From cb18bb48d55097c0fd86d2be6055528c2a82a926 Mon Sep 17 00:00:00 2001 From: Donnie Pollitz Date: Mon, 5 Aug 2024 13:12:19 +0200 Subject: [PATCH] trusty: Allow linking/read tdp and td Background: * storageproxyd needs to be able to create and read symlinks associated with TDP and TD. 08-07 08:13:44.868 750 750 W binder:750_2: type=1400 audit(0.0:18): avc: denied { create } for name="0" scontext=u:r:tee:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=lnk_file permissive=0 08-07 07:35:19.396 755 755 W binder:755_2: type=1400 audit(0.0:7): avc: denied { read } for name="0" dev="sda1" ino=15 scontext=u:r:tee:s0 tcontext=u:object_r:persist_ss_file:s0 tclass=lnk_file permissive=0 08-07 08:34:24.956 742 742 W binder:742_2: type=1400 audit(0.0:8): avc: denied { read } for name="persist" dev="dm-52" ino=406 scontext=u:r:tee:s0 tcontext=u:object_r:tee_data_file:s0 tclass=lnk_file permissive=0 Flag: EXEMPT resource only update Bug: 357815590 Test: Tested by purging device and verifying fresh device Change-Id: Ib239534bfb28d05de14095e84961ff0f84cde68d Signed-off-by: Donnie Pollitz --- vendor/tee.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vendor/tee.te b/vendor/tee.te index 0a6139b..a4153be 100644 --- a/vendor/tee.te +++ b/vendor/tee.te @@ -1,3 +1,4 @@ allow tee tee_persist_block_device:blk_file rw_file_perms; allow tee tee_userdata_block_device:blk_file rw_file_perms; -allow tee tee_data_file:lnk_file create; +allow tee tee_data_file:lnk_file { create read }; +allow tee persist_ss_file:lnk_file { create read };
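Review bot: the two new rules in vendor/tee.te grant only `{ create read }` on `lnk_file`, which covers the three denials quoted in the message, but nothing in the hunk grants `unlink` or `rename` on those symlinks even though the Test line says the change was verified by purging the device; if storageproxyd ever removes or replaces the "0" or "persist" links, a further `lnk_file` denial will appear on the next purge cycle, so confirm that the purge path was exercised with `permissive=0` and either add `unlink` now or record in the message that removal is never done by the tee domain. A one-line comment above `allow tee persist_ss_file:lnk_file { create read };` naming storageproxyd and the TDP/TD symlink use (and the bug number) would also help, since `persist_ss_file` is a new target type for the tee domain in this file and a later reader will otherwise have only the `avc: denied` lines in git history to explain why a TEE proxy may create symlinks in persist.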