authorDinesh K Garg <dineshg@codeaurora.org>2014-10-31 16:28:22 -0700
committerBiswajit Paul <biswajitpaul@codeaurora.org>2014-11-14 10:49:17 -0800
commit09a2f199d82ec120cf39873e572f6bfc05960876 (patch)
treea82f3a85c6d33d70c26787cb5526241099386a0b /common
parent08eb185144fe19785d32bde6732d2815bff08a8c (diff)
sepolicy: Update policy for secure components
Playready stores license under /data/data/app_ms. All TZ apps including Playready would create their own directory under /data/misc/qsee. To get test apps working with older dir structure, userdebug mode build would have permission to create directory under /data/data. Test apps based on newer targets must move to new structure. Also add policies for secureUI. Change-Id: Ibc4412ca9e8e065d54263bb46333bd223dfb553d
Diffstat (limited to 'common')
-rw-r--r--common/file.te2
-rwxr-xr-xcommon/file_contexts2
-rwxr-xr-xcommon/qseecomd.te29
-rw-r--r--common/surfaceflinger.te1
-rw-r--r--common/system_app.te4
5 files changed, 30 insertions, 8 deletions
diff --git a/common/file.te b/common/file.te
index 7af3c98c..622f6d8f 100644
--- a/common/file.te
+++ b/common/file.te
@@ -26,7 +26,7 @@ type sysrq_trigger_proc, fs_type, mlstrustedobject;
type persist_file, file_type;
type persist_data_file, file_type;
type persist_drm_file, file_type;
-type data_drm_file, file_type;
+type data_qsee_file, file_type;
type diag_data_file, file_type, data_file_type;
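Review bot: `data_qsee_file` is declared with `file_type` only, although the file_contexts hunk of this commit places it under /data/misc/qsee; the neighbouring `diag_data_file` also carries `data_file_type`. If rules elsewhere in the policy are keyed on that attribute, they will not cover the new directory, so consider `type data_qsee_file, file_type, data_file_type;`. The removed `data_drm_file` had the same declaration, so this is carried over by the rename rather than newly introduced.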
diff --git a/common/file_contexts b/common/file_contexts
index 1b0489ca..02167aa4 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -208,7 +208,7 @@
/data/misc/display(/.*)? u:object_r:display_config:s0
/data/misc/ipa(/.*)? u:object_r:ipacm_data_file:s0
/data/dpm(/.*)? u:object_r:dpmd_data_file:s0
-/data/data/app_ms(/.*)? u:object_r:data_drm_file:s0
+/data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
diff --git a/common/qseecomd.te b/common/qseecomd.te
index de5810a3..cb81b097 100755
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -1,15 +1,16 @@
# tee starts as root, and drops privileges
-allow tee self:capability { setuid setgid dac_override };
+allow tee self:capability { setuid setgid dac_override sys_rawio };
-# Need to directly minipulate certain block devices
+# Need to directly manipulate certain block devices
# for anti-rollback protection
allow tee block_device:dir r_dir_perms;
-allow tee self:capability sys_rawio;
allow tee rpmb_device:blk_file rw_file_perms;
-# Allow qseecom complete access to /data/data/app_ms
-allow tee data_drm_file:dir create_dir_perms;
-allow tee data_drm_file:file create_file_perms;
+
+# Allow qseecom to qsee folder so that listeners can create
+# respective directories
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
allow tee system_data_file:dir r_dir_perms;
allow tee persist_file:dir r_dir_perms;
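Review bot: Folding `sys_rawio` into the first `allow tee self:capability` line leaves it under the comment "tee starts as root, and drops privileges", which explains setuid/setgid but not raw I/O; the anti-rollback comment that justified it now sits only over the `block_device` and `rpmb_device` rules. `sys_rawio` and `dac_override` are broad capabilities, so the rationale should stay attached to the line that grants them, e.g. `# sys_rawio: direct block-device access for anti-rollback protection (RPMB)`. The new comment over the `data_qsee_file` rules would also read more clearly as `# Allow qseecomd listeners to create their own directories and files under /data/misc/qsee`.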
@@ -30,3 +31,19 @@ allow tee firmware_file:file r_file_perms;
# allow qseecom access to time domain
allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file r_file_perms;
+allow tee graphics_device:dir r_dir_perms;
+
+binder_call(tee, surfaceflinger)
+binder_use(tee)
+
+allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+userdebug_or_eng(`
+ allow tee su:unix_dgram_socket sendto;
+ allow tee shell_data_file:file rw_file_perms;
+ allow tee shell_data_file:dir search;
+')
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 33f857d2..9c984ace 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -8,3 +8,4 @@ userdebug_or_eng(`
')
binder_call(surfaceflinger, location)
+binder_call(surfaceflinger, tee)
diff --git a/common/system_app.te b/common/system_app.te
index 7844edfb..0a4238a0 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -18,7 +18,11 @@ allow system_app cne_service:service_manager add;
userdebug_or_eng(`
allow system_app debugfs:file r_file_perms;
+ allow system_app su:unix_dgram_socket sendto;
')
allow system_app cnd_data_file:dir w_dir_perms;
allow system_app cnd_data_file:file create_file_perms;
allow system_app bluetooth:unix_stream_socket ioctl;
+
+# access to tee domain
+allow system_app tee:unix_dgram_socket sendto;
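Review bot: `allow system_app tee:unix_dgram_socket sendto;` applies to every app running in the `system_app` domain on all build types, and the comment "access to tee domain" does not say which app or which tee listener needs it. If only the secure UI client uses this socket, name it in the comment, e.g. `# secure UI client sends requests to the tee listener over a datagram socket` (confirm), so the rule can be scoped or removed when that client changes. The added `allow system_app su:unix_dgram_socket sendto;` inside `userdebug_or_eng` has no comment either; the file begins before this hunk and may continue after it.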