From: SamarV-121 Date: Thu, 15 Jul 2021 17:13:40 +0000 (+0530) Subject: mobicore: Add sepolicy for trustonic HALs X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=f3f6824111b3b39281dbdc96d6749dc82a69979b;p=GitHub%2FLineageOS%2Fandroid_device_samsung_slsi_sepolicy.git mobicore: Add sepolicy for trustonic HALs Change-Id: I061a91244c8ce5e9fb3528e1a188187a551a786a Signed-off-by: SamarV-121 --- diff --git a/tee/mobicore/common/attributes b/tee/mobicore/common/attributes new file mode 100644 index 0000000..b19b41e --- /dev/null +++ b/tee/mobicore/common/attributes @@ -0,0 +1,6 @@ +attribute hal_tee_client; +attribute hal_tee_server; +attribute hal_tee; +attribute hal_teeregistry_client; +attribute hal_teeregistry_server; +attribute hal_teeregistry; diff --git a/tee/mobicore/common/file_contexts b/tee/mobicore/common/file_contexts index c81d956..a0c3110 100644 --- a/tee/mobicore/common/file_contexts +++ b/tee/mobicore/common/file_contexts @@ -5,3 +5,6 @@ /dev/t-base-tui u:object_r:tee_device:s0 /(vendor|system/vendor)/app/mcRegistry(/.*)? u:object_r:mobicore_vendor_file:s0 + +/(vendor|system/vendor)/bin/hw/vendor\.trustonic\.tee@[0-9]\.[0-9]-service u:object_r:hal_tee_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.trustonic\.teeregistry@[0-9]\.[0-9]-service u:object_r:hal_teeregistry_default_exec:s0 diff --git a/tee/mobicore/common/hal_tee_default.te b/tee/mobicore/common/hal_tee_default.te new file mode 100644 index 0000000..11c19f3 --- /dev/null +++ b/tee/mobicore/common/hal_tee_default.te @@ -0,0 +1,17 @@ +type hal_tee_default, domain; +type hal_tee_default_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_tee_default) + +hal_client_domain(hal_tee_default, hal_allocator) +hal_server_domain(hal_tee_default, hal_tee) + +binder_call(hal_tee_client, hal_tee_server) +binder_call(hal_tee_server, hal_tee_client) + +add_hwservice(hal_tee_server, hal_tee_hwservice) +allow hal_tee_client hal_tee_hwservice:hwservice_manager find; + +allow hal_tee_default hidl_memory_hwservice:hwservice_manager find; + +allow hal_tee_default tee_device:chr_file rw_file_perms; diff --git a/tee/mobicore/common/hal_teeregistry_default.te b/tee/mobicore/common/hal_teeregistry_default.te new file mode 100644 index 0000000..e8081ba --- /dev/null +++ b/tee/mobicore/common/hal_teeregistry_default.te @@ -0,0 +1,21 @@ +type hal_teeregistry_default, domain; +type hal_teeregistry_default_exec, exec_type, vendor_file_type, file_type; + +init_daemon_domain(hal_teeregistry_default) + +hal_client_domain(hal_teeregistry_default, hal_allocator) +hal_server_domain(hal_teeregistry_default, hal_teeregistry) + +binder_call(hal_teeregistry_client, hal_teeregistry_server) +binder_call(hal_teeregistry_server, hal_teeregistry_client) + +add_hwservice(hal_teeregistry_server, hal_teeregistry_hwservice) +allow hal_teeregistry_client hal_teeregistry_hwservice:hwservice_manager find; + +allow hal_teeregistry_default hidl_memory_hwservice:hwservice_manager find; + +allow hal_teeregistry_default tee_device:chr_file rw_file_perms; + +allow hal_teeregistry_default mobicore_vendor_data_file:dir create_dir_perms; +allow hal_teeregistry_default mobicore_vendor_data_file:file create_file_perms; +allow hal_teeregistry_default mobicore_vendor_file:file r_file_perms; diff --git a/tee/mobicore/common/hwservice.te b/tee/mobicore/common/hwservice.te new file mode 100644 index 0000000..ad72d05 --- /dev/null +++ b/tee/mobicore/common/hwservice.te @@ -0,0 +1,2 @@ +type hal_tee_hwservice, hwservice_manager_type; +type hal_teeregistry_hwservice, hwservice_manager_type; diff --git a/tee/mobicore/common/hwservice_contexts b/tee/mobicore/common/hwservice_contexts new file mode 100644 index 0000000..91ae376 --- /dev/null +++ b/tee/mobicore/common/hwservice_contexts @@ -0,0 +1,3 @@ +vendor.trustonic.tee::ITee u:object_r:hal_tee_hwservice:s0 +vendor.trustonic.tee.tui::ITui u:object_r:hal_tee_hwservice:s0 +vendor.trustonic.teeregistry::ITeeRegistry u:object_r:hal_teeregistry_hwservice:s0