path: root/sepolicy/qseecomd.te
blob: 7e61f6ddb07caf9c69d59c6c9fffc9fcc14da495 (plain)
# tee starts as root, and drops privileges.
# SELinux only gates whether setuid/setgid may be used at all; it does not
# constrain which UID/GID is chosen. The actual drop to an unprivileged
# identity therefore has to be enforced by the daemon code itself.
# No other capability is granted to tee in this file.
allow tee self:capability {
    setuid
    setgid
};

# Need to directly manipulate certain block devices
# for anti-rollback protection.
# The dir rule covers reading/searching directories labelled block_device
# only; it grants no access to device nodes that carry the generic
# block_device label.
allow tee block_device:dir r_dir_perms;
# Raw read/write on nodes labelled rpmb_device. rw_file_perms carries no
# create/unlink/rename, so tee cannot replace the node itself.
# NOTE(review): rpmb_device is declared outside this file - confirm that
# file_contexts applies it to the RPMB partition only.
allow tee rpmb_device:blk_file rw_file_perms;

# Provide tee access to ssd partition for HW FDE.
# Same raw read/write scope as above, on nodes labelled ssd_device.
# NOTE(review): ssd_device is declared outside this file - confirm the
# labelled node and check that no less trusted domain is also granted write
# access to it, since this partition backs disk encryption.
allow tee ssd_device:blk_file rw_file_perms;

# Allow tee to directly save and load fingerprint data.
# Together these two rules let tee add, rewrite, rename and remove files
# labelled fingerprintd_data_file inside directories of the same label.
# NOTE(review): policy cannot show whether the data is protected before it
# leaves the secure world - confirm in the daemon / trusted application.
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;
# Directory read/search only on system_data_file; no file access under that
# label is granted here.
# NOTE(review): presumably needed to traverse the parent directories of the
# fingerprint store - confirm, because this also lets tee list the names in
# every directory carrying this widely used label.
allow tee system_data_file:dir r_dir_perms;

# Allow tee to load firmware images.
# r_dir_file is the AOSP read-only macro (directories, files and symlinks of
# the given type); it grants no write access to firmware_file.
r_dir_file(tee, firmware_file)

# Let tee use binder IPC (AOSP binder_use macro: open the binder device and
# talk to the service manager). Calls into specific services need their own
# binder_call rules; none appear in the lines shown here.
# NOTE(review): the file gives no reason for binder access - confirm it is
# still required, as it widens the IPC surface of a domain that also holds
# raw access to the RPMB and SSD partitions.
binder_use(tee)

# Provide tee ability to access QMUXD/IPCRouter for QMI.
# NOTE(review): qmux_socket is a vendor macro defined outside this file, so
# the exact socket types and permissions it grants cannot be read from here -
# review its expansion. The trailing ';' is not used on the other macro calls
# in this file.
qmux_socket(tee);

# Let tee set system properties of type tee_prop through the property
# service (AOSP set_prop macro).
# NOTE(review): tee_prop and its property_contexts mapping are declared
# outside this file - confirm the prefix is narrow and check which domains
# read these properties and act on their values.
set_prop(tee, tee_prop)