Merge "sepolicy: Fix tee avc denials"

This commit is contained in:
Donnie Pollitz 2023-02-01 09:46:16 +00:00 committed by Android (Google) Code Review
commit eea50ca2bc
2 changed files with 15 additions and 24 deletions


@ -1,24 +0,0 @@
# b/263304957
dontaudit tee gsi_metadata_file:dir { search };
dontaudit tee hal_system_suspend_service:service_manager { find };
dontaudit tee init:unix_stream_socket { connectto };
dontaudit tee metadata_file:dir { search };
dontaudit tee mnt_vendor_file:dir { search };
dontaudit tee persist_file:dir { search };
dontaudit tee persist_ss_file:dir { search };
dontaudit tee persist_ss_file:file { open };
dontaudit tee persist_ss_file:file { read write };
dontaudit tee property_socket:sock_file { write };
dontaudit tee servicemanager:binder { call };
dontaudit tee sg_device:chr_file { ioctl };
dontaudit tee sg_device:chr_file { open };
dontaudit tee sg_device:chr_file { read write };
dontaudit tee system_suspend_server:binder { call };
dontaudit tee tee_data_file:lnk_file { read };
dontaudit tee vendor_trusty_storage_prop:property_service { set };
# b/263429986
dontaudit tee servicemanager:binder { transfer };
# b/264489524
userdebug_or_eng(`
permissive tee;
')

15
vendor/tee.te vendored Normal file

@ -0,0 +1,15 @@
# Handle wake locks
wakelock_use(tee)
allow tee persist_ss_file:file create_file_perms;
allow tee persist_ss_file:dir create_dir_perms;
allow tee persist_file:dir r_dir_perms;
allow tee mnt_vendor_file:dir r_dir_perms;
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:lnk_file r_file_perms;
allow tee sg_device:chr_file rw_file_perms;
# Allow storageproxyd access to gsi_public_metadata_file
read_fstab(tee)
set_prop(tee, vendor_trusty_storage_prop)