Merge "Move TEE rules to vendor image" into oc-dev

fbccda34 · TreeHugger Robot · Android (Google) Code Review · 29f273ce · 304d6536 · fbccda34
Commit fbccda34 authored 7 years ago by TreeHugger Robot Committed by Android (Google) Code Review 7 years ago
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -145,7 +145,6 @@
 /dev/socket/zygote_secondary	u:object_r:zygote_socket:s0
 /dev/spdif_out.*	u:object_r:audio_device:s0
 /dev/tegra.*		u:object_r:video_device:s0
-/dev/tf_driver		u:object_r:tee_device:s0
 /dev/tty		u:object_r:owntty_device:s0
 /dev/tty[0-9]*		u:object_r:tty_device:s0
 /dev/ttyS[0-9]*		u:object_r:serial_device:s0
@@ -216,7 +215,6 @@
 /system/bin/dhcpcd-6.8.2	u:object_r:dhcp_exec:s0
 /system/bin/mtpd	u:object_r:mtp_exec:s0
 /system/bin/pppd	u:object_r:ppp_exec:s0
-/system/bin/tf_daemon	u:object_r:tee_exec:s0
 /system/bin/racoon	u:object_r:racoon_exec:s0
 /system/xbin/su		u:object_r:su_exec:s0
 /system/xbin/perfprofd  u:object_r:perfprofd_exec:s0

--- a/private/tee.te
+++ b/private/tee.te
-init_daemon_domain(tee)
-# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
-# longer communicate with tee daemon over sockets
-typeattribute tee socket_between_core_and_vendor_violators;
--- a/public/tee.te
+++ b/public/tee.te
 ##
 # trusted execution environment (tee) daemon
 #
-type tee, domain, domain_deprecated;
+type tee, domain;
-type tee_exec, exec_type, file_type;
-type tee_device, dev_type;
-allow tee self:capability { dac_override };
-allow tee tee_device:chr_file rw_file_perms;
-allow tee tee_data_file:dir rw_dir_perms;
-allow tee tee_data_file:file create_file_perms;
-allow tee self:netlink_socket create_socket_perms_no_ioctl;
-allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow tee ion_device:chr_file r_file_perms;
-r_dir_file(tee, sysfs_type)
-# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+# Device(s) for communicating with the TEE
-typeattribute tee coredata_in_vendor_violators;
+type tee_device, dev_type;
-allow tee system_data_file:file { getattr read };
-allow tee system_data_file:lnk_file r_file_perms;
--- a/vendor/tee.te
+++ b/vendor/tee.te
+##
+# trusted execution environment (tee) daemon
+#
+typeattribute tee domain_deprecated;
+type tee_exec, exec_type, file_type;
+init_daemon_domain(tee)
+# TODO(b/36714625, b/36715266): Remove this once drmserver, mediaserver, and surfaceflinger no
+# longer communicate with tee daemon over sockets
+typeattribute tee socket_between_core_and_vendor_violators;
+allow tee self:capability { dac_override };
+allow tee tee_device:chr_file rw_file_perms;
+allow tee tee_data_file:dir rw_dir_perms;
+allow tee tee_data_file:file create_file_perms;
+allow tee self:netlink_socket create_socket_perms_no_ioctl;
+allow tee self:netlink_generic_socket create_socket_perms_no_ioctl;
+allow tee ion_device:chr_file r_file_perms;
+r_dir_file(tee, sysfs_type)
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
+allow tee system_data_file:file { getattr read };
+allow tee system_data_file:lnk_file r_file_perms;