qva/vendor/common/qseecomd.te - LeafOS-Project/android_device_qcom_sepolicy_vndr - Gitiles

 # Copyright (c) 2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
 # met:
 #     * Redistributions of source code must retain the above copyright
 #       notice, this list of conditions and the following disclaimer.
 #     * Redistributions in binary form must reproduce the above
 #       copyright notice, this list of conditions and the following
 #       disclaimer in the documentation and/or other materials provided
 #       with the distribution.
 #     * Neither the name of The Linux Foundation nor the names of its
 #       contributors may be used to endorse or promote products derived
 #       from this software without specific prior written permission.
 #
 # THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
 # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
 # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
 # ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
 # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
 # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
 # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
 # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

 # Allow access to qsee_ipc_irq_spss device
 allow tee vendor_qsee_ipc_irq_spss_device:chr_file rw_file_perms;
 allow tee tee_device:chr_file rw_file_perms;
 hal_client_domain(tee, vendor_hal_soter);
 unix_socket_connect(tee, property, init)
 # Allow access to qsee data file
 allow tee vendor_data_qsee_file:dir create_dir_perms;
 allow tee vendor_data_qsee_file:file create_file_perms;
 # allow tee access for secure UI to work
 allow tee graphics_device:dir r_dir_perms;
 allow tee graphics_device:chr_file r_file_perms;
 allow tee vendor_data_file:dir r_dir_perms;

 dontaudit tee rootfs:dir { read };

 wakelock_use(tee)
 r_dir_file(tee, firmware_file)
 allow tee vendor_qfp-daemon_data_file:dir create_dir_perms;
 allow tee vendor_qfp-daemon_data_file:file create_file_perms;
 allow tee vendor_persist_qti_fp_file:dir create_dir_perms;
 allow tee vendor_persist_qti_fp_file:file create_file_perms;

 allowxperm tee vendor_rpmb_device:blk_file ioctl { MMC_IOC_CMD };
 allowxperm tee vendor_rpmb_device:chr_file ioctl {MMC_IOC_MULTI_CMD};

 # As each dma buf is seperate device, need to allow access to those devices
 allow tee vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
 allow tee vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
 allow tee vendor_dmabuf_user_contig_heap_device:chr_file r_file_perms;
 # Allow get prop  access for User space reboot property
 get_prop(tee, userspace_reboot_exported_prop);
	# Copyright (c) 2018, The Linux Foundation. All rights reserved.
	#
	# Redistribution and use in source and binary forms, with or without
	# modification, are permitted provided that the following conditions are
	# met:
	# * Redistributions of source code must retain the above copyright
	# notice, this list of conditions and the following disclaimer.
	# * Redistributions in binary form must reproduce the above
	# copyright notice, this list of conditions and the following
	# disclaimer in the documentation and/or other materials provided
	# with the distribution.
	# * Neither the name of The Linux Foundation nor the names of its
	# contributors may be used to endorse or promote products derived
	# from this software without specific prior written permission.
	#
	# THIS SOFTWARE IS PROVIDED"AS IS" AND ANY EXPRESS OR IMPLIED
	# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
	# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
	# ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
	# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
	# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
	# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
	# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
	# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
	# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
	# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

	# Allow access to qsee_ipc_irq_spss device
	allow tee vendor_qsee_ipc_irq_spss_device:chr_file rw_file_perms;
	allow tee tee_device:chr_file rw_file_perms;
	hal_client_domain(tee, vendor_hal_soter);
	unix_socket_connect(tee, property, init)
	# Allow access to qsee data file
	allow tee vendor_data_qsee_file:dir create_dir_perms;
	allow tee vendor_data_qsee_file:file create_file_perms;
	# allow tee access for secure UI to work
	allow tee graphics_device:dir r_dir_perms;
	allow tee graphics_device:chr_file r_file_perms;
	allow tee vendor_data_file:dir r_dir_perms;

	dontaudit tee rootfs:dir { read };

	wakelock_use(tee)
	r_dir_file(tee, firmware_file)
	allow tee vendor_qfp-daemon_data_file:dir create_dir_perms;
	allow tee vendor_qfp-daemon_data_file:file create_file_perms;
	allow tee vendor_persist_qti_fp_file:dir create_dir_perms;
	allow tee vendor_persist_qti_fp_file:file create_file_perms;

	allowxperm tee vendor_rpmb_device:blk_file ioctl { MMC_IOC_CMD };
	allowxperm tee vendor_rpmb_device:chr_file ioctl {MMC_IOC_MULTI_CMD};

	# As each dma buf is seperate device, need to allow access to those devices
	allow tee vendor_dmabuf_qseecom_heap_device:chr_file r_file_perms;
	allow tee vendor_dmabuf_qseecom_ta_heap_device:chr_file r_file_perms;
	allow tee vendor_dmabuf_user_contig_heap_device:chr_file r_file_perms;
	# Allow get prop access for User space reboot property
	get_prop(tee, userspace_reboot_exported_prop);