non_plat: Label /dev/teei_config and allow tee rw permissions to it

Denials observed without this change:
    7.811050] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:5): avc: denied { read write } for comm="teei_daemon" name="teei_config" dev="tmpfs" ino=3600 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
[    7.813712] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:6): avc: denied { open } for comm="teei_daemon" path="/dev/teei_config" dev="tmpfs" ino=3600 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
[    7.816434] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:6): avc: denied { open } for comm="teei_daemon" path="/dev/teei_config" dev="tmpfs" ino=3600 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
[    7.819089] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:7): avc: denied { ioctl } for comm="teei_daemon" path="/dev/teei_config" dev="tmpfs" ino=3600 ioctlcmd=0x5403 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

Test: Boot and verify that the denials listed above no longer appear.

Signed-off-by: Aayush Gupta <aayushgupta219@gmail.com>
Change-Id: Ia779816cbf9312b50a5f5101f7935f1a83b210f2
Aayush Gupta 2021-01-03 10:27:50 +05:30
parent a20c39e9f3
commit 91547390a8
3 changed files with 3 additions and 0 deletions


@ -276,6 +276,7 @@ type dri_device, dev_type, mlstrustedobject;
# TEE
type teei_fp_device, dev_type;
type teei_rpmb_device, dev_type;
type teei_config_device, dev_type;
type teei_vfs_device, dev_type;
type teei_client_device, dev_type;


@ -699,6 +699,7 @@
/dev/tz_vfs u:object_r:teei_vfs_device:s0
/dev/tee0 u:object_r:teei_client_device:s0
/dev/teei_client u:object_r:teei_client_device:s0
/dev/teei_config u:object_r:teei_config_device:s0
/data/vendor/thh(/.*)? u:object_r:vendor_teei_data_file:s0
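Review bot: The new file_contexts entry only takes effect if the node is labeled from this table at creation time, and the only evidence in the commit is the disappearance of denials captured with `permissive=1`, which does not prove the label was applied in enforcing mode. The avc lines show `dev="tmpfs"`, which is consistent with a ueventd-created node in /dev, so the mapping should work, but it is worth confirming after an enforcing boot with `ls -Z /dev/teei_config` that the node carries `u:object_r:teei_config_device:s0` rather than the generic `device` label seen in the denials. I would also state in the Test section that the check was done in enforcing mode, since the avc messages alone were captured while permissive.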


@ -9,5 +9,6 @@ allow tee vendor_teei_data_file:dir create_dir_perms;
allow tee vendor_teei_data_file:file create_file_perms;
allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };;
allow tee teei_config_device:chr_file rw_file_perms;
allow tee property_socket:sock_file write;
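Review bot: The added `allow tee teei_config_device:chr_file rw_file_perms;` grants unrestricted `ioctl` on the new device node, while the logged denials show a single command, `ioctlcmd=0x5403`; scoping the ioctl set is the usual practice for vendor device nodes and costs one line, `allowxperm tee teei_config_device:chr_file ioctl { 0x5403 };`. Note that 0x5403 shares its value with the termios TCSETSW code, so it may be a driver-private ioctl using magic 'T' rather than a tty call — either way the xperm list should be built from what the daemon actually issues. Because the denials were captured with `permissive=1`, the observed set may be incomplete and an enforcing boot should be used to confirm no further ioctl denials appear. The neighbouring context line `allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };;` ends in a double semicolon; that is pre-existing and may be a rendering artifact, but if it is real in the file it is worth cleaning up in a follow-up. The hunk header indicates more lines in this section than are shown, so the end of the file is outside this view.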