platform_system_sepolicy/vendor
Alex Klyubin 304d653637 Move TEE rules to vendor image
"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted the sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6
2017-04-03 11:11:48 -07:00
file.te sepolicy: Move hostapd to vendor 2017-03-09 11:17:45 +08:00
file_contexts Initial sepolicy for vndservicemanager. 2017-03-23 00:20:43 +00:00
hal_audio_default.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
hal_bluetooth_default.te Disallow HAL access to Bluetooth data files 2017-03-30 16:00:23 +00:00
hal_bootctl_default.te Switch Boot Control HAL policy to _client/_server 2017-03-17 17:22:06 -07:00
hal_camera_default.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
hal_configstore_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_contexthub_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_drm_default.te tee domain is a vendor domain 2017-03-29 13:13:27 -07:00
hal_dumpstate_default.te Switch Dumpstate HAL policy to _client/_server 2017-02-22 10:15:24 -08:00
hal_fingerprint_default.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
hal_gatekeeper_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_gnss_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_graphics_allocator_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_graphics_composer_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_health_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_ir_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_keymaster_default.te tee domain is a vendor domain 2017-03-29 13:13:27 -07:00
hal_light_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_memtrack_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_nfc_default.te Tighten restrictions on core <-> vendor socket comms 2017-03-31 09:17:54 -07:00
hal_omx.te mediacodec violates "no Binder in vendor" rule 2017-03-24 17:22:17 -07:00
hal_power_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_sensors_default.te Switch Sensors HAL policy to _client/_server 2017-03-14 12:43:29 -07:00
hal_thermal_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_usb_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_vibrator_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_vr_default.te Annotate most remaining HALs with _client/_server 2017-03-16 19:55:16 -07:00
hal_wifi_default.te Switch Wi-Fi HAL policy to _client/_server 2017-02-22 15:12:19 -08:00
hal_wifi_supplicant_default.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
hostapd.te Ban vendor components access to core data types 2017-03-28 15:44:39 -07:00
rild.te Annotate rild with socket_between_core_and_vendor_violators 2017-03-30 11:05:14 +09:00
tee.te Move TEE rules to vendor image 2017-04-03 11:11:48 -07:00
vndservicemanager.te Vendor domains must not use Binder 2017-03-24 07:54:00 -07:00