From fab78920c704e363dd09dd5b854ed9927c318a05 Mon Sep 17 00:00:00 2001
From: Henrik Grimler
Date: Sat, 5 Sep 2020 20:23:59 +0200
Subject: [PATCH] tee: add mobicore sepolicy for exynos8895

Tested on dream2lte.

Change-Id: I6a9c001f22728eb68743e0833e97e6b4d09bf0d9
---
 sepolicy.mk | 3 +++
 tee/mobicore/file.te | 2 ++
 tee/mobicore/file_contexts | 3 +++
 tee/mobicore/hal_fingerprint_default.te | 2 ++
 tee/mobicore/hal_gatekeeper_default.te | 2 ++
 tee/mobicore/hal_keymaster_default.te | 1 +
 tee/mobicore/init.te | 2 ++
 tee/mobicore/property.te | 1 +
 tee/mobicore/property_contexts | 1 +
 tee/mobicore/tee.te | 15 +++++++++++++++
 tee/mobicore/vendor_init.te | 1 +
 11 files changed, 33 insertions(+)
 create mode 100644 tee/mobicore/file.te
 create mode 100644 tee/mobicore/file_contexts
 create mode 100644 tee/mobicore/hal_fingerprint_default.te
 create mode 100644 tee/mobicore/hal_gatekeeper_default.te
 create mode 100644 tee/mobicore/hal_keymaster_default.te
 create mode 100644 tee/mobicore/init.te
 create mode 100644 tee/mobicore/property.te
 create mode 100644 tee/mobicore/property_contexts
 create mode 100644 tee/mobicore/tee.te
 create mode 100644 tee/mobicore/vendor_init.te
diff --git a/sepolicy.mk b/sepolicy.mk
index a58ff71..68644a6 100644
--- a/sepolicy.mk
+++ b/sepolicy.mk
@@ -17,4 +17,7 @@ BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
 BOARD_SEPOLICY_DIRS += \
 device/samsung_slsi/sepolicy/tee/teegris/vendor
+else ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),mobicore)
+BOARD_SEPOLICY_DIRS += \
+ device/samsung_slsi/sepolicy/tee/mobicore
 endif
diff --git a/tee/mobicore/file.te b/tee/mobicore/file.te
new file mode 100644
index 0000000..b6898fd
--- /dev/null
+++ b/tee/mobicore/file.te
@@ -0,0 +1,2 @@
+type mobicore_vendor_data_file, file_type, data_file_type;
+type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/file_contexts b/tee/mobicore/file_contexts
new file mode 100644
index 0000000..0a339be
--- /dev/null
+++ b/tee/mobicore/file_contexts
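Review bot: `mobicore_data_file` is declared with `core_data_file_type` in file.te, yet the only rule on it anywhere in this change is `allow vendor_init mobicore_data_file:dir setattr;` in vendor_init.te, and as far as I recall AOSP's vendor_init rules exclude `core_data_file_type` precisely because that attribute marks system-owned /data, so either the attribute or the vendor_init rule is likely wrong and a comment should state which path this type labels and why it needs the core attribute. Neither `mobicore_data_file` nor `mobicore_vendor_data_file` is assigned to any path by the file_contexts hunk, which only labels the three /dev nodes, so unless the labels come from a file_contexts outside this patch the types and the rules in tee.te and vendor_init.te are dead policy. A line such as `<daemon-data-path>(/.*)? u:object_r:mobicore_vendor_data_file:s0` (placeholder for the directory the daemon actually uses) would make the mobicore policy self-contained.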
@@ -0,0 +1,3 @@
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+/dev/t-base-tui u:object_r:tee_device:s0
diff --git a/tee/mobicore/hal_fingerprint_default.te b/tee/mobicore/hal_fingerprint_default.te
new file mode 100644
index 0000000..ceb8aa4
--- /dev/null
+++ b/tee/mobicore/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_gatekeeper_default.te b/tee/mobicore/hal_gatekeeper_default.te
new file mode 100644
index 0000000..c63173c
--- /dev/null
+++ b/tee/mobicore/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_keymaster_default.te b/tee/mobicore/hal_keymaster_default.te
new file mode 100644
index 0000000..357775b
--- /dev/null
+++ b/tee/mobicore/hal_keymaster_default.te
@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/init.te b/tee/mobicore/init.te
new file mode 100644
index 0000000..d32233d
--- /dev/null
+++ b/tee/mobicore/init.te
@@ -0,0 +1,2 @@
+# /dev/mobicore, /dev/t-base-tui
+allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/property.te b/tee/mobicore/property.te
new file mode 100644
index 0000000..183c2a5
--- /dev/null
+++ b/tee/mobicore/property.te
@@ -0,0 +1 @@
+type tee_prop, property_type;
diff --git a/tee/mobicore/property_contexts b/tee/mobicore/property_contexts
new file mode 100644
index 0000000..fb62b98
--- /dev/null
+++ b/tee/mobicore/property_contexts
@@ -0,0 +1 @@
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
diff --git a/tee/mobicore/tee.te b/tee/mobicore/tee.te
new file mode 100644
index 0000000..667c8be
--- /dev/null
+++ b/tee/mobicore/tee.te
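Review bot: All three nodes get the single label `tee_device`, so the per-file comments in hal_fingerprint_default.te, hal_gatekeeper_default.te and init.te (`# /dev/mobicore-user`, `# /dev/mobicore, /dev/t-base-tui`) record intent but constrain nothing: `allow hal_fingerprint_default tee_device:chr_file rw_file_perms;` also opens /dev/mobicore and /dev/t-base-tui read-write to the fingerprint HAL, and the `r_file_perms` rule in tee.te reaches /dev/mobicore-user as well. If /dev/mobicore is the daemon-side node and /dev/mobicore-user the client interface, as the comments suggest but the patch does not state, a second device type for the daemon-only nodes, declared and labelled here and granted only to the domains that need it, would make the HAL rules as narrow as their comments claim. Failing that, a comment in file_contexts saying the three nodes are deliberately interchangeable would at least record the decision. init.te should also say which rc action needs init itself, rather than the tee domain, to hold read-write on these nodes.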
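Review bot: `sys.mobicoredaemon.enable` sits in the `sys.` namespace but is declared in a vendor property_contexts, and newer AOSP builds reject vendor-defined properties that are not under the `vendor.` prefix (or one of its variants) unless `BUILD_BROKEN_VENDOR_PROPERTY_NAMESPACE` is set, so this entry is likely to bite on a platform upgrade. If the name is dictated by the vendor daemon binary and cannot be changed, a comment above the entry saying so would save the next reviewer the question. The only reader added is `get_prop(hal_keymaster_default, tee_prop)` in hal_keymaster_default.te; a one-line comment there explaining why keymaster needs to observe the daemon-enable flag would be worth adding as well.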
@@ -0,0 +1,15 @@
+allow tee efs_file:dir { search getattr };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
+allow tee init:unix_stream_socket connectto;
+allow tee property_socket:sock_file write;
+allow tee prov_efs_file:dir search;
+allow tee system_prop:property_service set;
+allow tee tee_prop:property_service set;
+
+# /dev/t-base-tui
+allow tee tee_device:chr_file r_file_perms;
+
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
+allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/tee/mobicore/vendor_init.te b/tee/mobicore/vendor_init.te
new file mode 100644
index 0000000..57f9235
--- /dev/null
+++ b/tee/mobicore/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init mobicore_data_file:dir setattr;
-- 
2.20.1
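Review bot: `allow tee system_prop:property_service set;` lets the TEE daemon set every property labelled system_prop, not just the one this patch introduces, and on builds with Treble-compatible properties AOSP neverallows non-core domains setting core property types such as system_prop, so this line is either a neverallow failure waiting to happen or far broader than the daemon needs; since `sys.mobicoredaemon.enable` is already labelled `tee_prop`, the `tee_prop` line alone should cover it. The hand-expanded rules `allow tee init:unix_stream_socket connectto;`, `allow tee property_socket:sock_file write;` and `allow tee tee_prop:property_service set;` are exactly what `set_prop(tee, tee_prop)` generates, so using the macro shortens the file and makes any extra property target stand out on review. The read access to the whole `efs_file` type (`allow tee efs_file:file r_file_perms;`) is also wider than the `gatekeeper_efs_file`/`prov_efs_file` lines suggest is needed; if the daemon reads specific EFS paths, a comment naming them, or a dedicated type, would justify the rule.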