authorLinux Build Service Account <lnxbuild@localhost>2016-11-03 06:08:38 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2016-11-03 06:08:38 -0700
commitdf68f0e886ca8e6b47be840dd19fc6f89b095046 (patch)
tree9eebe9cbd5a315f172df2b91bc0b9603a769d7c7
parent88a781dfc2edb816da43daef56c6f973ef41e7b6 (diff)
parentce0771623f916dda03b4c671f9d50df4c11ea2fe (diff)
Merge "sepolicy: secure_touch: enable secure touch for qseecomd"
-rw-r--r--common/file.te3
-rw-r--r--common/init_shell.te3
-rw-r--r--common/qseecomd.te3
-rw-r--r--msmcobalt/file_contexts5
4 files changed, 14 insertions, 0 deletions
diff --git a/common/file.te b/common/file.te
index 2d31a6d4..b2290e7e 100644
--- a/common/file.te
+++ b/common/file.te
@@ -206,3 +206,6 @@ type persist_time_file, file_type;
# kgsl file type for sysfs access
type sysfs_kgsl, sysfs_type, fs_type;
+
+# secure touch files
+type sysfs_securetouch, fs_type, sysfs_type;
diff --git a/common/init_shell.te b/common/init_shell.te
index 487caf05..22dc2769 100644
--- a/common/init_shell.te
+++ b/common/init_shell.te
@@ -160,6 +160,9 @@ allow qti_init_shell kernel:key search;
# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
+# To change owner/permissions of secure touch sysfs files
+r_dir_file(qti_init_shell, sysfs_securetouch)
+
# core-ctl
allow qti_init_shell cgroup:dir add_name;
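Review bot: The added comment says this rule lets qti_init_shell change owner/permissions of the secure touch sysfs files, but `r_dir_file(qti_init_shell, sysfs_securetouch)` grants only read-style access to directories, files and symlinks and does not include `setattr`, which chown/chmod needs. The neighbouring hsic rule adds it explicitly, so the matching form here would be `allow qti_init_shell sysfs_securetouch:file { r_file_perms setattr };`. If the script only reads the node, correct the comment instead, so that nobody later widens the grant on the strength of it. The directory half of the macro also appears unused, since the file_contexts hunk in this commit labels only the `secure_touch_enable` file.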
diff --git a/common/qseecomd.te b/common/qseecomd.te
index a2118202..8e2f8955 100644
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -47,6 +47,9 @@ allow tee time_daemon:unix_stream_socket connectto;
allow tee graphics_device:dir r_dir_perms;
allow tee graphics_device:chr_file r_file_perms;
+#allow tee access for secure touch to work
+allow tee sysfs_securetouch:file rw_file_perms;
+
allow tee surfaceflinger_service : service_manager find;
binder_call(tee, surfaceflinger)
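Review bot: The comment `#allow tee access for secure touch to work` does not say which node is opened or why write access is needed, which makes the `rw_file_perms` grant hard to audit later. Something like `# qseecomd (tee domain) reads and writes the touch controller's secure_touch_enable sysfs node` would tie the rule to the one path this commit labels `sysfs_securetouch`. Because the type also carries the `sysfs_type` attribute, it is worth confirming that no existing attribute-wide rule gives other domains write access to this control.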
diff --git a/msmcobalt/file_contexts b/msmcobalt/file_contexts
index e7f2d8a4..a3dde719 100644
--- a/msmcobalt/file_contexts
+++ b/msmcobalt/file_contexts
@@ -67,3 +67,8 @@
##################################
# FBE
/system/bin/init.qcom.qseecomd.sh u:object_r:init-qcom-fbe-sh_exec:s0
+
+###################################
+# sysfs files
+#
+/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
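Review bot: `input[0-9]` in the new entry matches a single digit, so if the touch controller registers as input10 or higher the node keeps its default sysfs label and the `tee` rule on `sysfs_securetouch` no longer applies to it. Using `input[0-9]+` covers multi-digit indices. The `.` in `75ba000.i2c` is an unescaped regex wildcard as well, and `75ba000\.i2c` keeps the match exact. A miss here fails closed (a denial, not over-labelling), but it should be fixed in the pattern so that nobody works around it by granting `tee` write access to generic sysfs.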