0f6c047d2e
As a result, the Keymaster and DRM HALs are permitted to talk to the tee domain over sockets. Unfortunately, the tee domain needs to remain on the exemptions list because drmserver, mediaserver, and surfaceflinger are currently permitted to talk to this domain over sockets. We still need to determine why global policy defines a TEE domain at all... Test: mmm system/sepolicy Bug: 36601092 Bug: 36601602 Bug: 36714625 Bug: 36715266 Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895
##
# trusted execution environment (tee) daemon
#
# Policy for the userspace TEE daemon. Everything this file grants the
# domain is listed below; per the commit message, the Keymaster and DRM
# HALs, drmserver, mediaserver and surfaceflinger reach this domain over
# sockets, but those socket rules live elsewhere, not in this file.
# NOTE(review): domain_deprecated presumably carries legacy, broader
# permissions that are being phased out -- confirm tee still needs it.
type tee, domain, domain_deprecated;
# Label for the daemon executable. No domain transition into tee is
# declared in this file; it is presumably set up elsewhere (e.g. init).
type tee_exec, exec_type, file_type;
# Label for the TEE driver's character device node(s).
type tee_device, dev_type;

# CAP_DAC_OVERRIDE lets the daemon bypass DAC (owner/group/mode) checks on
# any file its SELinux rules already permit. This is a broad capability;
# TODO(review): confirm which access actually needs it, or fix the
# ownership/mode of the offending path instead.
allow tee self:capability { dac_override };
# Read/write the TEE driver's character device.
allow tee tee_device:chr_file rw_file_perms;
# Private data store: traverse/modify the directory and create, read and
# write regular files labelled tee_data_file.
allow tee tee_data_file:dir rw_dir_perms;
allow tee tee_data_file:file create_file_perms;
# Netlink sockets to the kernel. The _no_ioctl macros, as their name
# indicates, omit the ioctl permission, so no ioctl allowlist applies.
allow tee self:netlink_socket create_socket_perms_no_ioctl;
allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
# Read-only access to the ion_device node (presumably the ION memory
# allocator; used for shared buffers -- confirm against the daemon).
allow tee ion_device:chr_file r_file_perms;
# Read-only access to directories and files of any sysfs_type.
r_dir_file(tee, sysfs_type)

# TODO(b/36720355): Remove this once tee no longer accesses non-vendor files
# The attribute records that tee, a vendor domain, still touches core
# (non-vendor) data; the two rules below are the accesses it covers.
typeattribute tee coredata_in_vendor_violators;
allow tee system_data_file:file { getattr read };
allow tee system_data_file:lnk_file r_file_perms;