sepolicy: allow gatekeeperd to access firmware_files (ex. kmota)
The proprietary Qualcomm library /vendor/lib/hw/gatekeeper.<soc>.so and
its 64-bit counterpart attempt to open firmware images such as kmota.mdt
and keymaste.mdt. Although we don't have visibility in the details of
exactly why these images are being opened (perhaps only checking for their
presence?), the Qualcomm gatekeeper library is trusted to be responsible,
and so we comply with it's demands for access to the (normally read-only)
/firmware filesystem.
Change-Id: I2c88cc8884cf78f5bdcc9af2bce5f2dfa80f3fe0
diff --git a/common/gatekeeperd.te b/common/gatekeeperd.te
new file mode 100644
index 0000000..00a32af
--- /dev/null
+++ b/common/gatekeeperd.te
@@ -0,0 +1,2 @@
+# allow gatekeeperd to open firmware images (ex. kmota)
+r_dir_file(gatekeeperd, firmware_file)