mobicore: Add missing vendor_file_type attribute to mobicore_vendor_file

 * also take away the write access from these HALs
   which are causing neverallows
 * Thanks fcuzzocrea for notifying

Change-Id: Id647d208bd9c44189935d5467ec99edb81a57e64
Signed-off-by: SamarV-121 <samarvispute121@gmail.com>

diff --git a/tee/mobicore/common/file.te b/tee/mobicore/common/file.te
index 479906cb1ebb0d93a2bda19d8e3cbe1271002817..beac200ab58919b55d1b4006160b647ccaa2748c 100644 (file)
--- a/tee/mobicore/common/file.te
+++ b/tee/mobicore/common/file.te
@@ -1,4 +1,4 @@
 type mobicore_vendor_data_file, file_type, data_file_type;
 type mobicore_data_file, file_type, core_data_file_type, data_file_type;
 type gatekeeper_efs_file, file_type;
-type mobicore_vendor_file, file_type;
+type mobicore_vendor_file, file_type, vendor_file_type;

diff --git a/tee/mobicore/common/hal_gatekeeper_default.te b/tee/mobicore/common/hal_gatekeeper_default.te
index 0b8d0037f3a3b9fcaf3affc0748d2c4545e7d8d0..5b017e53c1e9888ae654881efd4ce7bfde266308 100644 (file)
--- a/tee/mobicore/common/hal_gatekeeper_default.te
+++ b/tee/mobicore/common/hal_gatekeeper_default.te
@@ -3,4 +3,4 @@ allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
 
 # /vendor/app/mcRegistry/
 allow hal_gatekeeper_default mobicore_vendor_file:dir search;
-allow hal_gatekeeper_default mobicore_vendor_file:file rw_file_perms;
+allow hal_gatekeeper_default mobicore_vendor_file:file r_file_perms;

diff --git a/tee/mobicore/common/hal_keymaster_default.te b/tee/mobicore/common/hal_keymaster_default.te
index ec1add1bad0c549992f98825c4c9a7106602c168..8d3f63d1f11b314347945c28426edcb3092cd2a5 100644 (file)
--- a/tee/mobicore/common/hal_keymaster_default.te
+++ b/tee/mobicore/common/hal_keymaster_default.te
@@ -2,4 +2,4 @@ get_prop(hal_keymaster_default, tee_prop)
 
 # /vendor/app/mcRegistry/
 allow hal_keymaster_default mobicore_vendor_file:dir search;
-allow hal_keymaster_default mobicore_vendor_file:file rw_file_perms;
+allow hal_keymaster_default mobicore_vendor_file:file r_file_perms;