-rw-r--r--sepolicy/credmgrd.te10
-rw-r--r--sepolicy/idd.te3
-rw-r--r--sepolicy/keystore.te8
-rw-r--r--sepolicy/property.te3
-rw-r--r--sepolicy/property_contexts10
-rw-r--r--sepolicy/qseecomd.te29
-rw-r--r--sepolicy/vold.te7
7 files changed, 65 insertions, 5 deletions
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
index 929a2ab..662b76d 100644
--- a/sepolicy/credmgrd.te
+++ b/sepolicy/credmgrd.te
@@ -61,15 +61,15 @@ allow credmgrd ion_device:chr_file { ioctl open read };
#============= credmgr init script ==============
allow credmgrd cache_file:dir { add_name search };
-allow credmgrd cache_file:file { create getattr open read unlink write };
-allow credmgrd credmgrd_data_file:dir { getattr relabelto reparent rename rmdir search };
-allow credmgrd devpts:chr_file { getattr ioctl open read write };
+allow credmgrd credmgrd_data_file:dir { add_name getattr relabelto reparent rename rmdir search };
+allow credmgrd credmgrd_data_file:file { append getattr open read unlink write };
+allow credmgrd credmgrd_prop:property_service set;
+allow credmgrd init:unix_stream_socket connectto;
allow credmgrd property_socket:sock_file write;
allow credmgrd shell_exec:file { getattr read };
-allow credmgrd system_data_file:dir { add_name remove_name write };
allow credmgrd system_file:file execute_no_trans;
allow credmgrd system_prop:property_service set;
-allow credmgrd system_data_file:dir { create relabelfrom setattr };
+allow credmgrd system_data_file:dir { add_name create relabelfrom remove_name setattr write };
#TODO: wrong labeled on dest socket?
allow credmgrd init:unix_stream_socket connectto;
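Review bot: The added `allow credmgrd init:unix_stream_socket connectto;` repeats the rule that already sits at the end of this hunk under `#TODO: wrong labeled on dest socket?`, so the policy now carries it twice. The hand-written property rules (`property_socket:sock_file write`, `init:unix_stream_socket connectto`, `credmgrd_prop:property_service set`) are covered by `set_prop(credmgrd, credmgrd_prop)`, the macro this commit already uses in qseecomd.te, and using it would let both copies go. `allow credmgrd system_prop:property_service set;` stays as context, so credmgrd can still write every system_prop property; if sys.credmgrdready was the only reason for it, it is worth dropping now that the dedicated type exists. The rule block starts above the hunk, so other dependencies on system_prop are not visible here.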
diff --git a/sepolicy/idd.te b/sepolicy/idd.te
index df2eb1c..6ec0b3c 100644
--- a/sepolicy/idd.te
+++ b/sepolicy/idd.te
@@ -30,3 +30,6 @@ allow iddd tmpfs:dir search;
# Allow proc socket search
allow iddd proc:file { getattr open read };
+# Allow idd to read ro.semc
+allow iddd ta_prop:file { getattr open read };
+
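Review bot: The comment `# Allow idd to read ro.semc` understates what the rule grants, because property_contexts in this commit also labels `ro.sony.color_id`, `init.taimport` and `persist.tareset.notfirstboot` as ta_prop. Either widen the comment to `# Allow idd to read ta_prop properties (ro.semc.*, ro.sony.color_id, init.taimport, persist.tareset.notfirstboot)` or give the read-only `ro.*` entries their own type so iddd gets only those. The same grouping means any later `set` grant on ta_prop would cover the `init.` and `persist.` entries as well as the `ro.` ones.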
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
new file mode 100644
index 0000000..4857479
--- /dev/null
+++ b/sepolicy/keystore.te
@@ -0,0 +1,8 @@
+allow keystore tee_device:chr_file rw_file_perms;
+allow keystore firmware_file:file r_file_perms;
+allow keystore tee_prop:file { getattr open read };
+
+
+allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
+auditallow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
+
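Review bot: The `auditallow vold keystore:keystore_key { ... }` line writes an audit record for every granted use of these permissions, which reads like bring-up instrumentation. If it is intentional it needs a comment saying what is being monitored, otherwise it should be removed before merge. The permission set is also wide (`insert`, `delete`, `sign`, `verify` alongside the query-style ones) with no comment on which vold operation needs each, presumably the HW FDE path mentioned in qseecomd.te; trimming it to what that path uses would follow least privilege. Since this commit creates sepolicy/vold.te, the two vold rules belong there and not in keystore.te.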
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..a9978eb
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,3 @@
+type timekeep_prop, property_type;
+type tee_prop, property_type;
+type ta_prop, property_type;
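Review bot: `credmgrd_prop` is referenced by the new `allow credmgrd credmgrd_prop:property_service set;` rule and by the `sys.credmgrdready` entry in property_contexts, but this new file declares only timekeep_prop, tee_prop and ta_prop. If the type is not declared elsewhere in the tree (not visible on this page), the policy will not compile; in that case add `type credmgrd_prop, property_type;` here. `timekeep_prop` is declared and mapped, but no rule in this commit grants any domain access to it, so the domain that sets `persist.sys.timeadjust` should be checked.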
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..a6b2b29
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,10 @@
+
+sys.keymaster.loaded u:object_r:tee_prop:s0
+sys.listeners.registered u:object_r:tee_prop:s0
+persist.sys.timeadjust u:object_r:timekeep_prop:s0
+persist.service.bdroid.bdaddr u:object_r:bluetooth_prop:s0
+persist.tareset.notfirstboot u:object_r:ta_prop:s0
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+ro.semc. u:object_r:ta_prop:s0
+ro.sony.color_id u:object_r:ta_prop:s0
+init.taimport u:object_r:ta_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..7e61f6d
--- /dev/null
+++ b/sepolicy/qseecomd.te
@@ -0,0 +1,29 @@
+
+# tee starts as root, and drops privileges
+allow tee self:capability {
+ setuid
+ setgid
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# Allow tee to directly save and load fingerprint data
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+# allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+binder_use(tee)
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee);
+
+set_prop(tee, tee_prop)
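Review bot: `allow tee system_data_file:dir r_dir_perms;` sits under the fingerprint comment but lets tee list every directory labelled system_data_file, not just traverse to the fingerprint store. If path traversal is all that is needed, `allow tee system_data_file:dir search;` is enough; otherwise a comment should say which directory is being enumerated. The file is named qseecomd.te while every rule targets the `tee` domain, so a header line such as `# qseecomd runs in the tee domain` would avoid confusion. `qmux_socket(tee);` is also the only macro call here with a trailing semicolon.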
diff --git a/sepolicy/vold.te b/sepolicy/vold.te
new file mode 100644
index 0000000..e5b776e
--- /dev/null
+++ b/sepolicy/vold.te
@@ -0,0 +1,7 @@
+allow vold diag_data_file:dir { read open ioctl };
+allow vold tee_prop:file { getattr open read };
+allow vold firmware_file:file { getattr open read };
+allow vold iddd_file:dir read;
+allow vold tee_device:unix_stream_socket connectto;
+allow vold tee_device:sock_file write;
+
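Review bot: `allow vold tee_device:unix_stream_socket connectto;` names a device type as the target of `connectto`, where the target is normally the domain of the listening process (here presumably `tee`). Together with `allow vold tee_device:sock_file write;` this suggests the socket node is inheriting the /dev label instead of having its own type, the same kind of mislabel the TODO in credmgrd.te points at. Giving the socket a dedicated type in file_contexts and granting `connectto` against the listening domain would limit vold to that socket, not everything labelled tee_device. The `diag_data_file` and `iddd_file` directory rules carry no comment; a one-line reason for each, as in qseecomd.te, would help later review.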