bsp/non_plat/tee.te - LeafOS-Devices/android_device_mediatek_sepolicy - Gitiles

 # ==============================================
 # Common SEPolicy Rule
 # ==============================================

 # Date : 2016/06/01
 # Operation: TEEI integration
 # Purpose: Microtrust teei_daemon service
 allow tee self:capability { sys_module setuid setgid sys_rawio };

 allow tee teei_config_device:chr_file rw_file_perms;
 allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };
 allow tee teei_vfs_device:chr_file rw_file_perms;
 allow tee teei_rpmb_device:chr_file rw_file_perms;
 allow tee teei_data_file:dir create_dir_perms;
 allow tee teei_data_file:file create_file_perms;

 allow tee teei_control_file:dir r_dir_perms;
 allow tee teei_control_file:file rw_file_perms;;
 allow tee teei_control_file:lnk_file rw_file_perms;;

 # allow teei_daemon access /persist section
 allow tee mnt_vendor_file:dir create_dir_perms;
 allow tee mnt_vendor_file:file create_file_perms;
 allow tee persist_data_file:dir create_dir_perms;
 allow tee persist_data_file:file create_file_perms;

 # enable access android property
 set_prop(tee, vendor_mtk_soter_teei_prop)

 # for debug only
 allow tee kmsg_device:chr_file w_file_perms;

 # allow tee read ut_keymaster data
 allow tee ut_keymaster_device:chr_file rw_file_perms;

 # allow load teei drm drivers
 allow tee block_device:dir search;
 allow tee teei_rpmb_device:blk_file rw_file_perms;
 allow tee nvram_device:blk_file rw_file_perms;

 # kernel device
 allow tee tkcore_admin_device:chr_file rw_file_perms;

 # sfs
 allow tee tkcore_data_file:dir create_dir_perms;
 allow tee tkcore_data_file:file { create_file_perms link };

 # persist
 allow tee protect_f_data_file:dir search;
 allow tee tkcore_protect_data_file:dir create_dir_perms;
 allow tee tkcore_protect_data_file:file { create_file_perms link };

 #rpmb
 allow tee self:capability sys_rawio;
 allow tee block_device:dir search;
 set_prop(tee, vendor_mtk_rpmb_ready_prop)

 allow tee rpmb_block_device:blk_file rw_file_perms;
 allowxperm tee rpmb_block_device:blk_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB };
 allow tee rpmb_device:chr_file rw_file_perms;
 allowxperm tee rpmb_device:chr_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB };

 # systa loading
 allow tee tkcore_systa_file:dir r_dir_perms;
 allow tee tkcore_systa_file:file r_file_perms;

 # spta mgmt/loading
 allow tee tkcore_spta_file:dir create_dir_perms;
 allow tee tkcore_spta_file:file create_file_perms;

 # logging
 allow tee tkcore_log_file:file create_file_perms;

 # allow tkcore to read/write vendor.trustkernel.* properties
 set_prop(tee, vendor_mtk_trustkernel_tee_prop);

 # maintaining version through /proc fs
 allow tee proc_tkcore:file rw_file_perms;
 allow tee proc_tkcore:dir search;

 allow tee bootdevice_block_device:blk_file rw_file_perms;
 allowxperm tee bootdevice_block_device:blk_file ioctl { MMC_IOC_MULTI_CMD UFS_IOCTL_RPMB};
 allow tee tee_data_file:dir create_dir_perms;
	# ==============================================
	# Common SEPolicy Rule
	# ==============================================

	# Date : 2016/06/01
	# Operation: TEEI integration
	# Purpose: Microtrust teei_daemon service
	allow tee self:capability { sys_module setuid setgid sys_rawio };

	allow tee teei_config_device:chr_file rw_file_perms;
	allow tee teei_client_device:chr_file { create setattr unlink rw_file_perms };
	allow tee teei_vfs_device:chr_file rw_file_perms;
	allow tee teei_rpmb_device:chr_file rw_file_perms;
	allow tee teei_data_file:dir create_dir_perms;
	allow tee teei_data_file:file create_file_perms;

	allow tee teei_control_file:dir r_dir_perms;
	allow tee teei_control_file:file rw_file_perms;;
	allow tee teei_control_file:lnk_file rw_file_perms;;

	# allow teei_daemon access /persist section
	allow tee mnt_vendor_file:dir create_dir_perms;
	allow tee mnt_vendor_file:file create_file_perms;
	allow tee persist_data_file:dir create_dir_perms;
	allow tee persist_data_file:file create_file_perms;

	# enable access android property
	set_prop(tee, vendor_mtk_soter_teei_prop)

	# for debug only
	allow tee kmsg_device:chr_file w_file_perms;

	# allow tee read ut_keymaster data
	allow tee ut_keymaster_device:chr_file rw_file_perms;

	# allow load teei drm drivers
	allow tee block_device:dir search;
	allow tee teei_rpmb_device:blk_file rw_file_perms;
	allow tee nvram_device:blk_file rw_file_perms;

	# kernel device
	allow tee tkcore_admin_device:chr_file rw_file_perms;

	# sfs
	allow tee tkcore_data_file:dir create_dir_perms;
	allow tee tkcore_data_file:file { create_file_perms link };

	# persist
	allow tee protect_f_data_file:dir search;
	allow tee tkcore_protect_data_file:dir create_dir_perms;
	allow tee tkcore_protect_data_file:file { create_file_perms link };

	#rpmb
	allow tee self:capability sys_rawio;
	allow tee block_device:dir search;
	set_prop(tee, vendor_mtk_rpmb_ready_prop)

	allow tee rpmb_block_device:blk_file rw_file_perms;
	allowxperm tee rpmb_block_device:blk_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB };
	allow tee rpmb_device:chr_file rw_file_perms;
	allowxperm tee rpmb_device:chr_file ioctl { MMC_IOCTLCMD MMC_IOC_MULTI_CMD UFS_IOCTLCMD UFS_IOCTL_RPMB };

	# systa loading
	allow tee tkcore_systa_file:dir r_dir_perms;
	allow tee tkcore_systa_file:file r_file_perms;

	# spta mgmt/loading
	allow tee tkcore_spta_file:dir create_dir_perms;
	allow tee tkcore_spta_file:file create_file_perms;

	# logging
	allow tee tkcore_log_file:file create_file_perms;

	# allow tkcore to read/write vendor.trustkernel.* properties
	set_prop(tee, vendor_mtk_trustkernel_tee_prop);

	# maintaining version through /proc fs
	allow tee proc_tkcore:file rw_file_perms;
	allow tee proc_tkcore:dir search;

	allow tee bootdevice_block_device:blk_file rw_file_perms;
	allowxperm tee bootdevice_block_device:blk_file ioctl { MMC_IOC_MULTI_CMD UFS_IOCTL_RPMB};
	allow tee tee_data_file:dir create_dir_perms;