79 lines
2.3 KiB
Text
79 lines
2.3 KiB
Text
# tee starts as root, and drops privileges
|
|
allow tee self:capability {
|
|
setuid
|
|
setgid
|
|
sys_admin
|
|
chown
|
|
dac_override
|
|
sys_rawio
|
|
};
|
|
|
|
# Need to directly manipulate certain block devices
|
|
# for anti-rollback protection
|
|
allow tee block_device:dir r_dir_perms;
|
|
allow tee rpmb_device:blk_file rw_file_perms;
|
|
|
|
# Need to figure out how many scsi generic devices are preset
|
|
# before being able to identify which one is rpmb device
|
|
allow tee device:dir r_dir_perms;
|
|
allow tee sg_device:chr_file { rw_file_perms setattr };
|
|
|
|
# Allow qseecom to qsee folder so that listeners can create
|
|
# respective directories
|
|
allow tee data_qsee_file:dir create_dir_perms;
|
|
allow tee data_qsee_file:file create_file_perms;
|
|
allow tee system_data_file:dir r_dir_perms;
|
|
|
|
allow tee persist_file:dir r_dir_perms;
|
|
r_dir_file(tee, persist_data_file)
|
|
|
|
# Write to drm related pieces of persist partition
|
|
allow tee persist_drm_file:dir create_dir_perms;
|
|
allow tee persist_drm_file:file create_file_perms;
|
|
|
|
# Provide tee access to ssd partition for HW FDE
|
|
allow tee ssd_device:blk_file rw_file_perms;
|
|
|
|
# allow tee to operate tee device
|
|
allow tee tee_device:chr_file rw_file_perms;
|
|
|
|
# allow tee to load firmware images
|
|
r_dir_file(tee, firmware_file)
|
|
|
|
# allow qseecom access to time domain
|
|
allow tee time_daemon:unix_stream_socket connectto;
|
|
|
|
# allow tee access for secure UI to work
|
|
allow tee graphics_device:dir r_dir_perms;
|
|
allow tee graphics_device:chr_file r_file_perms;
|
|
|
|
#allow tee access for secure touch to work
|
|
allow tee sysfs_securetouch:file rw_file_perms;
|
|
|
|
allow tee surfaceflinger_service : service_manager find;
|
|
|
|
binder_call(tee, surfaceflinger)
|
|
binder_use(tee)
|
|
|
|
allow tee system_app:unix_dgram_socket sendto;
|
|
|
|
# allow qseecom access to set system property
|
|
set_prop(tee, system_prop)
|
|
|
|
userdebug_or_eng(`
|
|
allow tee su:unix_dgram_socket sendto;
|
|
#allow tee shell_data_file:file rw_file_perms;
|
|
#allow tee shell_data_file:dir search;
|
|
')
|
|
|
|
#allow access to qfp-daemon
|
|
allow tee qfp-daemon_data_file:dir create_dir_perms;
|
|
allow tee qfp-daemon_data_file:file create_file_perms;
|
|
|
|
# Allow access to qsee_ipc_irq_spss device
|
|
allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
|
|
|
|
#allow access to fingerprintd data file
|
|
allow tee fingerprintd_data_file:dir create_dir_perms;
|
|
allow tee fingerprintd_data_file:file create_file_perms;
|
|
|