BOARD_SEPOLICY_DIRS += \
device/samsung_slsi/sepolicy/common/vendor
+
+ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),teegris)
+BOARD_SEPOLICY_DIRS += \
+ device/samsung_slsi/sepolicy/tee/teegris/vendor
+endif
--- /dev/null
+# device.te
+
+type tz_device, dev_type;
+type tz_user_device, dev_type;
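Review bot: The two device types are declared without a comment saying how they differ, and the split only becomes visible in file_contexts, where tzic, tzirs and tuihw get tz_device while tzdev and tziwsock get tz_user_device. A one-line comment on each declaration would let a reviewer judge future allow rules against the intended boundary, e.g. `# privileged TEE control nodes: /dev/tzic, /dev/tzirs, /dev/tuihw` above tz_device and `# TEE client nodes: /dev/tzdev, /dev/tziwsock` above tz_user_device. Whether anything besides tzdaemon and tztsdaemon is meant to open tz_user_device is not shown in this change, so the second comment should state the actual intent.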
--- /dev/null
+# file.te
+
+# DATA
+type tee_vendor_data_file, file_type, data_file_type;
+
+# DEV SOCKET
+type tz_socket, file_type;
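Review bot: tz_socket is declared with only file_type and no comment on which domain creates the node it labels; the tzdaemon rules in this change grant just `sock_file { write }`, so tzdaemon is a client of /dev/socket/tz, not its creator. A comment such as `# labels /dev/socket/tz; the socket is created outside this policy (init socket entry?) and tzdaemon only connects to it` would record that, with the creator filled in once known. Without it, a later reader cannot tell whether the missing create/setattr rules are an omission or deliberate.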
--- /dev/null
+# file_contexts
+
+# DATA
+/data/vendor/tee(/.*)? u:object_r:tee_vendor_data_file:s0
+
+# DEV
+/dev/socket/tz u:object_r:tz_socket:s0
+/dev/tuihw u:object_r:tz_device:s0
+/dev/tzdev u:object_r:tz_user_device:s0
+/dev/tzic u:object_r:tz_device:s0
+/dev/tzirs u:object_r:tz_device:s0
+/dev/tziwsock u:object_r:tz_user_device:s0
+
+# VENDOR
+/(vendor|system/vendor)/bin/tzdaemon u:object_r:tzdaemon_exec:s0
+/(vendor|system/vendor)/bin/tzts_daemon u:object_r:tztsdaemon_exec:s0
+
+/(vendor|system/vendor)/lib(64)?/libteecl\.so u:object_r:same_process_hal_file:s0
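Review bot: libteecl.so is labelled same_process_hal_file, so it is loaded into the calling process rather than into a HAL daemon, yet the only domains granted access to tz_user_device in this change are tzdaemon and tztsdaemon. If that client library opens /dev/tzdev or /dev/tziwsock on behalf of its host process, every host domain will need its own chr_file rule, and a comment next to the label recording which domains are expected to load it would make that explicit. Also worth a comment is why /dev/tzdev sits in tz_user_device alongside /dev/tziwsock while /dev/tzic, /dev/tzirs and /dev/tuihw share tz_device, since that grouping decides what any future rule on tz_user_device exposes.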
--- /dev/null
+# property.te
+type vendor_secureos_prop, property_type;
+type vendor_tzdaemon_prop, property_type;
+type vendor_tztsdaemon_prop, property_type;
--- /dev/null
+# property_contexts
+
+# TEEGRIS
+vendor.secureos. u:object_r:vendor_secureos_prop:s0
+vendor.tzdaemon u:object_r:vendor_tzdaemon_prop:s0
+vendor.tzts_daemon u:object_r:vendor_tztsdaemon_prop:s0
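Review bot: The three entries use different prefix shapes: `vendor.secureos.` ends with a dot while `vendor.tzdaemon` and `vendor.tzts_daemon` do not, and property_contexts entries without an explicit `exact` keyword are prefix matches, so `vendor.tzdaemon` also covers any property whose name merely begins with that string, not only `vendor.tzdaemon` itself or `vendor.tzdaemon.*`. If each of the last two is a single property, `vendor.tzdaemon u:object_r:vendor_tzdaemon_prop:s0 exact` pins it; if they are namespaces, a trailing dot as on the secureos line keeps the match tidy. Either way a comment naming the properties tzdaemon and tztsdaemon actually set would let the labels be checked against the daemons.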
--- /dev/null
+type tzdaemon, domain;
+type tzdaemon_exec, exec_type, vendor_file_type, file_type;
+
+# tzdaemon is started by init, type transit from init domain to tzdaemon domain
+init_daemon_domain(tzdaemon)
+
+set_prop(tzdaemon, vendor_tzdaemon_prop)
+set_prop(tzdaemon, vendor_secureos_prop)
+
+allow tzdaemon tz_device:chr_file rw_file_perms;
+allow tzdaemon tz_user_device:chr_file rw_file_perms;
+allow tzdaemon tz_socket:sock_file { write };
+
+# /dev/kmsg
+allow tzdaemon kmsg_device:chr_file rw_file_perms;
+
+# /data/vendor/tee
+allow tzdaemon tee_vendor_data_file:dir create_dir_perms;
+allow tzdaemon tee_vendor_data_file:file create_file_perms;
+
+# /proc/stat
+allow tzdaemon proc_stat:file r_file_perms;
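Review bot: `allow tzdaemon kmsg_device:chr_file rw_file_perms;` grants read on /dev/kmsg although the comment only identifies it as the kernel log sink; writing log lines needs w_file_perms, while read access exposes the entire kernel log, a well-known disclosure surface that dmesg_restrict exists to close. Unless tzdaemon actually consumes the kernel log, narrow it to `allow tzdaemon kmsg_device:chr_file w_file_perms;`. Separately, `tz_socket:sock_file { write }` on its own only allows the connect() path through the filesystem node; reaching a Unix stream socket also needs `unix_stream_socket connectto` against the domain that owns it, which this change does not name, so either that rule lives elsewhere or the socket is datagram-only, and a comment saying which would help.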
--- /dev/null
+type tztsdaemon, domain;
+type tztsdaemon_exec, exec_type, vendor_file_type, file_type;
+
+# tztsdaemon is started by init, type transit from init domain to tztsdaemon domain
+init_daemon_domain(tztsdaemon)
+
+set_prop(tztsdaemon, vendor_tztsdaemon_prop)
+
+# /dev/tziwsock
+allow tztsdaemon tz_user_device:chr_file rw_file_perms;