mobicore: split into legacy and treble folders

author Jan Altensen <info@stricted.net>

Sun, 18 Oct 2020 11:38:56 +0000 (13:38 +0200)

committer Jan Altensen <info@stricted.net>

Tue, 22 Dec 2020 12:00:49 +0000 (13:00 +0100)
author Jan Altensen <info@stricted.net>
Sun, 18 Oct 2020 11:38:56 +0000 (13:38 +0200)
committer Jan Altensen <info@stricted.net>
Tue, 22 Dec 2020 12:00:49 +0000 (13:00 +0100)
diff --git a/sepolicy.mk b/sepolicy.mk

index 68644a687cf72f53ec8cd94858e382ca08f12f8c..09305d685dd99c7efc65ec317668faae1003843e 100644 (file)
--- a/sepolicy.mk
+++ b/sepolicy.mk
@@ -18,6 +18,19 @@ BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
  BOARD_SEPOLICY_DIRS += \
      device/samsung_slsi/sepolicy/tee/teegris/vendor
  else ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),mobicore)
+POLICY_TYPE := legacy
+# a device might not set the shipping api level
+# check if its empty to avoid erroring out in the next if
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+$(warning no product shipping level defined, defaulting to legacy policy)
+# devices launched with oreo or later should be treble
+else ifneq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+POLICY_TYPE := treble
+endif
+
+BOARD_SEPOLICY_DIRS += \
+    device/samsung_slsi/sepolicy/tee/mobicore/$(POLICY_TYPE)
+
  BOARD_SEPOLICY_DIRS += \
-    device/samsung_slsi/sepolicy/tee/mobicore
+    device/samsung_slsi/sepolicy/tee/mobicore/common
  endif
diff --git a/tee/mobicore/common/file.te b/tee/mobicore/common/file.te

new file mode 100644 (file)

index 0000000..b6898fd
--- /dev/null
+++ b/tee/mobicore/common/file.te
@@ -0,0 +1,2 @@
+type mobicore_vendor_data_file, file_type, data_file_type;
+type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/common/file_contexts b/tee/mobicore/common/file_contexts

new file mode 100644 (file)

index 0000000..0a339be
--- /dev/null
+++ b/tee/mobicore/common/file_contexts
@@ -0,0 +1,3 @@
+/dev/mobicore                                u:object_r:tee_device:s0
+/dev/mobicore-user                           u:object_r:tee_device:s0
+/dev/t-base-tui                              u:object_r:tee_device:s0
diff --git a/tee/mobicore/common/hal_fingerprint_default.te b/tee/mobicore/common/hal_fingerprint_default.te

new file mode 100644 (file)

index 0000000..ceb8aa4
--- /dev/null
+++ b/tee/mobicore/common/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/common/hal_gatekeeper_default.te b/tee/mobicore/common/hal_gatekeeper_default.te

new file mode 100644 (file)

index 0000000..c63173c
--- /dev/null
+++ b/tee/mobicore/common/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/common/hal_keymaster_default.te b/tee/mobicore/common/hal_keymaster_default.te

new file mode 100644 (file)

index 0000000..357775b
--- /dev/null
+++ b/tee/mobicore/common/hal_keymaster_default.te
@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/common/property.te b/tee/mobicore/common/property.te

new file mode 100644 (file)

index 0000000..183c2a5
--- /dev/null
+++ b/tee/mobicore/common/property.te
@@ -0,0 +1 @@
+type tee_prop, property_type;
diff --git a/tee/mobicore/common/tee.te b/tee/mobicore/common/tee.te

new file mode 100644 (file)

index 0000000..40359c6
--- /dev/null
+++ b/tee/mobicore/common/tee.te
@@ -0,0 +1,15 @@
+allow tee efs_file:dir { search getattr };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
+allow tee init:unix_stream_socket connectto;
+allow tee property_socket:sock_file write;
+allow tee prov_efs_file:dir search;
+
+set_prop(tee, tee_prop)
+
+# /dev/t-base-tui
+allow tee tee_device:chr_file r_file_perms;
+
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
+allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/tee/mobicore/file.te b/tee/mobicore/file.te

deleted file mode 100644 (file)

index b6898fd..0000000
--- a/tee/mobicore/file.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type mobicore_vendor_data_file, file_type, data_file_type;
-type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/file_contexts b/tee/mobicore/file_contexts

deleted file mode 100644 (file)

index 0a339be..0000000
--- a/tee/mobicore/file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-/dev/mobicore                                u:object_r:tee_device:s0
-/dev/mobicore-user                           u:object_r:tee_device:s0
-/dev/t-base-tui                              u:object_r:tee_device:s0
diff --git a/tee/mobicore/hal_fingerprint_default.te b/tee/mobicore/hal_fingerprint_default.te

deleted file mode 100644 (file)

index ceb8aa4..0000000
--- a/tee/mobicore/hal_fingerprint_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore-user
-allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_gatekeeper_default.te b/tee/mobicore/hal_gatekeeper_default.te

deleted file mode 100644 (file)

index c63173c..0000000
--- a/tee/mobicore/hal_gatekeeper_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore-user
-allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_keymaster_default.te b/tee/mobicore/hal_keymaster_default.te

deleted file mode 100644 (file)

index 357775b..0000000
--- a/tee/mobicore/hal_keymaster_default.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/init.te b/tee/mobicore/init.te

deleted file mode 100644 (file)

index d32233d..0000000
--- a/tee/mobicore/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore, /dev/t-base-tui
-allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/legacy/init.te b/tee/mobicore/legacy/init.te

new file mode 100644 (file)

index 0000000..d32233d
--- /dev/null
+++ b/tee/mobicore/legacy/init.te
@@ -0,0 +1,2 @@
+# /dev/mobicore, /dev/t-base-tui
+allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/legacy/property_contexts b/tee/mobicore/legacy/property_contexts

new file mode 100644 (file)

index 0000000..d9bae11
--- /dev/null
+++ b/tee/mobicore/legacy/property_contexts
@@ -0,0 +1 @@
+sys.mobicoredaemon.enable           u:object_r:tee_prop:s0
diff --git a/tee/mobicore/legacy/tee.te b/tee/mobicore/legacy/tee.te

new file mode 100644 (file)

index 0000000..df22691
--- /dev/null
+++ b/tee/mobicore/legacy/tee.te
@@ -0,0 +1 @@
+set_prop(tee, system_prop)
diff --git a/tee/mobicore/legacy/vendor_init.te b/tee/mobicore/legacy/vendor_init.te

new file mode 100644 (file)

index 0000000..57f9235
--- /dev/null
+++ b/tee/mobicore/legacy/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init mobicore_data_file:dir setattr;
diff --git a/tee/mobicore/property.te b/tee/mobicore/property.te

deleted file mode 100644 (file)

index 183c2a5..0000000
--- a/tee/mobicore/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type tee_prop, property_type;
diff --git a/tee/mobicore/property_contexts b/tee/mobicore/property_contexts

deleted file mode 100644 (file)

index fb62b98..0000000
--- a/tee/mobicore/property_contexts
+++ /dev/null
@@ -1 +0,0 @@
-sys.mobicoredaemon.enable      u:object_r:tee_prop:s0
diff --git a/tee/mobicore/tee.te b/tee/mobicore/tee.te

deleted file mode 100644 (file)

index 667c8be..0000000
--- a/tee/mobicore/tee.te
+++ /dev/null
@@ -1,15 +0,0 @@
-allow tee efs_file:dir { search getattr };
-allow tee efs_file:file r_file_perms;
-allow tee gatekeeper_efs_file:dir r_dir_perms;
-allow tee gatekeeper_efs_file:file r_file_perms;
-allow tee init:unix_stream_socket connectto;
-allow tee property_socket:sock_file write;
-allow tee prov_efs_file:dir search;
-allow tee system_prop:property_service set;
-allow tee tee_prop:property_service set;
-
-# /dev/t-base-tui
-allow tee tee_device:chr_file r_file_perms;
-
-allow tee mobicore_vendor_data_file:dir r_dir_perms;
-allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/tee/mobicore/treble/property_contexts b/tee/mobicore/treble/property_contexts

new file mode 100644 (file)

index 0000000..618c059
--- /dev/null
+++ b/tee/mobicore/treble/property_contexts
@@ -0,0 +1 @@
+vendor.sys.mobicoredaemon.enable    u:object_r:tee_prop:s0
diff --git a/tee/mobicore/vendor_init.te b/tee/mobicore/vendor_init.te

deleted file mode 100644 (file)

index 57f9235..0000000
--- a/tee/mobicore/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vendor_init mobicore_data_file:dir setattr;
author	Jan Altensen <info@stricted.net>
	Sun, 18 Oct 2020 11:38:56 +0000 (13:38 +0200)
committer	Jan Altensen <info@stricted.net>
	Tue, 22 Dec 2020 12:00:49 +0000 (13:00 +0100)
sepolicy.mk		patch \| blob \| blame \| history
tee/mobicore/common/file.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/common/file_contexts	[new file with mode: 0644]	patch \| blob
tee/mobicore/common/hal_fingerprint_default.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/common/hal_gatekeeper_default.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/common/hal_keymaster_default.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/common/property.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/common/tee.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/file.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/file_contexts	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/hal_fingerprint_default.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/hal_gatekeeper_default.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/hal_keymaster_default.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/init.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/legacy/init.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/legacy/property_contexts	[new file with mode: 0644]	patch \| blob
tee/mobicore/legacy/tee.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/legacy/vendor_init.te	[new file with mode: 0644]	patch \| blob
tee/mobicore/property.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/property_contexts	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/tee.te	[deleted file]	patch \| blob \| blame \| history
tee/mobicore/treble/property_contexts	[new file with mode: 0644]	patch \| blob
tee/mobicore/vendor_init.te	[deleted file]	patch \| blob \| blame \| history