From 0f6c047d2ef57e8860118219efe03e04ca6f54ed Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Tue, 28 Mar 2017 21:59:24 -0700
Subject: [PATCH] tee domain is a vendor domain

As a result, Keymaster and DRM HALs are permitted to talk to tee domain
over sockets. Unfortunately, the tee domain needs to remain on the
exemptions list because drmserver, mediaserver, and surfaceflinger are
currently permitted to talk to this domain over sockets.

We need to figure out why global policy even defines a TEE domain...

Test: mmm system/sepolicy
Bug: 36601092
Bug: 36601602
Bug: 36714625
Bug: 36715266
Change-Id: I0b95e23361204bd046ae5ad22f9f953c810c1895
---
 private/tee.te                  | 6 ++----
 public/file.te                  | 2 +-
 public/hal_keymaster.te         | 1 -
 public/tee.te                   | 3 +++
 vendor/hal_drm_default.te       | 2 --
 vendor/hal_keymaster_default.te | 3 ---
 6 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/private/tee.te b/private/tee.te
index 01a52def2..c29bee6c6 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,7 +1,5 @@
-typeattribute tee coredomain;
-
 init_daemon_domain(tee)
 
-# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
-# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
 typeattribute tee socket_between_core_and_vendor_violators;
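Review bot: The exemption kept on the last line of this hunk applies to the tee type as a whole, while the rewritten TODO justifies it only by three clients. If the socket neverallow skips any pair where one side carries `socket_between_core_and_vendor_violators` (the rule is not visible here), a later allow rule from any other core domain to tee would also build cleanly. The comment could say so, e.g. `# Exempts tee as a whole; only drmserver, mediaserver and surfaceflinger are expected to connect.` Dropping `typeattribute tee coredomain` may also remove permissions tee received through rules written against `coredomain`, and the Test: line is a build only, so a boot check for new tee denials would be worth recording.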
diff --git a/public/file.te b/public/file.te
index 21d574468..92fa4a35f 100644
--- a/public/file.te
+++ b/public/file.te
@@ -180,7 +180,7 @@ type wifi_data_file, file_type, data_file_type, core_data_file_type;
 type zoneinfo_data_file, file_type, data_file_type, core_data_file_type;
 type vold_data_file, file_type, data_file_type, core_data_file_type;
 type perfprofd_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
-type tee_data_file, file_type, data_file_type, core_data_file_type;
+type tee_data_file, file_type, data_file_type;
 type update_engine_data_file, file_type, data_file_type, core_data_file_type;
 # /data/misc/trace for method traces on userdebug / eng builds
 type method_trace_data_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
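Review bot: `tee_data_file` is now the only data type in the visible run without `core_data_file_type`, and nothing at the declaration says why. A one-line comment above it, such as `# tee is a vendor domain, so its data is not core data`, would stop a later cleanup from restoring the attribute. Whether any core domain still has rules on `tee_data_file` cannot be seen from this hunk. If one does, it deserves the same kind of tracked TODO that the socket exemptions carry.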
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index 5e66c8af4..d50812c39 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,7 +2,6 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
 allow hal_keymaster tee:unix_stream_socket connectto;
 
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/tee.te b/public/tee.te
index 45242817c..84e64920b 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -13,5 +13,8 @@ allow tee self:netlink_socket create_socket_perms_no_ioctl;
 allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow tee ion_device:chr_file r_file_perms;
 r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
 allow tee system_data_file:file { getattr read };
 allow tee system_data_file:lnk_file r_file_perms;
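Review bot: The added TODO says "non-vendor files", but the only core-data rules visible after it are the two `system_data_file` reads, and the attribute exempts tee as a whole. Naming the access keeps the exemption reviewable: `# TODO(b/36720355): Remove this once tee no longer reads system_data_file (the two rules below)`. This attribute sits in public/tee.te while the socket exemption for the same type is in private/tee.te, so a short comment on why the placement differs would help. b/36720355 is also missing from the commit message's Bug: lines.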
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index c779711c9..ad1762f92 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -7,8 +7,6 @@ init_daemon_domain(hal_drm_default)
 allow hal_drm_default mediacodec:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;
 
-# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
-typeattribute hal_drm_default socket_between_core_and_vendor_violators;
 # TODO (b/36601695) remove hal_drm's access to /data or move to
 # /data/vendor/hardware/hal_drm. Remove coredata_in_vendor_violators
 # attribute.
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 2fd5b4461..32df262ab 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,6 +3,3 @@ hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
-
-# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
-typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;
-- 
GitLab