Trusted Execution Environment policy.

drmserver.te

@@ -18,3 +18,4 @@ allow drmserver sdcard:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver self:{ tcp_socket udp_socket } *;
+allow drmserver tee_device:chr_file rw_file_perms;

gpsd.te

@@ -12,3 +12,5 @@ type_transition gpsd gps_data_file:sock_file gps_socket;
 allow gpsd gps_socket:sock_file create_file_perms;
 # XXX Label sysfs files with a specific type?
 allow gpsd sysfs:file rw_file_perms;
+
+allow gpsd gps_device:chr_file rw_file_perms;

keystore.te

@@ -6,3 +6,4 @@ init_daemon_domain(keystore)
 allow keystore keystore_data_file:dir create_dir_perms;
 allow keystore keystore_data_file:notdevfile_class_set create_file_perms;
 allow keystore keystore_exec:file { getattr };
+allow keystore tee_device:chr_file rw_file_perms;

mediaserver.te

@@ -42,3 +42,5 @@ allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
 # Allow abstract socket connection
 allow mediaserver rild:unix_stream_socket connectto;
+
+allow mediaserver tee_device:chr_file rw_file_perms;

tee.te

+##
+# trusted execution environment (tee) daemon
+#
+type tee, domain;
+type tee_exec, exec_type, file_type;
+type tee_device, dev_type;
+type tee_data_file, file_type, data_file_type;
+
+init_daemon_domain(tee)
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir { getattr write add_name };
+allow tee tee_data_file:file create_file_perms;