Diffstat (limited to 'sepolicy/qseecomd.te')
-rw-r--r--sepolicy/qseecomd.te29
1 files changed, 29 insertions, 0 deletions
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
new file mode 100644
index 0000000..7e61f6d
--- /dev/null
+++ b/sepolicy/qseecomd.te
@@ -0,0 +1,29 @@
+
+# tee starts as root, and drops privileges
+allow tee self:capability {
+ setuid
+ setgid
+};
+
+# Need to directly manipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir r_dir_perms;
+allow tee rpmb_device:blk_file rw_file_perms;
+
+# Provide tee access to ssd partition for HW FDE
+allow tee ssd_device:blk_file rw_file_perms;
+
+# Allow tee to directly save and load fingerprint data
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee system_data_file:dir r_dir_perms;
+
+# allow tee to load firmware images
+r_dir_file(tee, firmware_file)
+
+binder_use(tee)
+
+# Provide tee ability to access QMUXD/IPCRouter for QMI
+qmux_socket(tee);
+
+set_prop(tee, tee_prop)
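Review bot: `allow tee system_data_file:dir r_dir_perms;` in the fingerprint group lets tee read and list every directory labelled system_data_file, which is wider than the stated purpose of saving and loading fingerprint data. If the rule exists only so tee can traverse down to the fingerprintd_data_file directory, `allow tee system_data_file:dir search;` would presumably be enough; this should be confirmed against the denials that prompted the rule. Separately, `binder_use(tee)` is the only grant in the file without a comment. A line such as `# tee needs binder to reach <service name>`, naming the real peer, would let a reader judge whether the binder exposure of a root-started daemon is justified.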