author | Hangyu Li <hangyu.li@amlogic.com> | 2020-11-09 10:53:24 (GMT) |
---|---|---|
committer | Hangyu Li <hangyu.li@amlogic.com> | 2020-11-10 02:38:30 (GMT) |
commit | 6e124081967bb8bf8b98769efd0c0aed3f040d5c (patch) | |
tree | fc82991d98271e5aba34a95b8d7b2edd52d3c563 | |
parent | 66056a85f091756396e8bf5d95e568b2214aa72f (diff) | |
rpmb: add sepolicy for tee access rpmb device [1/1]
PD#SWPL-36250
Problem:
kernel v5.4 exposes the rpmb device node as /dev/mmcblk1rpmb,
so tee could not access the rpmb device when selinux was enforcing
Solution:
add sepolicy so that tee can access the rpmb device
Verify:
Android R + ohm
Change-Id: Ifa3eb1a357333e3eba31bf59d0182a54e833bcd0
Signed-off-by: Hangyu Li <hangyu.li@amlogic.com>
-rw-r--r-- | sepolicy/device.te | 1 | ||||
-rw-r--r-- | sepolicy/file_contexts | 1 | ||||
-rw-r--r-- | sepolicy/tee.te | 3 |
3 files changed, 5 insertions, 0 deletions
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 173dc59..2e29824 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -47,6 +47,7 @@ type hidraw_device, dev_type;
 type vbi_device, dev_type;
 type hidraw_audio_device, dev_type;
 type media_device, dev_type;
+type rpmb_device, dev_type;
 typeattribute product_block_device super_block_device_type;
 typeattribute odm_block_device super_block_device_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index fa8f00b..2b31c18 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -70,6 +70,7 @@
 /dev/block/mmcblk[0-9] u:object_r:sda_block_device:s0
 /dev/block/mmcblk[0-9]p(.*) u:object_r:sda_block_device:s0
 /dev/block/mmcblk[0-9]rpmb u:object_r:sda_block_device:s0
+/dev/mmcblk[0-9]rpmb u:object_r:rpmb_device:s0
 /dev/block/frp u:object_r:frp_block_device:s0
 /dev/block/by-name/frp u:object_r:frp_block_device:s0
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 205f4fe..b03ec8c 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -2,8 +2,10 @@ allow tee self:capability { sys_rawio };
 allow tee sysfs_xbmc:file { read open };
 allow tee block_device:dir { open read search};
 allow tee sda_block_device:blk_file rw_file_perms;
+allow tee rpmb_device:chr_file rw_file_perms;
 allowxperm tee sda_block_device:blk_file ioctl { MMC_IOC_CMD MMC_IOC_MULTI_CMD };
+allowxperm tee rpmb_device:chr_file ioctl { MMC_IOC_CMD MMC_IOC_MULTI_CMD };
 allow tee drm_device:chr_file rw_file_perms;
 allow tee tee_vendor_file:dir { add_name write create ioctl remove_name open read rmdir getattr search };
@@ -12,6 +14,7 @@ allow tee tee_vendor_file:file { write create open unlink link read rename };
 allow tee system_data_file:file read;
 allow tee sda_block_device:blk_file ioctl;
+allow tee rpmb_device:chr_file ioctl;
 allow tee mnt_vendor_file:dir { add_name create remove_name write };
 allow tee mnt_vendor_file:file { create open read rename write unlink link getattr };
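Review bot: `allow tee rpmb_device:chr_file ioctl;` in the second tee.te hunk looks redundant with `allow tee rpmb_device:chr_file rw_file_perms;` added in the first hunk, since in AOSP's global_macros `r_file_perms` already carries `ioctl` (the macro is defined outside this diff, so confirm against this tree's copy); it mirrors the pre-existing duplicate for `sda_block_device`, but the new line could simply be dropped. Giving the new node its own `rpmb_device` type and pinning it with `allowxperm` to `MMC_IOC_CMD`/`MMC_IOC_MULTI_CMD` is the right least-privilege shape; note, however, that the legacy `/dev/block/mmcblk[0-9]rpmb` entry in file_contexts still carries `sda_block_device`, the same label as the whole eMMC device and every `p(.*)` partition, so tee keeps raw read/write plus MMC ioctl on all of them. If the tee only needs RPMB, consider relabeling that entry `/dev/block/mmcblk[0-9]rpmb u:object_r:rpmb_device:s0` (adding the matching `blk_file` rules) so the broad `sda_block_device` grants to tee can be retired in a follow-up. The `[0-9]` pattern also matches only single-digit host numbers, which is consistent with the neighbouring entries but worth keeping in mind if a device ever enumerates `mmcblk10`.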