diff options
author | rpcraig <rpcraig@tycho.ncsc.mil> | 2012-08-13 06:09:39 -0400 |
---|---|---|
committer | rpcraig <rpcraig@tycho.ncsc.mil> | 2012-08-13 06:09:39 -0400 |
commit | e07b8a56b9ce87733024797018543c7faf7e6aa2 (patch) | |
tree | 93ed70a9ba0db23b8003a6b4da5684e48672e6e3 | |
parent | a1ce2fa2218a768823a7c39426983a248b6e4f50 (diff) | |
download | android_external_sepolicy-e07b8a56b9ce87733024797018543c7faf7e6aa2.tar.gz android_external_sepolicy-e07b8a56b9ce87733024797018543c7faf7e6aa2.tar.bz2 android_external_sepolicy-e07b8a56b9ce87733024797018543c7faf7e6aa2.zip |
Trusted Execution Environment policy.
-rw-r--r-- | drmserver.te | 1 | ||||
-rw-r--r-- | gpsd.te | 2 | ||||
-rw-r--r-- | keystore.te | 1 | ||||
-rw-r--r-- | mediaserver.te | 2 | ||||
-rw-r--r-- | tee.te | 13 |
5 files changed, 19 insertions, 0 deletions
diff --git a/drmserver.te b/drmserver.te index f30033a..63286d5 100644 --- a/drmserver.te +++ b/drmserver.te @@ -18,3 +18,4 @@ allow drmserver sdcard:dir search; allow drmserver drm_data_file:dir create_dir_perms; allow drmserver drm_data_file:file create_file_perms; allow drmserver self:{ tcp_socket udp_socket } *; +allow drmserver tee_device:chr_file rw_file_perms; @@ -12,3 +12,5 @@ type_transition gpsd gps_data_file:sock_file gps_socket; allow gpsd gps_socket:sock_file create_file_perms; # XXX Label sysfs files with a specific type? allow gpsd sysfs:file rw_file_perms; + +allow gpsd gps_device:chr_file rw_file_perms; diff --git a/keystore.te b/keystore.te index 6c4d610..20e7222 100644 --- a/keystore.te +++ b/keystore.te @@ -6,3 +6,4 @@ init_daemon_domain(keystore) allow keystore keystore_data_file:dir create_dir_perms; allow keystore keystore_data_file:notdevfile_class_set create_file_perms; allow keystore keystore_exec:file { getattr }; +allow keystore tee_device:chr_file rw_file_perms; diff --git a/mediaserver.te b/mediaserver.te index c8adf3a..e124db0 100644 --- a/mediaserver.te +++ b/mediaserver.te @@ -42,3 +42,5 @@ allow mediaserver qtaguid_proc:file rw_file_perms; allow mediaserver qtaguid_device:chr_file r_file_perms; # Allow abstract socket connection allow mediaserver rild:unix_stream_socket connectto; + +allow mediaserver tee_device:chr_file rw_file_perms; @@ -0,0 +1,13 @@ +## +# trusted execution environment (tee) daemon +# +type tee, domain; +type tee_exec, exec_type, file_type; +type tee_device, dev_type; +type tee_data_file, file_type, data_file_type; + +init_daemon_domain(tee) +allow tee self:capability { dac_override }; +allow tee tee_device:chr_file rw_file_perms; +allow tee tee_data_file:dir { getattr write add_name }; +allow tee tee_data_file:file create_file_perms; |