sepolicy: Add support for new mdtpd

MDTP daemon (mdtpd) was created. All MDTP threads were removed
from QSEECOM.
This change moves all MDTP specific rules from the qseecomd
domain to the mdtp domain.

Change-Id: I12f624c89f6fe43b09a7c748c2b0b26dc8c0a0ee

3 files changed, 33 insertions, 23 deletions

diff --git a/common/file_contexts b/common/file_contexts
index fe31cc18..f6b69d05 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -222,7 +222,7 @@
 /system/bin/tbaseLoader                         u:object_r:tbaseLoader_exec:s0
 /system/bin/mcStarter                           u:object_r:mcStarter_exec:s0
 /system/bin/fstman                              u:object_r:fstman_exec:s0
-/system/vendor/bin/mdtp_service                 u:object_r:mdtpdaemon_exec:s0
+/system/vendor/bin/mdtpd                        u:object_r:mdtpdaemon_exec:s0
 
 ###################################
 # sysfs files
diff --git a/common/mdtp.te b/common/mdtp.te
index f69456c4..ee09f772 100644
--- a/common/mdtp.te
+++ b/common/mdtp.te
@@ -28,6 +28,17 @@
 type mdtpdaemon, domain;
 type mdtpdaemon_exec, exec_type, file_type;
 
+allow mdtpdaemon self:capability {
+    setuid
+    setgid
+};
+
+userdebug_or_eng(`
+    #Needed for kill(pid, 0) existance test
+    allow mdtpdaemon su:process signull;
+    allow mdtpdaemon self:capability kill;
+')
+
 #Allow for transition from init domain to mdtpdaemon
 init_daemon_domain(mdtpdaemon)
 
@@ -48,9 +59,30 @@ r_dir_file(mdtpdaemon, firmware_file)
 
 #Allow access to qsee directories
 allow mdtpdaemon data_qsee_file:dir create_dir_perms;
+allow mdtpdaemon data_qsee_file:file create_file_perms;
 
 #Allow access to qsee fifos
 allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
 
 #Allow access to tee device
 allow mdtpdaemon tee_device:chr_file rw_file_perms;
+
+# Provide access to block devices
+allow mdtpdaemon block_device:dir r_dir_perms;
+allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
+allow mdtpdaemon dip_device:blk_file rw_file_perms;
+allow mdtpdaemon system_block_device:blk_file r_file_perms;
+
+# Provide access to QTI Crypto driver for MDTP
+# allow mdtpdaemon qce_device:chr_file rw_file_perms;
+
+# Provide read access to all /system files for MDTP file-to-block-mapping
+r_dir_file(mdtpdaemon, exec_type)
+r_dir_file(mdtpdaemon, system_file)
+
+# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
+qmux_socket(mdtpdaemon);
+allow mdtpdaemon self:socket create_socket_perms;
+
+# Provide tee ability to run executables in rootfs for MDTP
+allow mdtpdaemon rootfs:file x_file_perms;
diff --git a/common/qseecomd.te b/common/qseecomd.te
index 0c077ea1..d09057ae 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -77,25 +77,3 @@ allow tee persist_qc_senseid_file:file create_file_perms;
 allow tee fingerprintd_data_file:dir create_dir_perms;
 allow tee fingerprintd_data_file:file create_file_perms;
 
-# Provide access to block devices for MDTP
-allow tee mdtp_device:blk_file rw_file_perms;
-allow tee dip_device:blk_file rw_file_perms;
-allow tee system_block_device:blk_file r_file_perms;
-
-# Provide access to QC Crypto driver for MDTP
-allow tee qce_device:chr_file rw_file_perms;
-
-# Provide access to /data/misc/qsee/mdtp for MDTP temp files
-allow tee data_qsee_file:dir create_dir_perms;
-allow tee data_qsee_file:{ file fifo_file } create_file_perms;
-
-# Provide read access to all /system files for MDTP file-to-block-mapping
-r_dir_file(tee, exec_type)
-r_dir_file(tee, system_file)
-
-# Provide tee ability to access QMUXD/IPCRouter for QMI
-qmux_socket(tee);
-allow tee self:socket create_socket_perms;
-
-# Provide tee ability to run executables in rootfs for MDTP
-allow tee rootfs:file x_file_perms;