author | Dinesh K Garg <dineshg@codeaurora.org> | 2014-10-31 16:28:22 -0700 |
---|---|---|
committer | Biswajit Paul <biswajitpaul@codeaurora.org> | 2014-11-14 10:49:17 -0800 |
commit | 09a2f199d82ec120cf39873e572f6bfc05960876 (patch) | |
tree | a82f3a85c6d33d70c26787cb5526241099386a0b /common | |
parent | 08eb185144fe19785d32bde6732d2815bff08a8c (diff) | |
sepolicy: Update policy for secure components
Playready stores license under /data/data/app_ms. All TZ apps including
Playready would create their own directory under /data/misc/qsee.
To get test apps working with older dir structure, userdebug mode
build would have permission to create directory under /data/data.
Test apps based on newer targets must move to new structure.
Also add policies for secureUI.
Change-Id: Ibc4412ca9e8e065d54263bb46333bd223dfb553d
Diffstat (limited to 'common')
-rw-r--r-- | common/file.te | 2 | ||||
-rwxr-xr-x | common/file_contexts | 2 | ||||
-rwxr-xr-x | common/qseecomd.te | 29 | ||||
-rw-r--r-- | common/surfaceflinger.te | 1 | ||||
-rw-r--r-- | common/system_app.te | 4 |
5 files changed, 30 insertions, 8 deletions
diff --git a/common/file.te b/common/file.te
index 7af3c98c..622f6d8f 100644
--- a/common/file.te
+++ b/common/file.te
@@ -26,7 +26,7 @@ type sysrq_trigger_proc, fs_type, mlstrustedobject;
 type persist_file, file_type;
 type persist_data_file, file_type;
 type persist_drm_file, file_type;
-type data_drm_file, file_type;
+type data_qsee_file, file_type;
 type diag_data_file, file_type, data_file_type;
diff --git a/common/file_contexts b/common/file_contexts
index 1b0489ca..02167aa4 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -208,7 +208,7 @@
 /data/misc/display(/.*)? u:object_r:display_config:s0
 /data/misc/ipa(/.*)? u:object_r:ipacm_data_file:s0
 /data/dpm(/.*)? u:object_r:dpmd_data_file:s0
-/data/data/app_ms(/.*)? u:object_r:data_drm_file:s0
+/data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0
 /data/misc/location(/.*)? u:object_r:location_data_file:s0
 /data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
diff --git a/common/qseecomd.te b/common/qseecomd.te
index de5810a3..cb81b097 100755
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -1,15 +1,16 @@
 # tee starts as root, and drops privileges
-allow tee self:capability { setuid setgid dac_override };
+allow tee self:capability { setuid setgid dac_override sys_rawio };
-# Need to directly minipulate certain block devices
+# Need to directly manipulate certain block devices
 # for anti-rollback protection
 allow tee block_device:dir r_dir_perms;
-allow tee self:capability sys_rawio;
 allow tee rpmb_device:blk_file rw_file_perms;
-# Allow qseecom complete access to /data/data/app_ms
-allow tee data_drm_file:dir create_dir_perms;
-allow tee data_drm_file:file create_file_perms;
+
+# Allow qseecom to qsee folder so that listeners can create
+# respective directories
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
 allow tee system_data_file:dir r_dir_perms;
 allow tee persist_file:dir r_dir_perms;
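Review bot: In common/file.te, `data_qsee_file` is declared with `file_type` only, although common/file_contexts now places it under /data/misc/qsee; the neighbouring `diag_data_file` carries `data_file_type` as well. Without that attribute, rules and neverallow checks written against `data_file_type` do not see this type, so `type data_qsee_file, file_type, data_file_type;` looks like the intended declaration. The removed `data_drm_file` had the same shape, so this may be inherited rather than deliberate.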
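Review bot: In common/file_contexts the `/data/data/app_ms(/.*)?` entry is dropped without a replacement, yet the commit message says Playready stores licenses there and that userdebug builds keep the old layout working. With the type `data_drm_file` removed as well, files already on disk under that path carry a label the new policy no longer defines, and none of the tee rules visible in this diff grants create access under /data/data. It is worth confirming that migration of existing license data, and the creation and labelling of /data/misc/qsee (for example an init `mkdir` followed by `restorecon`), are handled outside the 'common' directory this diffstat is limited to.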
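Review bot: The new comment in the first hunk of common/qseecomd.te ("Allow qseecom to qsee folder ...") names neither the path nor the scope of the grant; something like `# Full create/write access to /data/misc/qsee (data_qsee_file); each listener creates its own directory there` would match what the two `create_*_perms` rules do. The merged capability line also keeps `dac_override` next to `sys_rawio`; whether the daemon still needs to bypass DAC once its storage lives in a directory of its own is worth checking, since that capability is usually the first one to drop.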
@@ -30,3 +31,19 @@ allow tee firmware_file:file r_file_perms;
 # allow qseecom access to time domain
 allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file r_file_perms;
+allow tee graphics_device:dir r_dir_perms;
+
+binder_call(tee, surfaceflinger)
+binder_use(tee)
+
+allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+userdebug_or_eng(`
+ allow tee su:unix_dgram_socket sendto;
+ allow tee shell_data_file:file rw_file_perms;
+ allow tee shell_data_file:dir search;
+')
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 33f857d2..9c984ace 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -8,3 +8,4 @@ userdebug_or_eng(`
 ')
 binder_call(surfaceflinger, location)
+binder_call(surfaceflinger, tee)
diff --git a/common/system_app.te b/common/system_app.te
index 7844edfb..0a4238a0 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -18,7 +18,11 @@ allow system_app cne_service:service_manager add;
 userdebug_or_eng(`
 allow system_app debugfs:file r_file_perms;
+ allow system_app su:unix_dgram_socket sendto;
 ')
 allow system_app cnd_data_file:dir w_dir_perms;
 allow system_app cnd_data_file:file create_file_perms;
 allow system_app bluetooth:unix_stream_socket ioctl;
+
+# access to tee domain
+allow system_app tee:unix_dgram_socket sendto; |
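Review bot: In the second hunk of common/qseecomd.te, `allow tee system_app:unix_dgram_socket sendto;` opens the datagram channel to every process in the system_app domain, not only the secure UI client, and the matching rule added in common/system_app.te gives all of them a path to the tee daemon. If a single platform-signed app needs this, giving it its own domain through seapp_contexts and naming that domain here would keep the rest of system_app away from qseecomd; at minimum the rule deserves a comment such as `# secure UI client (runs as system_app) exchanges datagrams with qseecomd`. `unix_socket_connect(tee, property, init)` is also unexplained: no `property_service` set rule for tee appears in this hunk, so state which property is written and confirm the set permission exists elsewhere.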
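Review bot: In common/system_app.te the userdebug-only `allow system_app su:unix_dgram_socket sendto;` carries no comment, and nothing in the hunk shows why a system app should send datagrams to the su domain. If it exists for the TZ test apps mentioned in the commit message, a line such as `# userdebug/eng only: TZ test clients are started from an su shell` above it would record that and make the rule easy to drop later. The production rule at the end of the hunk is documented only as "access to tee domain"; naming the feature (secure UI) there would help whoever audits this domain's socket permissions.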