From acd62758d942f8992df88004ea112dc3b8e52679 Mon Sep 17 00:00:00 2001
From: Aayush Gupta
Date: Mon, 28 Dec 2020 12:16:17 +0530
Subject: [PATCH] non_plat: Label /dev/*rpmb* and grant tee permissions to manage it

/dev/*rpmb* devices are accessed by tee. Label it and allow tee required permissions to manage it.

Denial observed without this change:
[ 46.559953] .(2)[399:logd.auditd]type=1400 audit(1609128921.644:391): avc: denied { ioctl } for comm="teei_daemon" path="/dev/rpmb0" dev="tmpfs" ino=17454 ioctlcmd=0x6 scontext=u:r:init:s0 tcontext=u:object_r:device:s0 tclass=chr_file permissive=1

Test: Boot and observe that denial no longer appears

Signed-off-by: Aayush Gupta
Change-Id: I3499e2a3ba177b8e69d8cdbb76939daf3f8bbc7b
---
 non_plat/device.te | 2 ++
 non_plat/file_contexts | 3 +++
 non_plat/tee.te | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/non_plat/device.te b/non_plat/device.te
index 460e4a2..5f955cf 100644
--- a/non_plat/device.te
+++ b/non_plat/device.te
@@ -273,7 +273,9 @@ type m_bio_misc_device, dev_type;
 # Purpose : Add permission for gpu access
 type dri_device, dev_type, mlstrustedobject;
+# TEE
 type teei_fp_device, dev_type;
+type teei_rpmb_device, dev_type;
 # Keymaster
 type ut_keymaster_device, dev_type;
diff --git a/non_plat/file_contexts b/non_plat/file_contexts
index ba6de28..e0ccc1d 100644
--- a/non_plat/file_contexts
+++ b/non_plat/file_contexts
@@ -694,6 +694,9 @@
 # TEE
 /dev/teei_fp u:object_r:teei_fp_device:s0
+/dev/rpmb0 u:object_r:teei_rpmb_device:s0
+/dev/emmcrpmb0 u:object_r:teei_rpmb_device:s0
+
 /(vendor|system\/vendor)/bin/teei_daemon u:object_r:tee_exec:s0
 /(vendor|system\/vendor)/bin/teei_loader u:object_r:tee_exec:s0
diff --git a/non_plat/tee.te b/non_plat/tee.te
index 5a67df5..754fda4 100644
--- a/non_plat/tee.te
+++ b/non_plat/tee.te
@@ -1 +1,4 @@
 allow tee ut_keymaster_device:chr_file rw_file_perms;
+
+allow tee teei_rpmb_device:chr_file rw_file_perms;
+allow tee teei_rpmb_device:blk_file { read write ioctl open };
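Review bot: The two new file_contexts entries pin the exact node names `/dev/rpmb0` and `/dev/emmcrpmb0`, while the commit title speaks of `/dev/*rpmb*`; a second RPMB instance (`rpmb1`, `emmcrpmb1`) would keep the generic `device` label and reproduce the denial. file_contexts entries are regexes, so one line, `/dev/(emmc)?rpmb[0-9]+ u:object_r:teei_rpmb_device:s0`, covers both current paths and future instances. Separately, the quoted denial has `scontext=u:r:init:s0` for `comm="teei_daemon"`, meaning the daemon was not running in the `tee` domain when it touched the device, so rules written for `tee` only take effect once teei_daemon really transitions via its `tee_exec` label; that transition is worth confirming in enforcing mode rather than against a `permissive=1` log.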
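Review bot: The `blk_file` rule on the last line of tee.te grants a class the denial never shows — the audit line is `tclass=chr_file`, and a device node is one class or the other, so either the `blk_file` line or the `chr_file` line is dead weight; keep only the class the node actually has (`ls -lZ /dev/rpmb0` settles it). `rw_file_perms` on `chr_file` also includes unrestricted `ioctl`, whereas the denial shows a single `ioctlcmd=0x6`; on a policy build that supports extended permissions, pairing the allow with `allowxperm tee teei_rpmb_device:chr_file ioctl { 0x6 };` (or the vendor driver's actual RPMB ioctl set) keeps the surface to what the daemon needs on a device that holds replay-protected data. Since ioctl is the only operation in the quoted denial, the rest of `rw_file_perms` should be checked against what teei_daemon performs instead of being granted by default.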