Blame - common/qseecomd.te - platform_device_qcom_sepolicy-legacy

blob: 48489ad1bea6b819872eafd3b4f7ffef91dd5d05 [file] [log] [blame]

Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	1	# tee starts as root, and drops privileges
Avijit Kanti Das	441bad4	2015-05-12 14:07:41 -0700	[diff] [blame]	2	allow tee self:capability {
				3	setuid
				4	setgid
				5	sys_admin
				6	chown
				7	dac_override
				8	sys_rawio
				9	};
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	10
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	11	# Need to directly manipulate certain block devices
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	12	# for anti-rollback protection
				13	allow tee block_device:dir r_dir_perms;
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	14	allow tee rpmb_device:blk_file rw_file_perms;
				15
Krishna Konda	d27bc3f	2015-01-16 10:53:35 -0800	[diff] [blame]	16	# Need to figure out how many scsi generic devices are preset
				17	# before being able to identify which one is rpmb device
				18	allow tee device:dir r_dir_perms;
				19	allow tee sg_device:chr_file { rw_file_perms setattr };
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	20
				21	# Allow qseecom to qsee folder so that listeners can create
				22	# respective directories
				23	allow tee data_qsee_file:dir create_dir_perms;
				24	allow tee data_qsee_file:file create_file_perms;
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	25	allow tee system_data_file:dir r_dir_perms;
				26
				27	allow tee persist_file:dir r_dir_perms;
				28	r_dir_file(tee, persist_data_file)
Avijit Kanti Das	441bad4	2015-05-12 14:07:41 -0700	[diff] [blame]	29
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	30	# Write to drm related pieces of persist partition
				31	allow tee persist_drm_file:dir create_dir_perms;
				32	allow tee persist_drm_file:file create_file_perms;
				33
Zhen Kong	b5c2e62	2017-09-19 12:18:24 -0700	[diff] [blame]	34	# Allow SFS to write to data partition
Zhen Kong	21e053d	2017-10-11 12:02:29 -0700	[diff] [blame]	35	allow tee data_tzstorage_file:dir create_dir_perms;
				36	allow tee data_tzstorage_file:file create_file_perms;
Zhen Kong	b5c2e62	2017-09-19 12:18:24 -0700	[diff] [blame]	37
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	38	# Provide tee access to ssd partition for HW FDE
				39	allow tee ssd_device:blk_file rw_file_perms;
				40
				41	# allow tee to operate tee device
				42	allow tee tee_device:chr_file rw_file_perms;
				43
				44	# allow tee to load firmware images
Avijit Kanti Das	441bad4	2015-05-12 14:07:41 -0700	[diff] [blame]	45	r_dir_file(tee, firmware_file)
Dinesh K Garg	e5bafbf	2014-10-22 00:13:49 -0700	[diff] [blame]	46
				47	# allow qseecom access to time domain
				48	allow tee time_daemon:unix_stream_socket connectto;
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	49
				50	# allow tee access for secure UI to work
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	51	allow tee graphics_device:dir r_dir_perms;
Avijit Kanti Das	441bad4	2015-05-12 14:07:41 -0700	[diff] [blame]	52	allow tee graphics_device:chr_file r_file_perms;
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	53
Dany Rybnikov	ce07716	2016-03-14 14:22:47 +0200	[diff] [blame]	54	#allow tee access for secure touch to work
				55	allow tee sysfs_securetouch:file rw_file_perms;
				56
Ravi Kumar Siddojigari	c7def12	2017-06-13 00:49:19 +0530	[diff] [blame]	57	#allow tee surfaceflinger_service : service_manager find;
Arun Kumar K.R	804eccd	2015-08-26 16:35:06 -0700	[diff] [blame]	58
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	59	binder_call(tee, surfaceflinger)
Ravi Kumar Siddojigari	c7def12	2017-06-13 00:49:19 +0530	[diff] [blame]	60	#binder_use(tee)
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	61
sahil madeka	a3608c9	2017-05-12 15:41:40 -0700	[diff] [blame]	62	set_prop(tee, system_prop);
				63
Avijit Kanti Das	441bad4	2015-05-12 14:07:41 -0700	[diff] [blame]	64
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	65	userdebug_or_eng(`
				66	allow tee su:unix_dgram_socket sendto;
David Ng	14a42d6	2016-03-07 15:35:02 -0800	[diff] [blame]	67	#allow tee shell_data_file:file rw_file_perms;
				68	#allow tee shell_data_file:dir search;
Dinesh K Garg	09a2f19	2014-10-31 16:28:22 -0700	[diff] [blame]	69	')
Biswajit Paul	28439f9	2015-07-15 13:28:27 -0700	[diff] [blame]	70
Biswajit Paul	28439f9	2015-07-15 13:28:27 -0700	[diff] [blame]	71
				72	#allow access to qfp-daemon
				73	allow tee qfp-daemon_data_file:dir create_dir_perms;
				74	allow tee qfp-daemon_data_file:file create_file_perms;
Abir Ghosh	2cd6e6e	2017-02-08 15:08:55 +0530	[diff] [blame]	75	allow tee persist_qti_fp_file:dir create_dir_perms;
				76	allow tee persist_qti_fp_file:file create_file_perms;
Biswajit Paul	28439f9	2015-07-15 13:28:27 -0700	[diff] [blame]	77
Abir Ghosh	2cb3439	2017-06-21 15:26:04 -0700	[diff] [blame]	78	# Provide access to Q VoicePrint
				79	allow tee qvop-daemon_data_file:dir create_dir_perms;
				80	allow tee qvop-daemon_data_file:file create_file_perms;
				81
Amir Samuelov	33976ed	2016-09-09 07:24:00 +0300	[diff] [blame]	82	# Allow access to qsee_ipc_irq_spss device
				83	allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
				84
Avijit Kanti Das	8469d2c	2015-09-18 07:55:17 -0700	[diff] [blame]	85	#allow access to fingerprintd data file
				86	allow tee fingerprintd_data_file:dir create_dir_perms;
				87	allow tee fingerprintd_data_file:file create_file_perms;
Brahmaji K	fab6271	2017-08-24 15:09:40 +0530	[diff] [blame]	88
				89	#secureUI
				90	hal_client_domain(tee, hal_tui_comm);
				91	hal_client_domain(tee, hal_qdutils_disp);
				92	hal_client_domain(tee, hal_graphics_allocator);
Brahmaji K	13d470b	2017-10-31 18:09:51 +0530	[diff] [blame]	93	vndbinder_use(tee);
				94	allow tee qdisplay_service:service_manager find;
				95	hal_client_domain(tee, hal_display_config);
				96	binder_call(tee, hal_graphics_composer_default);