mobicore: Add sepolicy for trustonic HALs

Change-Id: I061a91244c8ce5e9fb3528e1a188187a551a786a
Signed-off-by: SamarV-121 <samarvispute121@gmail.com>

diff --git a/tee/mobicore/common/attributes b/tee/mobicore/common/attributes
new file mode 100644 (file)
index 0000000..b19b41e
--- /dev/null
+++ b/tee/mobicore/common/attributes
@@ -0,0 +1,6 @@
+attribute hal_tee_client;
+attribute hal_tee_server;
+attribute hal_tee;
+attribute hal_teeregistry_client;
+attribute hal_teeregistry_server;
+attribute hal_teeregistry;

diff --git a/tee/mobicore/common/file_contexts b/tee/mobicore/common/file_contexts
index c81d9567a83cfec8766b631df115dffeb44414c9..a0c31105b083f9a503b2296cca40431ce02b4994 100644 (file)
--- a/tee/mobicore/common/file_contexts
+++ b/tee/mobicore/common/file_contexts
@@ -5,3 +5,6 @@
 /dev/t-base-tui                              u:object_r:tee_device:s0
 
 /(vendor|system/vendor)/app/mcRegistry(/.*)? u:object_r:mobicore_vendor_file:s0
+
+/(vendor|system/vendor)/bin/hw/vendor\.trustonic\.tee@[0-9]\.[0-9]-service                        u:object_r:hal_tee_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.trustonic\.teeregistry@[0-9]\.[0-9]-service                u:object_r:hal_teeregistry_default_exec:s0

diff --git a/tee/mobicore/common/hal_tee_default.te b/tee/mobicore/common/hal_tee_default.te
new file mode 100644 (file)
index 0000000..11c19f3
--- /dev/null
+++ b/tee/mobicore/common/hal_tee_default.te
@@ -0,0 +1,17 @@
+type hal_tee_default, domain;
+type hal_tee_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_tee_default)
+
+hal_client_domain(hal_tee_default, hal_allocator)
+hal_server_domain(hal_tee_default, hal_tee)
+
+binder_call(hal_tee_client, hal_tee_server)
+binder_call(hal_tee_server, hal_tee_client)
+
+add_hwservice(hal_tee_server, hal_tee_hwservice)
+allow hal_tee_client hal_tee_hwservice:hwservice_manager find;
+
+allow hal_tee_default hidl_memory_hwservice:hwservice_manager find;
+
+allow hal_tee_default tee_device:chr_file rw_file_perms;

diff --git a/tee/mobicore/common/hal_teeregistry_default.te b/tee/mobicore/common/hal_teeregistry_default.te
new file mode 100644 (file)
index 0000000..e8081ba
--- /dev/null
+++ b/tee/mobicore/common/hal_teeregistry_default.te
@@ -0,0 +1,21 @@
+type hal_teeregistry_default, domain;
+type hal_teeregistry_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_teeregistry_default)
+
+hal_client_domain(hal_teeregistry_default, hal_allocator)
+hal_server_domain(hal_teeregistry_default, hal_teeregistry)
+
+binder_call(hal_teeregistry_client, hal_teeregistry_server)
+binder_call(hal_teeregistry_server, hal_teeregistry_client)
+
+add_hwservice(hal_teeregistry_server, hal_teeregistry_hwservice)
+allow hal_teeregistry_client hal_teeregistry_hwservice:hwservice_manager find;
+
+allow hal_teeregistry_default hidl_memory_hwservice:hwservice_manager find;
+
+allow hal_teeregistry_default tee_device:chr_file rw_file_perms;
+
+allow hal_teeregistry_default mobicore_vendor_data_file:dir create_dir_perms;
+allow hal_teeregistry_default mobicore_vendor_data_file:file create_file_perms;
+allow hal_teeregistry_default mobicore_vendor_file:file r_file_perms;

diff --git a/tee/mobicore/common/hwservice.te b/tee/mobicore/common/hwservice.te
new file mode 100644 (file)
index 0000000..ad72d05
--- /dev/null
+++ b/tee/mobicore/common/hwservice.te
@@ -0,0 +1,2 @@
+type hal_tee_hwservice, hwservice_manager_type;
+type hal_teeregistry_hwservice, hwservice_manager_type;

diff --git a/tee/mobicore/common/hwservice_contexts b/tee/mobicore/common/hwservice_contexts
new file mode 100644 (file)
index 0000000..91ae376
--- /dev/null
+++ b/tee/mobicore/common/hwservice_contexts
@@ -0,0 +1,3 @@
+vendor.trustonic.tee::ITee                                           u:object_r:hal_tee_hwservice:s0
+vendor.trustonic.tee.tui::ITui                                       u:object_r:hal_tee_hwservice:s0
+vendor.trustonic.teeregistry::ITeeRegistry                           u:object_r:hal_teeregistry_hwservice:s0