From 34fe0575266d057dc0ba2b1687d4c8a431eada09 Mon Sep 17 00:00:00 2001
From: Donnie Pollitz
Date: Tue, 24 Jan 2023 15:22:57 +0100
Subject: [PATCH] sepolicy: Fix tee avc denials

tee policies were missing

Bug: 263304957
Bug: 263429986
Bug: 264489524
Test: boot and scanAvcDeniedLogRightAfterReboot passed
Change-Id: Ia3191496be005dbbbe331a14f7d45adace34b3fc
Signed-off-by: Donnie Pollitz
---
 tracking_denials/tee.te | 24 ------------------------
 vendor/tee.te | 15 +++++++++++++++
 2 files changed, 15 insertions(+), 24 deletions(-)
 delete mode 100644 tracking_denials/tee.te
 create mode 100644 vendor/tee.te

diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
deleted file mode 100644
index 1070ed9a..00000000
--- a/tracking_denials/tee.te
+++ /dev/null
@@ -1,24 +0,0 @@
-# b/263304957
-dontaudit tee gsi_metadata_file:dir { search };
-dontaudit tee hal_system_suspend_service:service_manager { find };
-dontaudit tee init:unix_stream_socket { connectto };
-dontaudit tee metadata_file:dir { search };
-dontaudit tee mnt_vendor_file:dir { search };
-dontaudit tee persist_file:dir { search };
-dontaudit tee persist_ss_file:dir { search };
-dontaudit tee persist_ss_file:file { open };
-dontaudit tee persist_ss_file:file { read write };
-dontaudit tee property_socket:sock_file { write };
-dontaudit tee servicemanager:binder { call };
-dontaudit tee sg_device:chr_file { ioctl };
-dontaudit tee sg_device:chr_file { open };
-dontaudit tee sg_device:chr_file { read write };
-dontaudit tee system_suspend_server:binder { call };
-dontaudit tee tee_data_file:lnk_file { read };
-dontaudit tee vendor_trusty_storage_prop:property_service { set };
-# b/263429986
-dontaudit tee servicemanager:binder { transfer };
-# b/264489524
-userdebug_or_eng(`
- permissive tee;
-')
\ No newline at end of file
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 00000000..256fb384
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,15 @@
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+set_prop(tee, vendor_trusty_storage_prop)
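Review bot: The line `allow tee sg_device:chr_file rw_file_perms;` grants unrestricted ioctl on the SCSI generic device, because `rw_file_perms` expands to include `ioctl` and no `allowxperm` ioctlcmd allowlist accompanies it; the deleted tracking_denials entries only recorded ioctl/open/read/write, so adding `allowxperm tee sg_device:chr_file ioctl { <ioctl commands taken from the logged denials> };` would keep the grant to what the storage proxy actually issues. The `create_file_perms`/`create_dir_perms` on persist_ss_file and `rw_dir_perms` on tee_data_file:dir likewise exceed what the removed dontaudit list showed (open, read, write, search on those types), so each extra permission in those macros is worth confirming against an observed denial rather than inheriting the macro's full set. The comment `# Allow storageproxyd access to gsi_public_metadata_file` names a type that appears in no rule here; if `read_fstab(tee)` is the macro that grants it, a comment such as `# read_fstab grants the gsi_public_metadata_file read that storageproxyd needs` would tie the comment to the rule it explains.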