From 91547390a8873ef79917384ef21effa32849f3f5 Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Sun, 3 Jan 2021 10:27:50 +0530
Subject: [PATCH] non_plat: Label /dev/teei_config and allow tee rw permissions to it
Denials observed without this change:
7.811050] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:5): avc: denied { read write } for comm="teei_daemon" name="teei_config" dev="tmpfs" ino=3600 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
[ 7.813712] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:6): avc: denied { open } for comm="teei_daemon" path="/dev/teei_config" dev="tmpfs" ino=3600 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
[ 7.816434] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:6): avc: denied { open } for comm="teei_daemon" path="/dev/teei_config" dev="tmpfs" ino=3600 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
[ 7.819089] .(2)[398:logd.auditd]type=1400 audit(1609581532.144:7): avc: denied { ioctl } for comm="teei_daemon" path="/dev/teei_config" dev="tmpfs" ino=3600 ioctlcmd=0x5403 scontext=u:r:tee:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1
Test: Boot and notice that denials no longer appears
Signed-off-by: Aayush Gupta
Change-Id: Ia779816cbf9312b50a5f5101f7935f1a83b210f2
---
 non_plat/device.te | 1 +
 non_plat/file_contexts | 1 +
 non_plat/tee.te | 1 +
 3 files changed, 3 insertions(+)
diff --git a/non_plat/device.te b/non_plat/device.te
index ffd225d..6375965 100644
--- a/non_plat/device.te
+++ b/non_plat/device.te
@@ -276,6 +276,7 @@ type dri_device, dev_type, mlstrustedobject;
 # TEE
 type teei_fp_device, dev_type;
 type teei_rpmb_device, dev_type;
+type teei_config_device, dev_type;
 type teei_vfs_device, dev_type;
 type teei_client_device, dev_type;
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index 28048d0..6eaee6f 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -699,6 +699,7 @@
 /dev/tz_vfs u:object_r:teei_vfs_device:s0
 /dev/tee0 u:object_r:teei_client_device:s0
 /dev/teei_client u:object_r:teei_client_device:s0
+/dev/teei_config u:object_r:teei_config_device:s0
 /data/vendor/thh(/.*)? u:object_r:vendor_teei_data_file:s0
diff --git a/non_plat/tee.te b/non_plat/tee.te
index b3d6428..0d3b25e 100644
--- a/non_plat/tee.te
+++ b/non_plat/tee.te
@@ -9,5 +9,6 @@ allow tee vendor_teei_data_file:dir create_dir_perms;
 allow tee vendor_teei_data_file:file create_file_perms;
 allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };;
+allow tee teei_config_device:chr_file rw_file_perms;
 allow tee property_socket:sock_file write;
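Review bot: The new `allow tee teei_config_device:chr_file rw_file_perms;` line grants the `ioctl` permission without any extended-permission filter, because in Android's global_macros `rw_file_perms` expands to a set that includes `ioctl`; the only ioctl the commit message shows being needed is `ioctlcmd=0x5403` (which matches the TCSETS define in the platform ioctl_defines, to be confirmed against the kernel headers in use). Scoping it with an xperm rule, `allowxperm tee teei_config_device:chr_file ioctl { 0x5403 };`, keeps the tee domain from reaching whatever other driver-specific ioctls this node may implement, which the visible denials give no reason to grant. The denials were collected with `permissive=1` and the Test line covers boot only, so it would be worth re-running in enforcing mode with the TEE path exercised, adding any further observed ioctl numbers to that list rather than widening back to an unfiltered grant. I would also drop a short comment above the new rule noting which daemon needs it, e.g. `# teei_daemon reads/writes /dev/teei_config and issues TCSETS on it`.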