sepolicy: Update policy for secure components
Playready stores license under /data/data/app_ms. All TZ apps including
Playready would create their own directory under /data/misc/qsee.
To get test apps working with older dir structure, userdebug mode
build would have permission to create directories under /data/data.
Test apps based on newer targets must move to new structure.
Also add policies for secureUI.
Change-Id: Ibc4412ca9e8e065d54263bb46333bd223dfb553d
diff --git a/Android.mk b/Android.mk
index 6dd7185..8f2e7e1 100644
--- a/Android.mk
+++ b/Android.mk
@@ -98,4 +98,5 @@
BOARD_SEPOLICY_UNION += sensors.te
BOARD_SEPOLICY_UNION += sensors_test.te
#endif
+
endif
diff --git a/apq8084/Android.mk b/apq8084/Android.mk
index c750eef..4447397 100644
--- a/apq8084/Android.mk
+++ b/apq8084/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
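Review bot: `BOARD_SEPOLICY_UNION += \` ends in a line continuation with nothing after it, so the variable receives an empty value and the per-target qseecomd.te this commit adds is never named in the union; unless a makefile outside this diff lists it, those rules will not be compiled into the policy. Targets that gain the file presumably need `BOARD_SEPOLICY_UNION += qseecomd.te`, and the targets that gain nothing (mpq8092, msm8916, msm8939, msm8994) could drop the assignment entirely. The same change appears in mpq8064, mpq8092, msm8916, msm8939, msm8960, msm8974, msm8994, msm8x10 and msm8x26; the last two also carry a leading space before the variable name. Dropping BOARD_SEPOLICY_DIRS here assumes the platform directory is registered elsewhere, which is not visible in this diff and worth confirming.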
diff --git a/apq8084/qseecomd.te b/apq8084/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/apq8084/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ # Playready should be able to create/delete dir under /data/data
+ # Securemm should be able to create/delete dir under /data/misc
+ allow tee system_data_file:dir create_dir_perms;
+ allow tee system_data_file:file create_file_perms;
+')
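Review bot: `allow tee system_data_file:dir create_dir_perms;` lets the TEE daemon create, rename and remove directories anywhere carrying the generic /data label, well beyond the /data/data/app_ms path the comment describes; a dedicated type for the legacy path, as data_drm_file was, would keep even this debug-only grant scoped to that tree. The second comment line mentions Securemm under /data/misc, which the common policy now handles through data_qsee_file, so it reads as stale. This file is copied byte for byte into mpq8064, msm8960, msm8974, msm8x10 and msm8x26; a single shared file pulled in per target would keep the six copies from drifting.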
diff --git a/common/file.te b/common/file.te
index 7af3c98..622f6d8 100644
--- a/common/file.te
+++ b/common/file.te
@@ -26,7 +26,7 @@
type persist_file, file_type;
type persist_data_file, file_type;
type persist_drm_file, file_type;
-type data_drm_file, file_type;
+type data_qsee_file, file_type;
type diag_data_file, file_type, data_file_type;
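Review bot: `type data_qsee_file, file_type;` omits the `data_file_type` attribute that the adjacent `diag_data_file` line carries, even though the new type labels a tree under /data/misc; `type data_qsee_file, file_type, data_file_type;` would bring it under the rules and neverallows keyed on that attribute. The removed data_drm_file also lacked it, so this is inherited rather than introduced here. If any policy file outside this diff still references data_drm_file, replacing the type instead of keeping both will fail policy compilation; that cannot be verified from this hunk.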
diff --git a/common/file_contexts b/common/file_contexts
index 1b0489c..02167aa 100755
--- a/common/file_contexts
+++ b/common/file_contexts
@@ -208,7 +208,7 @@
/data/misc/display(/.*)? u:object_r:display_config:s0
/data/misc/ipa(/.*)? u:object_r:ipacm_data_file:s0
/data/dpm(/.*)? u:object_r:dpmd_data_file:s0
-/data/data/app_ms(/.*)? u:object_r:data_drm_file:s0
+/data/misc/qsee(/.*)? u:object_r:data_qsee_file:s0
/data/misc/location(/.*)? u:object_r:location_data_file:s0
/data/FTM_AP(/.*)? u:object_r:mmi_data_file:s0
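Review bot: Dropping the `/data/data/app_ms(/.*)?` entry leaves an existing app_ms directory on upgraded devices to be relabelled to the /data/data default on the next restorecon, after which tee on user builds — which keeps only read access to system_data_file in common/qseecomd.te — presumably can no longer write a license store left there. If existing licenses are expected to migrate to /data/misc/qsee, a comment at the new entry saying so would make the intent clear; if not, the commit message should state that user-build devices lose access to the old path.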
diff --git a/common/qseecomd.te b/common/qseecomd.te
index de5810a..cb81b09 100755
--- a/common/qseecomd.te
+++ b/common/qseecomd.te
@@ -1,15 +1,16 @@
# tee starts as root, and drops privileges
-allow tee self:capability { setuid setgid dac_override };
+allow tee self:capability { setuid setgid dac_override sys_rawio };
-# Need to directly minipulate certain block devices
+# Need to directly manipulate certain block devices
# for anti-rollback protection
allow tee block_device:dir r_dir_perms;
-allow tee self:capability sys_rawio;
allow tee rpmb_device:blk_file rw_file_perms;
-# Allow qseecom complete access to /data/data/app_ms
-allow tee data_drm_file:dir create_dir_perms;
-allow tee data_drm_file:file create_file_perms;
+
+# Allow qseecom to qsee folder so that listeners can create
+# respective directories
+allow tee data_qsee_file:dir create_dir_perms;
+allow tee data_qsee_file:file create_file_perms;
allow tee system_data_file:dir r_dir_perms;
allow tee persist_file:dir r_dir_perms;
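Review bot: Nothing in this hunk creates or labels /data/misc/qsee itself: tee keeps only `allow tee system_data_file:dir r_dir_perms;` on the /data/misc parent, so on user builds it cannot mkdir the directory, and a directory it did create would inherit the parent's label rather than data_qsee_file. Presumably an init .rc `mkdir /data/misc/qsee` (which applies file_contexts) is relied upon; if so, a comment above the new rules saying so would spare the next reader the search. The comment `# Allow qseecom to qsee folder so that listeners can create` is missing its verb — `# Allow qseecom access to the qsee folder so that listeners can create their respective directories`.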
@@ -30,3 +31,19 @@
# allow qseecom access to time domain
allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file r_file_perms;
+allow tee graphics_device:dir r_dir_perms;
+
+binder_call(tee, surfaceflinger)
+binder_use(tee)
+
+allow tee system_app:unix_dgram_socket sendto;
+unix_socket_connect(tee, property, init)
+
+userdebug_or_eng(`
+ allow tee su:unix_dgram_socket sendto;
+ allow tee shell_data_file:file rw_file_perms;
+ allow tee shell_data_file:dir search;
+')
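Review bot: `unix_socket_connect(tee, property, init)` on its own only lets tee reach the property service socket; without a matching `allow tee <prop_type>:property_service set;` (what the `set_prop` macro bundles), no property can actually be set, so either a rule is missing or the connect is unnecessary — none is visible in this file. The userdebug block gives the TEE daemon `rw_file_perms` on `shell_data_file`, i.e. files writable from an adb shell; a comment naming the test flow that needs it would help keep that grant debug-only, for example `# <test flow> exchanges test vectors via /data/local/tmp on debug builds only`.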
diff --git a/common/surfaceflinger.te b/common/surfaceflinger.te
index 33f857d..9c984ac 100644
--- a/common/surfaceflinger.te
+++ b/common/surfaceflinger.te
@@ -8,3 +8,4 @@
')
binder_call(surfaceflinger, location)
+binder_call(surfaceflinger, tee)
diff --git a/common/system_app.te b/common/system_app.te
index 7844edf..0a4238a 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -18,7 +18,11 @@
userdebug_or_eng(`
allow system_app debugfs:file r_file_perms;
+ allow system_app su:unix_dgram_socket sendto;
')
allow system_app cnd_data_file:dir w_dir_perms;
allow system_app cnd_data_file:file create_file_perms;
allow system_app bluetooth:unix_stream_socket ioctl;
+
+# access to tee domain
+allow system_app tee:unix_dgram_socket sendto;
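Review bot: `allow system_app tee:unix_dgram_socket sendto;` (and the userdebug `su` variant above) only authorizes the send to the peer domain; if the datagram socket is bound to a filesystem path, system_app also needs `write` on that sock_file type, and no such rule appears in this diff — it may exist elsewhere, but a comment naming the socket would make the pairing with the reverse `allow tee system_app:unix_dgram_socket sendto;` in qseecomd.te easier to audit. The added `allow system_app su:unix_dgram_socket sendto;` is indented with a leading space while the existing line in the same block is not.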
diff --git a/mpq8064/Android.mk b/mpq8064/Android.mk
index c750eef..4447397 100644
--- a/mpq8064/Android.mk
+++ b/mpq8064/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/mpq8064/qseecomd.te b/mpq8064/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/mpq8064/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ # Playready should be able to create/delete dir under /data/data
+ # Securemm should be able to create/delete dir under /data/misc
+ allow tee system_data_file:dir create_dir_perms;
+ allow tee system_data_file:file create_file_perms;
+')
diff --git a/mpq8092/Android.mk b/mpq8092/Android.mk
index c750eef..4447397 100644
--- a/mpq8092/Android.mk
+++ b/mpq8092/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8916/Android.mk b/msm8916/Android.mk
index c750eef..4447397 100644
--- a/msm8916/Android.mk
+++ b/msm8916/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8939/Android.mk b/msm8939/Android.mk
index c750eef..4447397 100644
--- a/msm8939/Android.mk
+++ b/msm8939/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8960/Android.mk b/msm8960/Android.mk
index c750eef..4447397 100644
--- a/msm8960/Android.mk
+++ b/msm8960/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8960/qseecomd.te b/msm8960/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8960/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ # Playready should be able to create/delete dir under /data/data
+ # Securemm should be able to create/delete dir under /data/misc
+ allow tee system_data_file:dir create_dir_perms;
+ allow tee system_data_file:file create_file_perms;
+')
diff --git a/msm8974/Android.mk b/msm8974/Android.mk
index c750eef..4447397 100644
--- a/msm8974/Android.mk
+++ b/msm8974/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8974/qseecomd.te b/msm8974/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8974/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ # Playready should be able to create/delete dir under /data/data
+ # Securemm should be able to create/delete dir under /data/misc
+ allow tee system_data_file:dir create_dir_perms;
+ allow tee system_data_file:file create_file_perms;
+')
diff --git a/msm8994/Android.mk b/msm8994/Android.mk
index c750eef..4447397 100644
--- a/msm8994/Android.mk
+++ b/msm8994/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+BOARD_SEPOLICY_UNION += \
diff --git a/msm8x10/Android.mk b/msm8x10/Android.mk
index c750eef..09bbd96 100644
--- a/msm8x10/Android.mk
+++ b/msm8x10/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+ BOARD_SEPOLICY_UNION += \
diff --git a/msm8x10/qseecomd.te b/msm8x10/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8x10/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ # Playready should be able to create/delete dir under /data/data
+ # Securemm should be able to create/delete dir under /data/misc
+ allow tee system_data_file:dir create_dir_perms;
+ allow tee system_data_file:file create_file_perms;
+')
diff --git a/msm8x26/Android.mk b/msm8x26/Android.mk
index c750eef..09bbd96 100644
--- a/msm8x26/Android.mk
+++ b/msm8x26/Android.mk
@@ -1,2 +1 @@
-BOARD_SEPOLICY_DIRS := \
- device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
\ No newline at end of file
+ BOARD_SEPOLICY_UNION += \
diff --git a/msm8x26/qseecomd.te b/msm8x26/qseecomd.te
new file mode 100644
index 0000000..049367c
--- /dev/null
+++ b/msm8x26/qseecomd.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ # Playready should be able to create/delete dir under /data/data
+ # Securemm should be able to create/delete dir under /data/misc
+ allow tee system_data_file:dir create_dir_perms;
+ allow tee system_data_file:file create_file_perms;
+')
diff --git a/test/sectest.te b/test/sectest.te
old mode 100644
new mode 100755
index 97c8a8b..e248a61
--- a/test/sectest.te
+++ b/test/sectest.te
@@ -9,4 +9,14 @@
allow sectest persist_drm_file:dir create_dir_perms;
allow sectest persist_drm_file:file create_file_perms;
allow sectest tee_device:chr_file rw_file_perms;
+
+ # Allow qseecom to qsee folder so that listeners can create
+ # respective directories
+ allow sectest data_qsee_file:dir create_dir_perms;
+ allow sectest data_qsee_file:file create_file_perms;
+ allow sectest system_data_file:dir r_dir_perms;
+
+ # Allow secure apps to access /data for older targets
+ allow sectest system_data_file:dir create_dir_perms;
+ allow sectest system_data_file:file create_file_perms;
')
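Review bot: `allow sectest system_data_file:dir create_dir_perms;` makes the preceding `allow sectest system_data_file:dir r_dir_perms;` redundant, since create_dir_perms already includes the read and search permissions; keep one. The grant is also much broader than the legacy /data/data path the comment names — it covers every directory with the generic /data label — so a dedicated type for the legacy tree would scope it better even inside the userdebug_or_eng block, whose opening lies outside this hunk. The comment block is copied from qseecomd.te and still says `Allow qseecom`, although the subject here is sectest; the mode change to 100755 on a policy source file also looks unintended.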