Skip to content
Snippets Groups Projects
Commit e07b8a56 authored by rpcraig's avatar rpcraig
Browse files

Trusted Execution Environment policy.

parent a1ce2fa2
Branches
Tags
No related merge requests found
......@@ -18,3 +18,4 @@ allow drmserver sdcard:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver self:{ tcp_socket udp_socket } *;
allow drmserver tee_device:chr_file rw_file_perms;
......@@ -12,3 +12,5 @@ type_transition gpsd gps_data_file:sock_file gps_socket;
allow gpsd gps_socket:sock_file create_file_perms;
# XXX Label sysfs files with a specific type?
allow gpsd sysfs:file rw_file_perms;
allow gpsd gps_device:chr_file rw_file_perms;
......@@ -6,3 +6,4 @@ init_daemon_domain(keystore)
allow keystore keystore_data_file:dir create_dir_perms;
allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
allow keystore keystore_exec:file { getattr };
allow keystore tee_device:chr_file rw_file_perms;
......@@ -42,3 +42,5 @@ allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
# Allow abstract socket connection
allow mediaserver rild:unix_stream_socket connectto;
allow mediaserver tee_device:chr_file rw_file_perms;
tee.te 0 → 100644
##
# trusted execution environment (tee) daemon
#
type tee, domain;
type tee_exec, exec_type, file_type;
type tee_device, dev_type;
type tee_data_file, file_type, data_file_type;
init_daemon_domain(tee)
allow tee self:capability { dac_override };
allow tee tee_device:chr_file rw_file_perms;
allow tee tee_data_file:dir { getattr write add_name };
allow tee tee_data_file:file create_file_perms;
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment