tee: add mobicore sepolicy for exynos8895

Tested on dream2lte.

Change-Id: I6a9c001f22728eb68743e0833e97e6b4d09bf0d9

diff --git a/sepolicy.mk b/sepolicy.mk
index a58ff71c21c38ffd4381855fe18d051fc7d4eceb..68644a687cf72f53ec8cd94858e382ca08f12f8c 100644 (file)
--- a/sepolicy.mk
+++ b/sepolicy.mk
@@ -17,4 +17,7 @@ BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
 
 BOARD_SEPOLICY_DIRS += \
     device/samsung_slsi/sepolicy/tee/teegris/vendor
+else ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),mobicore)
+BOARD_SEPOLICY_DIRS += \
+    device/samsung_slsi/sepolicy/tee/mobicore
 endif

diff --git a/tee/mobicore/file.te b/tee/mobicore/file.te
new file mode 100644 (file)
index 0000000..b6898fd
--- /dev/null
+++ b/tee/mobicore/file.te
@@ -0,0 +1,2 @@
+type mobicore_vendor_data_file, file_type, data_file_type;
+type mobicore_data_file, file_type, core_data_file_type, data_file_type;

diff --git a/tee/mobicore/file_contexts b/tee/mobicore/file_contexts
new file mode 100644 (file)
index 0000000..0a339be
--- /dev/null
+++ b/tee/mobicore/file_contexts
@@ -0,0 +1,3 @@
+/dev/mobicore                                u:object_r:tee_device:s0
+/dev/mobicore-user                           u:object_r:tee_device:s0
+/dev/t-base-tui                              u:object_r:tee_device:s0

diff --git a/tee/mobicore/hal_fingerprint_default.te b/tee/mobicore/hal_fingerprint_default.te
new file mode 100644 (file)
index 0000000..ceb8aa4
--- /dev/null
+++ b/tee/mobicore/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;

diff --git a/tee/mobicore/hal_gatekeeper_default.te b/tee/mobicore/hal_gatekeeper_default.te
new file mode 100644 (file)
index 0000000..c63173c
--- /dev/null
+++ b/tee/mobicore/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;

diff --git a/tee/mobicore/hal_keymaster_default.te b/tee/mobicore/hal_keymaster_default.te
new file mode 100644 (file)
index 0000000..357775b
--- /dev/null
+++ b/tee/mobicore/hal_keymaster_default.te
@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_prop)

diff --git a/tee/mobicore/init.te b/tee/mobicore/init.te
new file mode 100644 (file)
index 0000000..d32233d
--- /dev/null
+++ b/tee/mobicore/init.te
@@ -0,0 +1,2 @@
+# /dev/mobicore, /dev/t-base-tui
+allow init tee_device:chr_file rw_file_perms;

diff --git a/tee/mobicore/property.te b/tee/mobicore/property.te
new file mode 100644 (file)
index 0000000..183c2a5
--- /dev/null
+++ b/tee/mobicore/property.te
@@ -0,0 +1 @@
+type tee_prop, property_type;

diff --git a/tee/mobicore/property_contexts b/tee/mobicore/property_contexts
new file mode 100644 (file)
index 0000000..fb62b98
--- /dev/null
+++ b/tee/mobicore/property_contexts
@@ -0,0 +1 @@
+sys.mobicoredaemon.enable      u:object_r:tee_prop:s0

diff --git a/tee/mobicore/tee.te b/tee/mobicore/tee.te
new file mode 100644 (file)
index 0000000..667c8be
--- /dev/null
+++ b/tee/mobicore/tee.te
@@ -0,0 +1,15 @@
+allow tee efs_file:dir { search getattr };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
+allow tee init:unix_stream_socket connectto;
+allow tee property_socket:sock_file write;
+allow tee prov_efs_file:dir search;
+allow tee system_prop:property_service set;
+allow tee tee_prop:property_service set;
+
+# /dev/t-base-tui
+allow tee tee_device:chr_file r_file_perms;
+
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
+allow tee mobicore_vendor_data_file:file rw_file_perms;

diff --git a/tee/mobicore/vendor_init.te b/tee/mobicore/vendor_init.te
new file mode 100644 (file)
index 0000000..57f9235
--- /dev/null
+++ b/tee/mobicore/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init mobicore_data_file:dir setattr;