From: Andreas Schneider
Date: Sun, 15 Mar 2020 18:09:12 +0000 (+0100)
Subject: tee: Add policy for teegris
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=5b5ca512c6bc4ba3eb1b7e9d7b8cbc9f4fbcf695;p=GitHub%2FLineageOS%2Fandroid_device_samsung_slsi_sepolicy.git
tee: Add policy for teegris
Change-Id: I932448f021ba5da02d0469ff968529bc7981578a
---
diff --git a/sepolicy.mk b/sepolicy.mk
index 037d8b6..333b143 100644
--- a/sepolicy.mk
+++ b/sepolicy.mk
@@ -10,3 +10,8 @@ BOARD_PLAT_PRIVATE_SEPOLICY_DIR += \
 BOARD_SEPOLICY_DIRS += \
  device/samsung_slsi/sepolicy/common/vendor
+
+ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),teegris)
+BOARD_SEPOLICY_DIRS += \
+ device/samsung_slsi/sepolicy/tee/teegris/vendor
+endif
diff --git a/tee/teegris/vendor/device.te b/tee/teegris/vendor/device.te
new file mode 100644
index 0000000..b9c83a5
--- /dev/null
+++ b/tee/teegris/vendor/device.te
@@ -0,0 +1,4 @@
+# device.te
+
+type tz_device, dev_type;
+type tz_user_device, dev_type;
diff --git a/tee/teegris/vendor/file.te b/tee/teegris/vendor/file.te
new file mode 100644
index 0000000..8acdd68
--- /dev/null
+++ b/tee/teegris/vendor/file.te
@@ -0,0 +1,7 @@
+# file.te
+
+# DATA
+type tee_vendor_data_file, file_type, data_file_type;
+
+# DEV SOCKET
+type tz_socket, file_type;
diff --git a/tee/teegris/vendor/file_contexts b/tee/teegris/vendor/file_contexts
new file mode 100644
index 0000000..f66c3c6
--- /dev/null
+++ b/tee/teegris/vendor/file_contexts
@@ -0,0 +1,18 @@
+# file_contexts
+
+# DATA
+/data/vendor/tee(/.*)? u:object_r:tee_vendor_data_file:s0
+
+# DEV
+/dev/socket/tz u:object_r:tz_socket:s0
+/dev/tuihw u:object_r:tz_device:s0
+/dev/tzdev u:object_r:tz_user_device:s0
+/dev/tzic u:object_r:tz_device:s0
+/dev/tzirs u:object_r:tz_device:s0
+/dev/tziwsock u:object_r:tz_user_device:s0
+
+# VENDOR
+/(vendor|system/vendor)/bin/tzdaemon u:object_r:tzdaemon_exec:s0
+/(vendor|system/vendor)/bin/tzts_daemon u:object_r:tztsdaemon_exec:s0
+
+/(vendor|system/vendor)/lib(64)?/libteecl\.so u:object_r:same_process_hal_file:s0
diff --git a/tee/teegris/vendor/property.te b/tee/teegris/vendor/property.te
new file mode 100644
index 0000000..231d68e
--- /dev/null
+++ b/tee/teegris/vendor/property.te
@@ -0,0 +1,4 @@
+# property.te
+type vendor_secureos_prop, property_type;
+type vendor_tzdaemon_prop, property_type;
+type vendor_tztsdaemon_prop, property_type;
diff --git a/tee/teegris/vendor/property_contexts b/tee/teegris/vendor/property_contexts
new file mode 100644
index 0000000..7ce7710
--- /dev/null
+++ b/tee/teegris/vendor/property_contexts
@@ -0,0 +1,6 @@
+# property_contexts
+
+# TEEGRIS
+vendor.secureos. u:object_r:vendor_secureos_prop:s0
+vendor.tzdaemon u:object_r:vendor_tzdaemon_prop:s0
+vendor.tzts_daemon u:object_r:vendor_tztsdaemon_prop:s0
diff --git a/tee/teegris/vendor/tzdaemon.te b/tee/teegris/vendor/tzdaemon.te
new file mode 100644
index 0000000..7293421
--- /dev/null
+++ b/tee/teegris/vendor/tzdaemon.te
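Review bot: Labelling libteecl.so as `same_process_hal_file` on the last line of the hunk means the library is mapped into each TEE client's own process and runs in the client's SELinux domain, so whatever device access it performs must be granted to those client domains; nothing in this commit adds such rules, and tzdaemon's `tz_user_device` access does not cover clients. Presumably the client library opens /dev/tzdev (labelled `tz_user_device` a few lines up), but the library itself is not visible here, so confirm which nodes it touches. A comment on that line would save the next person from granting the access to the wrong domain, e.g. `# loaded in-process by TEE clients: grant tz_user_device to each client domain, not to tzdaemon`. Note also that /dev/tzdev and /dev/tziwsock share one label, so any rule written for one of them implicitly covers the other.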
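Review bot: The three property types are declared with bare `property_type`; on Android releases where vendor-defined properties are expected to carry `vendor_property_type` (typically via the `vendor_internal_prop()` macro, which also keeps them out of coredomain's reach), these declarations would fail the platform neverallows at policy build time, so `vendor_internal_prop(vendor_secureos_prop)` and friends are worth using if the target release provides the macro. Which release this targets is not visible from the diff, so treat this as something to confirm against the platform policy. Either way a one-line ownership comment per type (`# set by tzdaemon`, `# set by tztsdaemon`) would help, since the contexts and the set_prop rules live in separate files.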
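Review bot: In the legacy property_contexts format every entry is a prefix match, so `vendor.tzdaemon` and `vendor.tzts_daemon` (no trailing dot, unlike `vendor.secureos.`) also label any future `vendor.tzdaemon_*` or `vendor.tzts_daemon.*` property, which is broader than the per-daemon types suggest. If the intent is a single property per daemon, the `exact` keyword (where the build supports it) or a trailing dot on a real prefix pins it down, e.g. `vendor.tzdaemon u:object_r:vendor_tzdaemon_prop:s0 exact`. A short comment stating the intended property names would make the choice reviewable without the daemons' source.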
@@ -0,0 +1,22 @@
+type tzdaemon, domain;
+type tzdaemon_exec, exec_type, vendor_file_type, file_type;
+
+# tzdaemon is started by init, type transit from init domain to tzdaemon domain
+init_daemon_domain(tzdaemon)
+
+set_prop(tzdaemon, vendor_tzdaemon_prop)
+set_prop(tzdaemon, vendor_secureos_prop)
+
+allow tzdaemon tz_device:chr_file rw_file_perms;
+allow tzdaemon tz_user_device:chr_file rw_file_perms;
+allow tzdaemon tz_socket:sock_file { write };
+
+# /dev/kmsg
+allow tzdaemon kmsg_device:chr_file rw_file_perms;
+
+# /data/vendor/tee
+allow tzdaemon tee_vendor_data_file:dir create_dir_perms;
+allow tzdaemon tee_vendor_data_file:file create_file_perms;
+
+# /proc/stat
+allow tzdaemon proc_stat:file r_file_perms;
diff --git a/tee/teegris/vendor/tztsdaemon.te b/tee/teegris/vendor/tztsdaemon.te
new file mode 100644
index 0000000..0a442c4
--- /dev/null
+++ b/tee/teegris/vendor/tztsdaemon.te
@@ -0,0 +1,10 @@
+type tztsdaemon, domain;
+type tztsdaemon_exec, exec_type, vendor_file_type, file_type;
+
+# tztsdaemon is started by init, type transit from init domain to tztsdaemon domain
+init_daemon_domain(tztsdaemon)
+
+set_prop(tztsdaemon, vendor_tztsdaemon_prop)
+
+# /dev/tziwsock
+allow tztsdaemon tz_user_device:chr_file rw_file_perms;
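Review bot: The `/dev/kmsg` rule grants `rw_file_perms`, which includes reading the kernel log ring buffer rather than just appending to it; if tzdaemon only writes log lines, `allow tzdaemon kmsg_device:chr_file w_file_perms;` is the least-privilege form, and if it genuinely reads kmsg the comment above the rule should say why, since kernel log reads expose kernel addresses and are otherwise tightly limited. Separately, `tz_socket:sock_file { write }` alone lets the daemon reach the socket node but connecting also needs `unix_stream_socket connectto` toward whichever domain listens on /dev/socket/tz; that may already be granted in a file outside this commit, but a comment naming the peer would make the rule self-explanatory.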
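Review bot: The comment `# /dev/tziwsock` above the last line is narrower than the rule: `tz_user_device` is also the label given to /dev/tzdev in this commit's file_contexts, so tztsdaemon gets read/write on both nodes. If only the tziwsock interface is meant, give it its own type (`type tz_iwsock_device, dev_type;`, relabel `/dev/tziwsock` to it, and use that here); otherwise correct the comment to `# /dev/tziwsock and /dev/tzdev (both tz_user_device)` so the grant is documented as intended.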