From 304d65363724db53348f6ddf0f7160ac2b72be1d Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Mon, 3 Apr 2017 11:05:45 -0700
Subject: [PATCH] Move TEE rules to vendor image

"tee" domain is a vendor domain. Hence its rules should live on the
vendor image.

What's left as public API is that:
1. tee domain exists and that it is permitted to sys_rawio capability,
2. tee_device type exists and apps are not permitted to access
   character devices labeled tee_device.

If you were relying on system/sepolicy automatically labeling
/dev/tf_driver as tee_device or labeling /system/bin/tf_daemon as
tee_exec, then you need to add these rules to your device-specific
file_contexts.

Test: mmm system/sepolicy
Test: bullhead, angler, and sailfish boot up without new denials
Bug: 36714625
Bug: 36714625
Bug: 36720355
Change-Id: Ie21619ff3c44ef58675c369061b4afdd7e8501c6
---
 private/file_contexts |  2 --
 private/tee.te        |  5 -----
 public/tee.te         | 19 +++----------------
 vendor/tee.te         | 25 +++++++++++++++++++++++++
 4 files changed, 28 insertions(+), 23 deletions(-)
 delete mode 100644 private/tee.te
 create mode 100644 vendor/tee.te

diff --git a/private/file_contexts b/private/file_contexts
index 7a52e5cd2..1d338bf5f 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -144,7 +144,6 @@
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tegra.*		u:object_r:video_device:s0
-/dev/tf_driver		u:object_r:tee_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
@@ -215,7 +214,6 @@
 /system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/xbin/perfprofd  u:object_r:perfprofd_exec:s0
diff --git a/private/tee.te b/private/tee.te
deleted file mode 100644
index c29bee6c6..000000000
--- a/private/tee.te
+++ /dev/null
@@ -1,5 +0,0 @@
-init_daemon_domain(tee)
-
-# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
-# longer communicate with tee daemon over sockets
-typeattribute tee socket_between_core_and_vendor_violators;
diff --git a/public/tee.te b/public/tee.te
index 84e64920b..f023d5c23 100644
--- a/public/tee.te
+++ b/public/tee.te
@@ -1,20 +1,7 @@
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
+type tee, domain;
 
-# TODO(b/36720355): Remove this once tee no longer access non-vendor files
-typeattribute tee coredata_in_vendor_violators;
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
+# Device(s) for communicating with the TEE
+type tee_device, dev_type;
diff --git a/vendor/tee.te b/vendor/tee.te
new file mode 100644
index 000000000..6278d4b09
--- /dev/null
+++ b/vendor/tee.te
@@ -0,0 +1,25 @@
+##
+# trusted execution environment (tee) daemon
+#
+typeattribute tee domain_deprecated;
+
+type tee_exec, exec_type, file_type;
+init_daemon_domain(tee)
+
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
+typeattribute tee socket_between_core_and_vendor_violators;
+
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;
-- 
GitLab