-rw-r--r-- | sepolicy/credmgrd.te | 10 | ||||
-rw-r--r-- | sepolicy/idd.te | 3 | ||||
-rw-r--r-- | sepolicy/keystore.te | 8 | ||||
-rw-r--r-- | sepolicy/property.te | 3 | ||||
-rw-r--r-- | sepolicy/property_contexts | 10 | ||||
-rw-r--r-- | sepolicy/qseecomd.te | 29 | ||||
-rw-r--r-- | sepolicy/vold.te | 7 |
7 files changed, 65 insertions, 5 deletions
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 929a2ab..662b76d 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -61,15 +61,15 @@ allow credmgrd ion_device:chr_file { ioctl open read };
 #============= credmgr init script ==============
 allow credmgrd cache_file:dir { add_name search };
-allow credmgrd cache_file:file { create getattr open read unlink write };
-allow credmgrd credmgrd_data_file:dir { getattr relabelto reparent rename rmdir search };
-allow credmgrd devpts:chr_file { getattr ioctl open read write };
+allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
+allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
+allow credmgrd credmgrd_prop:property_service set;
+allow credmgrd init:unix_stream_socket connectto;
 allow credmgrd property_socket:sock_file write;
 allow credmgrd shell_exec:file { getattr read };
-allow credmgrd system_data_file:dir { add_name remove_name write };
 allow credmgrd system_file:file execute_no_trans;
 allow credmgrd system_prop:property_service set;
-allow credmgrd system_data_file:dir { create relabelfrom setattr };
+allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name setattr write };
 #TODO: wrong labeled on dest socket?
 allow credmgrd init:unix_stream_socket connectto;
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index df2eb1c..6ec0b3c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -30,3 +30,6 @@ allow iddd tmpfs:dir search;
 # Allow proc socket search
 allow iddd proc:file { getattr open read };
+# Allow idd to read ro.semc
+allow iddd ta_prop:file { getattr open read };
+
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
new file mode 100644
index 0000000..4857479
--- /dev/null
+++ b/sepolicy/keystore.te
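Review bot: In the credmgrd.te hunk the added `allow credmgrd init:unix_stream_socket connectto;` duplicates the rule kept at the end of the same hunk under `#TODO: wrong labeled on dest socket?`, so the new side now carries it twice. Together with `property_socket:sock_file write` and the new `credmgrd_prop:property_service set`, these three rules look like the property-service path, which `set_prop(credmgrd, credmgrd_prop)` (the macro qseecomd.te uses in this commit) would express in one line and let the TODO copy be dropped. The broad `allow credmgrd system_prop:property_service set;` is left in place; if `sys.credmgrdready` was the only property credmgrd sets, it is presumably no longer needed now that the property has its own label. The file continues outside the hunk, so other uses of system_prop cannot be ruled out from here.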
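Review bot: In the idd.te hunk the comment `# Allow idd to read ro.semc` understates what the rule below it grants. property_contexts in this commit also labels `persist.tareset.notfirstboot`, `ro.sony.color_id` and `init.taimport` as ta_prop, so iddd can read all of them. Reword it to something like `# Allow iddd to read ta_prop properties (ro.semc.*, ro.sony.color_id, init.taimport, ...)`, or give `ro.semc.` its own type if only that prefix is meant to be readable.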
@@ -0,0 +1,8 @@
+allow keystore tee_device:chr_file rw_file_perms;
+allow keystore firmware_file:file r_file_perms;
+allow keystore tee_prop:file { getattr open read };
+
+
+allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
+auditallow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
+
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..a9978eb
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,3 @@
+type timekeep_prop, property_type;
+type tee_prop, property_type;
+type ta_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..a6b2b29
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,10 @@
+
+sys.keymaster.loaded u:object_r:tee_prop:s0
+sys.listeners.registered u:object_r:tee_prop:s0
+persist.sys.timeadjust u:object_r:timekeep_prop:s0
+persist.service.bdroid.bdaddr u:object_r:bluetooth_prop:s0
+persist.tareset.notfirstboot u:object_r:ta_prop:s0
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+ro.semc. u:object_r:ta_prop:s0
+ro.sony.color_id u:object_r:ta_prop:s0
+init.taimport u:object_r:ta_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..7e61f6d
--- /dev/null
+++ b/sepolicy/qseecomd.te
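Review bot: In keystore.te the `auditallow vold keystore:keystore_key { ... };` line carries no comment saying why it is there. auditallow grants nothing and only logs each permitted operation, so it reads like a bring-up aid; if so, mark it with something like `# TODO: temporary logging of vold key operations, remove before release`, or drop it. The two vold rules also sit in keystore.te although vold.te is created in this same commit; moving them there keeps each domain's grants in one file for later audits. None of the keystore rules say which component needs `tee_device` or `firmware_file` access, and a one-line comment per rule would help.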
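Review bot: The new property.te does not declare `credmgrd_prop`, although this commit uses it in credmgrd.te (`credmgrd_prop:property_service set`) and in property_contexts (`sys.credmgrdready`). Unless the type is declared in a part of the tree not shown in this diff, the policy will not build. Adding `type credmgrd_prop, property_type;` here next to the other three declarations would keep all the property types in one place.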
@@ -0,0 +1,29 @@
+
+# tee starts as root, and drops privileges
+allow tee self:capability {
+ setuid
+ setgid
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# Allow tee to directly save and load fingerprint data
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+# allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+binder_use(tee)
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee);
+
+set_prop(tee, tee_prop)
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..e5b776e
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,7 @@
+allow vold diag_data_file:dir { read open ioctl };
+allow vold tee_prop:file { getattr open read };
+allow vold firmware_file:file { getattr open read };
+allow vold iddd_file:dir read;
+allow vold tee_device:unix_stream_socket connectto;
+allow vold tee_device:sock_file write;
+ |
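Review bot: In qseecomd.te, `allow tee system_data_file:dir r_dir_perms;` under the fingerprint comment lets tee list every directory labelled system_data_file, which is more than reaching the fingerprint directory needs. If only path traversal is required, `allow tee system_data_file:dir search;` should be enough. `binder_use(tee)` and `set_prop(tee, tee_prop)` are the only grants in the file without a comment; each should say which service tee talks to over binder and which properties it sets (property_contexts suggests `sys.keymaster.loaded` and `sys.listeners.registered`). `qmux_socket(tee);` has a trailing semicolon that the other macro calls in the file omit.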
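Review bot: In vold.te, `allow vold tee_device:unix_stream_socket connectto;` names what appears to be a device-node type as the peer of a socket connection. keystore.te in this commit uses `tee_device` for a `chr_file`, whereas connectto is checked against the listening socket's label, which is normally the server's domain. Together with `tee_device:sock_file write` this suggests the socket file is picking up the device label, the same doubt the `#TODO: wrong labeled on dest socket?` comment in credmgrd.te raises. Giving the socket its own type in file_contexts and writing `unix_socket_connect(vold, SOCKET_NAME, tee)` (placeholder name) would avoid widening what `tee_device` means. The directory reads on `diag_data_file` and `iddd_file` have no comments and look like audit2allow output; if vold does not need them, `dontaudit` is the safer form.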