From: Jan Altensen
Date: Sun, 18 Oct 2020 11:38:56 +0000 (+0200)
Subject: mobicore: split into legacy and treble folders
X-Git-Url: https://git.stricted.de/?p=GitHub%2FLineageOS%2Fandroid_device_samsung_slsi_sepolicy.git;a=commitdiff_plain;h=c65590b7211ca033191f8808944e13d2fab2b730
mobicore: split into legacy and treble folders
Change-Id: I44bdbc49944be89314f1f96d8a2c1c9fb58e1352
(cherry picked from commit 15a5fc063c5f37847cdc6e631e0deaeba28efbd7)
---
diff --git a/sepolicy.mk b/sepolicy.mk
index 68644a6..09305d6 100644
--- a/sepolicy.mk
+++ b/sepolicy.mk
@@ -18,6 +18,19 @@ BOARD_PLAT_PUBLIC_SEPOLICY_DIR += \
 BOARD_SEPOLICY_DIRS += \
 device/samsung_slsi/sepolicy/tee/teegris/vendor
 else ifeq ($(BOARD_SEPOLICY_TEE_FLAVOR),mobicore)
+POLICY_TYPE := legacy
+# a device might not set the shipping api level
+# check if its empty to avoid erroring out in the next if
+ifeq ($(PRODUCT_SHIPPING_API_LEVEL),)
+$(warning no product shipping level defined, defaulting to legacy policy)
+# devices launched with oreo or later should be treble
+else ifneq ($(call math_gt_or_eq,$(PRODUCT_SHIPPING_API_LEVEL),26),)
+POLICY_TYPE := treble
+endif
+
+BOARD_SEPOLICY_DIRS += \
+ device/samsung_slsi/sepolicy/tee/mobicore/$(POLICY_TYPE)
+
 BOARD_SEPOLICY_DIRS += \
- device/samsung_slsi/sepolicy/tee/mobicore
+ device/samsung_slsi/sepolicy/tee/mobicore/common
 endif
diff --git a/tee/mobicore/common/file.te b/tee/mobicore/common/file.te
new file mode 100644
index 0000000..b6898fd
--- /dev/null
+++ b/tee/mobicore/common/file.te
@@ -0,0 +1,2 @@
+type mobicore_vendor_data_file, file_type, data_file_type;
+type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/common/file_contexts b/tee/mobicore/common/file_contexts
new file mode 100644
index 0000000..0a339be
--- /dev/null
+++ b/tee/mobicore/common/file_contexts
@@ -0,0 +1,3 @@
+/dev/mobicore u:object_r:tee_device:s0
+/dev/mobicore-user u:object_r:tee_device:s0
+/dev/t-base-tui u:object_r:tee_device:s0
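Review bot: The fallback taken when `PRODUCT_SHIPPING_API_LEVEL` is empty selects `legacy`, which is the broader of the two rule sets in this commit (the legacy directory carries init's rw access to tee_device, tee's set on system_prop and vendor_init's setattr on mobicore_data_file, none of which the treble directory grants), so a device that merely forgot to set the variable ships the wider policy with only a build warning as a signal. Naming the variable in that warning would make the cause actionable, e.g. `$(warning PRODUCT_SHIPPING_API_LEVEL not set, defaulting mobicore sepolicy to legacy)`. `POLICY_TYPE` is also a bare global in a build that evaluates every product makefile in one namespace and is only assigned inside this branch; a self-describing prefixed name such as `MOBICORE_SEPOLICY_TYPE` would avoid an accidental collision silently selecting the wrong directory.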
diff --git a/tee/mobicore/common/hal_fingerprint_default.te b/tee/mobicore/common/hal_fingerprint_default.te
new file mode 100644
index 0000000..ceb8aa4
--- /dev/null
+++ b/tee/mobicore/common/hal_fingerprint_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/common/hal_gatekeeper_default.te b/tee/mobicore/common/hal_gatekeeper_default.te
new file mode 100644
index 0000000..c63173c
--- /dev/null
+++ b/tee/mobicore/common/hal_gatekeeper_default.te
@@ -0,0 +1,2 @@
+# /dev/mobicore-user
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/common/hal_keymaster_default.te b/tee/mobicore/common/hal_keymaster_default.te
new file mode 100644
index 0000000..357775b
--- /dev/null
+++ b/tee/mobicore/common/hal_keymaster_default.te
@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/common/property.te b/tee/mobicore/common/property.te
new file mode 100644
index 0000000..183c2a5
--- /dev/null
+++ b/tee/mobicore/common/property.te
@@ -0,0 +1 @@
+type tee_prop, property_type;
diff --git a/tee/mobicore/common/tee.te b/tee/mobicore/common/tee.te
new file mode 100644
index 0000000..40359c6
--- /dev/null
+++ b/tee/mobicore/common/tee.te
@@ -0,0 +1,15 @@
+allow tee efs_file:dir { search getattr };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
+allow tee init:unix_stream_socket connectto;
+allow tee property_socket:sock_file write;
+allow tee prov_efs_file:dir search;
+
+set_prop(tee, tee_prop)
+
+# /dev/t-base-tui
+allow tee tee_device:chr_file r_file_perms;
+
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
+allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/tee/mobicore/file.te b/tee/mobicore/file.te
deleted file mode 100644
index b6898fd..0000000
--- a/tee/mobicore/file.te
+++ /dev/null
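Review bot: In tee/mobicore/common/tee.te, `allow tee init:unix_stream_socket connectto;` and `allow tee property_socket:sock_file write;` duplicate what `set_prop(tee, tee_prop)` already expands to — the AOSP `set_prop` macro includes `unix_socket_connect($1, property, init)`, which is exactly these two rules — so the two explicit lines can be dropped now that the macro is used. Keeping both forms hides the fact that the property-socket access is tied to the set_prop grant, and a later removal of the macro would leave the raw socket rules behind. A one-line comment above the macro naming the property it covers, `# sys.mobicoredaemon.enable / vendor.sys.mobicoredaemon.enable (tee_prop)`, would tie the grant to the property_contexts entries in the legacy and treble directories.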
@@ -1,2 +0,0 @@
-type mobicore_vendor_data_file, file_type, data_file_type;
-type mobicore_data_file, file_type, core_data_file_type, data_file_type;
diff --git a/tee/mobicore/file_contexts b/tee/mobicore/file_contexts
deleted file mode 100644
index 0a339be..0000000
--- a/tee/mobicore/file_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-/dev/mobicore u:object_r:tee_device:s0
-/dev/mobicore-user u:object_r:tee_device:s0
-/dev/t-base-tui u:object_r:tee_device:s0
diff --git a/tee/mobicore/hal_fingerprint_default.te b/tee/mobicore/hal_fingerprint_default.te
deleted file mode 100644
index ceb8aa4..0000000
--- a/tee/mobicore/hal_fingerprint_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore-user
-allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_gatekeeper_default.te b/tee/mobicore/hal_gatekeeper_default.te
deleted file mode 100644
index c63173c..0000000
--- a/tee/mobicore/hal_gatekeeper_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore-user
-allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/hal_keymaster_default.te b/tee/mobicore/hal_keymaster_default.te
deleted file mode 100644
index 357775b..0000000
--- a/tee/mobicore/hal_keymaster_default.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(hal_keymaster_default, tee_prop)
diff --git a/tee/mobicore/init.te b/tee/mobicore/init.te
deleted file mode 100644
index d32233d..0000000
--- a/tee/mobicore/init.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mobicore, /dev/t-base-tui
-allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/legacy/init.te b/tee/mobicore/legacy/init.te
new file mode 100644
index 0000000..d32233d
--- /dev/null
+++ b/tee/mobicore/legacy/init.te
@@ -0,0 +1,2 @@
+# /dev/mobicore, /dev/t-base-tui
+allow init tee_device:chr_file rw_file_perms;
diff --git a/tee/mobicore/legacy/property_contexts b/tee/mobicore/legacy/property_contexts
new file mode 100644
index 0000000..d9bae11
--- /dev/null
+++ b/tee/mobicore/legacy/property_contexts
@@ -0,0 +1 @@
+sys.mobicoredaemon.enable u:object_r:tee_prop:s0
diff --git a/tee/mobicore/legacy/tee.te b/tee/mobicore/legacy/tee.te
new file mode 100644
index 0000000..df22691
--- /dev/null
+++ b/tee/mobicore/legacy/tee.te
@@ -0,0 +1 @@
+set_prop(tee, system_prop)
diff --git a/tee/mobicore/legacy/vendor_init.te b/tee/mobicore/legacy/vendor_init.te
new file mode 100644
index 0000000..57f9235
--- /dev/null
+++ b/tee/mobicore/legacy/vendor_init.te
@@ -0,0 +1 @@
+allow vendor_init mobicore_data_file:dir setattr;
diff --git a/tee/mobicore/property.te b/tee/mobicore/property.te
deleted file mode 100644
index 183c2a5..0000000
--- a/tee/mobicore/property.te
+++ /dev/null
@@ -1 +0,0 @@
-type tee_prop, property_type;
diff --git a/tee/mobicore/property_contexts b/tee/mobicore/property_contexts
deleted file mode 100644
index fb62b98..0000000
--- a/tee/mobicore/property_contexts
+++ /dev/null
@@ -1 +0,0 @@
-sys.mobicoredaemon.enable u:object_r:tee_prop:s0
diff --git a/tee/mobicore/tee.te b/tee/mobicore/tee.te
deleted file mode 100644
index 667c8be..0000000
--- a/tee/mobicore/tee.te
+++ /dev/null
@@ -1,15 +0,0 @@
-allow tee efs_file:dir { search getattr };
-allow tee efs_file:file r_file_perms;
-allow tee gatekeeper_efs_file:dir r_dir_perms;
-allow tee gatekeeper_efs_file:file r_file_perms;
-allow tee init:unix_stream_socket connectto;
-allow tee property_socket:sock_file write;
-allow tee prov_efs_file:dir search;
-allow tee system_prop:property_service set;
-allow tee tee_prop:property_service set;
-
-# /dev/t-base-tui
-allow tee tee_device:chr_file r_file_perms;
-
-allow tee mobicore_vendor_data_file:dir r_dir_perms;
-allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/tee/mobicore/treble/property_contexts b/tee/mobicore/treble/property_contexts
new file mode 100644
index 0000000..618c059
--- /dev/null
+++ b/tee/mobicore/treble/property_contexts
@@ -0,0 +1 @@
+vendor.sys.mobicoredaemon.enable u:object_r:tee_prop:s0
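Review bot: In tee/mobicore/legacy/tee.te, `set_prop(tee, system_prop)` lets the tee domain set every property labelled system_prop, not just the daemon's own `sys.mobicoredaemon.enable`, which the legacy property_contexts already labels as tee_prop and which the common `set_prop(tee, tee_prop)` covers. The grant is carried over from the deleted tee/mobicore/tee.te (`allow tee system_prop:property_service set;`), so if nothing other than that property is written it can be dropped outright; if it is still needed, a comment naming the property that requires it would justify the width, e.g. `# legacy-only: tee also sets PROPERTY-TO-BE-NAMED (system_prop)`. Presumably this is also why the rule lives under legacy/ rather than common/, since treble builds switch to the vendor.-prefixed property.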
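Review bot: The treble directory carries only this one label, so a device selected as treble no longer gets `allow init tee_device:chr_file rw_file_perms;` or `allow vendor_init mobicore_data_file:dir setattr;` (both now legacy-only); that is the right direction for least privilege, but if the device's init scripts still change permissions on the /dev/mobicore nodes or on the mobicore data directory those actions will now be denied, which is worth confirming on a treble target before merging. The switch to `vendor.sys.mobicoredaemon.enable` likewise has to be matched by whatever sets and reads the property, and the PRODUCT_SHIPPING_API_LEVEL condition added in sepolicy.mk only selects the sepolicy side of that. A header comment such as `# treble (shipping API >= 26): vendor-prefixed daemon property; init/vendor_init rules intentionally omitted` would record that intent in the file.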
diff --git a/tee/mobicore/vendor_init.te b/tee/mobicore/vendor_init.te
deleted file mode 100644
index 57f9235..0000000
--- a/tee/mobicore/vendor_init.te
+++ /dev/null
@@ -1 +0,0 @@
-allow vendor_init mobicore_data_file:dir setattr;