend_service:service_manager { find };
-dontaudit tee init:unix_stream_socket { connectto };
-dontaudit tee metadata_file:dir { search };
-dontaudit tee mnt_vendor_file:dir { search };
-dontaudit tee persist_file:dir { search };
-dontaudit tee persist_ss_file:dir { search };
-dontaudit tee persist_ss_file:file { open };
-dontaudit tee persist_ss_file:file { read write };
-dontaudit tee property_socket:sock_file { write };
-dontaudit tee servicemanager:binder { call };
-dontaudit tee sg_device:chr_file { ioctl };
-dontaudit tee sg_device:chr_file { open };
-dontaudit tee sg_device:chr_file { read write };
-dontaudit tee system_suspend_server:binder { call };
-dontaudit tee tee_data_file:lnk_file { read };
-dontaudit tee vendor_trusty_storage_prop:property_service { set };
-# b/263429986
-dontaudit tee servicemanager:binder { transfer };
-# b/264489524
-userdebug_or_eng(`
-  permissive tee;
-')
--- a/vendor/tee.te
+++ b/vendor/tee.te
@ -0,0 +1,15 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+set_prop(tee, vendor_trusty_storage_prop)