304d653637
"tee" domain is a vendor domain. Hence its rules should live on the vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling /dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as tee_exec, then you need to add these rules to your device-specific file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6
7 lines, 139 B, Text
##
# trusted execution environment (tee) daemon
#
type tee, domain;

# Device(s) for communicating with the TEE
type tee_device, dev_type;
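As an added illustration (not part of this commit or of AOSP), the device-specific policy a vendor would carry after this change so that the TEE daemon keeps working: the file_contexts entries the commit message calls out, plus the vendor-side rules that no longer live in system/sepolicy. The file locations, the tee_exec declaration and the concrete allow rules are assumptions; a real daemon's rule set is device-specific and should be derived from its actual denials. The sys_rawio capability is stated by the commit to remain public API, so it is not repeated here.

```sepolicy
# --- device/<vendor>/<device>/sepolicy/file_contexts (assumed path) ---
# Labels that system/sepolicy used to assign automatically; with the tee
# domain moved to vendor policy they must be declared per device.
/dev/tf_driver            u:object_r:tee_device:s0
/system/bin/tf_daemon     u:object_r:tee_exec:s0

# --- device/<vendor>/<device>/sepolicy/tee.te (assumed path) ---
# The public policy still declares `tee` (domain) and `tee_device`
# (dev_type). The executable type is assumed not to be declared there,
# so the vendor policy declares it.
type tee_exec, exec_type, file_type;

# When init launches /system/bin/tf_daemon (labeled tee_exec above),
# transition it into the tee domain instead of leaving it in init's.
init_daemon_domain(tee)

# The daemon talks to the secure world through its character device.
# Only tee gets this; the public neverallow keeps apps away from
# tee_device, which is what this split is meant to preserve.
allow tee tee_device:chr_file rw_file_perms;
```

On a device, `ls -Z /dev/tf_driver` and `ps -Z` for the daemon are the quick checks that the labels and the domain transition actually took effect; a daemon still running as `init` means the file_contexts entry is missing.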