Adding sg_device and allow rules to tee.te

There was a generic character file device that needed to be given its
own device type. According to the following denial, tee was given
several permissions to access this type.

avc: denied { ioctl write setattr read } for pid=733 comm="qseecomd"
name="sg2" dev="tmpfs" ino=21736 scontext=u:r:tee:s0
tcontext=u:object_r:sg_device:s0 tclass=chr_file

According to the following denial type, tee was also given access actions
relating to tee capabilities.

avc: denied { sys_admin } for pid=733 comm="qseecomd" capability=21
scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability

Bug: 34784662
Test: The above denials no longer appear in bootup logs
Change-Id: I26a63655597191da566f1ed1e290c6572abb0476
Max Bires
2017-02-07 12:43:55 -08:00
parent ba8687dbdd
commit 4e84fa0008
3 changed files with 6 additions and 1 deletion
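As an added example, not part of this commit or of Android's policy tooling, a small script that turns avc denials like the two quoted in the commit message into the literal allow rules that would silence them, and flags the ones a reviewer should look at twice: broad capabilities and unrestricted ioctl access on a device node. The sample input is the two denials from the commit message joined onto one line each, as the kernel log prints them; BROAD_CAPS and the warning wording are my own choices, and the generated rules use the raw permission set rather than the rw_file_perms macro this commit uses.

```python
import re

# Constructed sample input: the two denials quoted in the commit message,
# each joined onto one line as it appears in the kernel log.
DENIALS = """\
avc: denied { ioctl write setattr read } for pid=733 comm="qseecomd" name="sg2" dev="tmpfs" ino=21736 scontext=u:r:tee:s0 tcontext=u:object_r:sg_device:s0 tclass=chr_file
avc: denied { sys_admin } for pid=733 comm="qseecomd" capability=21 scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")

# Capabilities broad enough that a reviewer should ask for a written justification
# before granting them (my own list, not one defined by Android policy).
BROAD_CAPS = {"sys_admin", "sys_rawio", "sys_module", "sys_ptrace",
              "dac_override", "dac_read_search"}

def parse_denial(line):
    """Return source type, target type, class and sorted permissions of one denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    # u:r:tee:s0 -> tee ; u:object_r:sg_device:s0 -> sg_device
    return {"source": m.group("scontext").split(":")[2],
            "target": m.group("tcontext").split(":")[2],
            "tclass": m.group("tclass"),
            "perms": sorted(m.group("perms").split())}

def to_allow_rule(d):
    """Build the minimal allow rule that would silence this denial."""
    target = "self" if d["source"] == d["target"] else d["target"]
    return "allow %s %s:%s { %s };" % (d["source"], target, d["tclass"], " ".join(d["perms"]))

def review(log_text):
    """Turn every denial in log_text into a rule and collect reviewer warnings."""
    rules, warnings = [], []
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        rules.append(to_allow_rule(d))
        if d["tclass"] == "capability":
            warnings += ["%s: capability %s is broad, justify or narrow it" % (d["source"], c)
                         for c in d["perms"] if c in BROAD_CAPS]
        elif d["tclass"] in ("chr_file", "blk_file") and "ioctl" in d["perms"]:
            warnings.append("%s on %s: restrict ioctl with an allowxperm rule" % (d["source"], d["target"]))
    return rules, warnings
```

Running review(DENIALS) yields the two allow rules plus one warning for each denial, which is the same review result a human would reach reading the tee.te hunk below.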


@@ -12,3 +12,4 @@ type avtimer_device, dev_type;
type ssr_device, dev_type;
type ramdump_device, dev_type;
type hbtp_device, dev_type;
type sg_device, dev_type;


@@ -25,6 +25,7 @@
/dev/ramdump_.* u:object_r:ramdump_device:s0
/dev/hbtp_input u:object_r:hbtp_device:s0
/dev/hbtp_vm u:object_r:hbtp_device:s0
/dev/sg[0-9]+ u:object_r:sg_device:s0
# dev socket nodes
/dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
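Review bot: the new pattern `/dev/sg[0-9]+ u:object_r:sg_device:s0` is anchored like every file_contexts entry, so it only relabels nodes created directly under /dev with that name; a node ueventd creates under another path, or a symlink pointing at it, keeps the generic label and the tee rules will not apply. A short comment above the line naming the device (the sg2 node from the denial) and the process that needs it would also help, since the entry sits between unrelated hbtp entries and the `# dev socket nodes` comment.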


@@ -1,3 +1,6 @@
allow tee self:capability { chown setgid setuid sys_admin sys_rawio };
allow tee device:dir r_dir_perms;
allow tee block_device:dir { getattr search};
allow tee block_device:dir { getattr search };
allow tee sg_device:chr_file { rw_file_perms setattr };
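Review bot: `rw_file_perms` on `sg_device:chr_file` grants every ioctl on the SCSI generic node, while the denial only lists `ioctl write setattr read` and the commit message justifies only `sys_admin`, not the `sys_rawio` that also appears in the capability line. Consider pairing the chr_file rule with an `allowxperm tee sg_device:chr_file ioctl { ... }` listing the ioctl numbers qseecomd actually issues (ioctl whitelisting has been available in Android policy since N), and add a comment stating why CAP_SYS_ADMIN is required rather than a narrower capability. The `{ getattr search}` to `{ getattr search }` whitespace fix on the block_device line is unrelated to this change and would be cleaner in its own commit.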