vendor/tee.te - LeafOS-Project/android_system_sepolicy - Gitiles

 ##
 # trusted execution environment (tee) daemon
 #
 typeattribute tee domain_deprecated;

 type tee_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(tee)

 allow tee self:capability { dac_override };
 allow tee tee_device:chr_file rw_file_perms;
 allow tee tee_data_file:dir rw_dir_perms;
 allow tee tee_data_file:file create_file_perms;
 allow tee self:netlink_socket create_socket_perms_no_ioctl;
 allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow tee ion_device:chr_file r_file_perms;
 r_dir_file(tee, sysfs_type)

 # TODO(b/36720355): Remove this once tee no longer access non-vendor files
 typeattribute tee coredata_in_vendor_violators;
 allow tee system_data_file:file { getattr read };
 allow tee system_data_file:lnk_file r_file_perms;
	##
	# trusted execution environment (tee) daemon
	#
	typeattribute tee domain_deprecated;

	type tee_exec, exec_type, vendor_file_type, file_type;
	init_daemon_domain(tee)

	allow tee self:capability { dac_override };
	allow tee tee_device:chr_file rw_file_perms;
	allow tee tee_data_file:dir rw_dir_perms;
	allow tee tee_data_file:file create_file_perms;
	allow tee self:netlink_socket create_socket_perms_no_ioctl;
	allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
	allow tee ion_device:chr_file r_file_perms;
	r_dir_file(tee, sysfs_type)

	# TODO(b/36720355): Remove this once tee no longer access non-vendor files
	typeattribute tee coredata_in_vendor_violators;
	allow tee system_data_file:file { getattr read };
	allow tee system_data_file:lnk_file r_file_perms;