From aaaafebf1c6b1d86ca31dfea04d9e1de8620363e Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep
Date: Thu, 29 Jun 2017 15:41:11 -0700
Subject: [PATCH] Allow qseecomd to write to persist_data

Needed for drm.

avc: denied { read } for comm="qseecomd" name="/" dev="sdd3" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
avc: denied { open } for comm="qseecomd" path="/persist" dev="sdd3" scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
avc: denied { write } for comm="qseecomd" name="widevine" dev="sdd3" ino=97 scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir
avc: denied { add_name } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1
avc: denied { create } for comm="qseecomd scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1
avc: denied { write } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1:persist_file:s0 tclass=dir permissive=1
avc: denied { open } scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir permissive=1
avc: denied { write } for comm="qseecomd" name="widevine" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1
avc: denied { add_name } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=dir permissive=1
avc: denied { create } for comm="qseecomd" scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1
avc: denied { write } scontext=u:r:tee:s0 tcontext=u:object_r:persist_data_file:s0 tclass=file permissive=1

Bug: 63051358
Test: build
Change-Id: I28bd0cd816720a85fc840890a74929939366de6d
---
 sepolicy/vendor/tee.te | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
index 32f7b32a..0ddf90ff 100644
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -10,11 +10,11 @@ allow tee block_device:dir { getattr search };
 allow tee ssd_block_device:blk_file rw_file_perms;
 allow tee sg_device:chr_file { rw_file_perms setattr };
-r_dir_file(tee, persist_data_file)
-
-allow tee persist_file:dir search;
+allow tee persist_file:dir r_dir_perms;
 allow tee persist_drm_file:dir create_dir_perms;
 allow tee persist_drm_file:file create_file_perms;
+allow tee persist_data_file:dir create_dir_perms;
+allow tee persist_data_file:file create_file_perms;
 allow tee system_data_file:dir r_dir_perms;