author | Krishna Konda <kkonda@codeaurora.org> | 2015-01-16 10:53:35 -0800 |
---|---|---|
committer | Krishna Konda <kkonda@codeaurora.org> | 2015-01-29 16:33:59 -0800 |
commit | d27bc3f38f0397857554ba93a3ed5a3d26fbdaa5 (patch) | |
tree | 8665b699213b3a8e76934cca086a94400977e3a1 /common | |
parent | 05f7876c31b6b9d52f66612e1a6bc7b28008273e (diff) | |
sepolicy: Update sepolicy for qseecom rpmb component
UFS is another supported primary storage device and has an RPMB
partition that is used by the rpmb listener in qseecom. This change
updates the selinux policy to allow access to scsi generic devices (as
current UFS devices work as scsi devices) for the rpmb component to
function as expected.
CRs-Fixed: 781763
Change-Id: I74b7d1739720b9e0d4feff04962d9dd3e16e9c20
Diffstat (limited to 'common')
-rwxr-xr-x | common/device.te | 1 | ||||
-rw-r--r-- | common/file_contexts | 1 | ||||
-rwxr-xr-x | common/qseecomd.te | 6 |
3 files changed, 7 insertions, 1 deletions
diff --git a/common/device.te b/common/device.te
index 4c0aa2c2..983156de 100755
--- a/common/device.te
+++ b/common/device.te
@@ -41,6 +41,7 @@ type modem_efs_partition_device, dev_type;
 #Define device for partition links
 type ssd_device, dev_type;
 type rpmb_device, dev_type;
+type sg_device, dev_type;
 
 #ESOC device
 type esoc_device, dev_type;
diff --git a/common/file_contexts b/common/file_contexts
index f9cbc6c0..9283f7de 100644
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -32,6 +32,7 @@
 /dev/block/bootdevice/by-name/fsc u:object_r:modem_efs_partition_device:s0
 /dev/block/bootdevice/by-name/ssd u:object_r:ssd_device:s0
 /dev/block/mmcblk0rpmb u:object_r:rpmb_device:s0
+/dev/sg.* u:object_r:sg_device:s0
 /dev/ccid_bridge u:object_r:usb_uicc_device:s0
 /dev/block/bootdevice/by-name/mdm1m9kefs1 u:object_r:efs_boot_dev:s0
 /dev/block/bootdevice/by-name/mdm1m9kefs2 u:object_r:efs_boot_dev:s0
diff --git a/common/qseecomd.te b/common/qseecomd.te
index 974aff1e..42f4bf95 100755
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -1,11 +1,15 @@
 # tee starts as root, and drops privileges
-allow tee self:capability { setuid setgid dac_override sys_rawio };
+allow tee self:capability { setuid setgid sys_admin chown dac_override sys_rawio };
 
 # Need to directly manipulate certain block devices
 # for anti-rollback protection
 allow tee block_device:dir r_dir_perms;
 allow tee rpmb_device:blk_file rw_file_perms;
+# Need to figure out how many scsi generic devices are preset
+# before being able to identify which one is rpmb device
+allow tee device:dir r_dir_perms;
+allow tee sg_device:chr_file { rw_file_perms setattr };
 
 # Allow qseecom to qsee folder so that listeners can create
 # respective directories
|
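Review bot: The new label `/dev/sg.* u:object_r:sg_device:s0` matches every /dev entry whose name begins with `sg`, because file_contexts patterns are full-match regexes and `.*` is unbounded, so any future sg-prefixed node would silently inherit the read/write/setattr rights this commit gives tee on sg_device. If only SCSI generic nodes are intended, `/dev/sg[0-9]+ u:object_r:sg_device:s0` narrows the label to them at no cost. I have not seen a conflicting sg-prefixed node on these targets, so this is a tightening rather than a known collision.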
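Review bot: The rewritten capability line adds `sys_admin` and `chown` to tee, but neither is mentioned in the commit message, which only motivates SCSI generic device access, and CAP_SYS_ADMIN is broad enough to largely negate the privilege drop the comment directly above it describes. If the RPMB-over-UFS path genuinely needs them (the `setattr` on `sg_device:chr_file` suggests tee re-owns or re-modes the node it identifies as RPMB, which would explain `chown` but not `sys_admin`), each should be justified inline, e.g. `# chown/setattr: tee reassigns ownership of the sg node it selects as RPMB` and a matching line naming the operation that requires sys_admin; otherwise sys_admin should be dropped. Note also that `allow tee device:dir r_dir_perms` lets tee enumerate all of /dev, not only sg nodes, which appears unavoidable since they live directly under /dev but is worth stating in the comment, and that comment reads `preset` where `present` is meant.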