non_plat: Label /dev/tee* and grant required perms to domains

/dev/tee* are accessed by domains that interact with TEE and thus
require access to them too.

Test: Boot and observe that denials are not visible in logs anymore

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: I7b0944a1063da8561d2928e4110674ce4845ecea

non_plat/device.te

@@ -278,5 +278,8 @@ type teei_fp_device, dev_type;
 type teei_rpmb_device, dev_type;
 type teei_vfs_device, dev_type;
 
+type teei_client_device, dev_type;
+typeattribute teei_client_device mlstrustedobject;
+
 # Keymaster
 type ut_keymaster_device, dev_type;

non_plat/file_contexts

@@ -697,6 +697,8 @@
 /dev/rpmb0 u:object_r:teei_rpmb_device:s0
 /dev/emmcrpmb0 u:object_r:teei_rpmb_device:s0
 /dev/tz_vfs u:object_r:teei_vfs_device:s0
+/dev/tee0 u:object_r:teei_client_device:s0
+/dev/teei_client u:object_r:teei_client_device:s0
 
 /data/vendor/thh(/.*)? u:object_r:vendor_teei_data_file:s0
 

non_plat/hal_drm_widevine.te

@@ -14,3 +14,4 @@ allow hal_drm_widevine hal_allocator_server:fd use;
 allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
 allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 
+allow hal_drm_widevine teei_client_device:chr_file rw_file_perms;

non_plat/hal_fingerprint_default.te

@@ -1 +1,3 @@
 allow hal_fingerprint_default teei_fp_device:chr_file { read write open ioctl };
+
+allow hal_fingerprint_default teei_client_device:chr_file { read write open ioctl };

non_plat/hal_gatekeeper_default.te

@@ -0,0 +1 @@
+allow hal_gatekeeper_default teei_client_device:chr_file rw_file_perms;

non_plat/hal_graphics_allocator_default.te

@@ -20,3 +20,6 @@ allow hal_graphics_allocator_default debugfs_tracing:file open;
 #============= hal_graphics_allocator_default ==============
 allow hal_graphics_allocator_default proc_ged:file r_file_perms;
 allowxperm hal_graphics_allocator_default proc_ged:file ioctl { proc_ged_ioctls };
+
+# TEE
+allow hal_graphics_allocator_default teei_client_device:chr_file rw_file_perms;

non_plat/hal_keymaster_attestation.te

@@ -17,3 +17,5 @@ allow hal_keymaster_attestation persist_data_file:dir { write search add_name };
 allow hal_keymaster_attestation persist_data_file:file { write create open getattr };
 
 allow hal_keymaster_attestation ut_keymaster_device:chr_file { read write ioctl open };
+
+allow hal_keymaster_attestation teei_client_device:chr_file { read write open ioctl};

non_plat/hal_keymaster_default.te

@@ -1 +1,3 @@
 allow hal_keymaster_default ut_keymaster_device:chr_file { read write open ioctl};
+
+allow hal_keymaster_default teei_client_device:chr_file { read write open ioctl};

non_plat/init.te

@@ -145,3 +145,6 @@ allow init proc_cpu_alignment:file w_file_perms;
 # Purpose: Allow to relabelto for selinux_android_restorecon
 allow init boot_block_device:lnk_file relabelto;
 allow init vbmeta_block_device:lnk_file relabelto;
+
+# TEE
+allow init teei_client_device:chr_file rw_file_perms;

non_plat/kernel.te

@@ -87,3 +87,6 @@ allow kernel vendor_file:file r_file_perms;
 # Operation: SQC
 # Purpose: Allow VOW kthread to write debug PCM dump
 allow kernel mtk_audiohal_data_file:file write;
+
+# TEE
+allow kernel teei_client_device:chr_file rw_file_perms;

non_plat/mediacodec.te

@@ -156,4 +156,7 @@ allowxperm mediacodec proc_m4u:file ioctl MTK_M4U_T_CONFIG_PORT_ARRAY;
 # Date : 2019/12/12
 # Purpose : allow media sources to access /sys/bus/platform/drivers/mem_bw_ctrl/*
 allow mediacodec sysfs_concurrency_scenario:file rw_file_perms;
-allow mediacodec sysfs_concurrency_scenario:dir search;
+allow mediacodec sysfs_concurrency_scenario:dir search;
+
+# TEE
+allow mediacodec teei_client_device:chr_file rw_file_perms;

non_plat/meta_tst.te

@@ -419,3 +419,6 @@ allow meta_tst adsp_device:chr_file rw_file_perms;
 # Operation: P migration
 # Purpose : audio scp recovery
 allow meta_tst audio_scp_device:chr_file r_file_perms;
+
+# TEE
+allow meta_tst teei_client_device:chr_file { create setattr unlink rw_file_perms };;

non_plat/mtk_hal_camera.te

@@ -365,3 +365,6 @@ allow mtk_hal_camera camera_vendor_data_file:dir create_dir_perms;
 allow mtk_hal_camera camera_vendor_data_file:file create_file_perms;
 
 allow mtk_hal_camera seninf_device:chr_file rw_file_perms;
+
+# TEE
+allow mtk_hal_camera teei_client_device:chr_file rw_file_perms;

non_plat/system_server.te

@@ -278,4 +278,6 @@ allow system_server sf_rtt_file:dir rmdir;
 # Operation : Q Migration
 allow system_server storage_stub_file:dir getattr;
 
+# TEE
 allow system_server teei_fp_device:chr_file rw_file_perms;
+allow system_server teei_client_device:chr_file r_file_perms;

non_plat/tee.te

@@ -7,3 +7,5 @@ allow tee teei_vfs_device:chr_file rw_file_perms;
 
 allow tee vendor_teei_data_file:dir create_dir_perms;
 allow tee vendor_teei_data_file:file create_file_perms;
+
+allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };;

non_plat/vold.te

@@ -48,3 +48,5 @@ allow vold swap_block_device:blk_file getattr;
 allow vold sysfs_mmcblk:file rw_file_perms;
 
 allow vold ut_keymaster_device:chr_file { read write open ioctl};
+
+allow vold teei_client_device:chr_file { read write open ioctl};