platform_system_sepolicy/public/hal_keymaster.te
Alex Klyubin f86d54f0d1 No access to tee domain over Unix domain sockets
The tee domain is a vendor domain. Thus it cannot be accessed by
non-vendor components over Unix domain sockets.

It appears that the rules granting this access are not needed.

Test: Flash a clean build with this change. Confirm that bullhead,
      angler, sailfish, ryu, boot without new denials.
      Confirm that YouTube, Netflix, Google Play Movies play back
      videos without new denials.
Bug: 36714625
Bug: 36715266

Change-Id: I639cecd07c9a3cfb257e62622b51b7823613472a
2017-04-03 11:26:01 -07:00

5 lines
203 B
Text

# HwBinder IPC from client to server
binder_call(hal_keymaster_client, hal_keymaster_server)
allow hal_keymaster tee_device:chr_file rw_file_perms;
allow hal_keymaster ion_device:chr_file r_file_perms;