From 4e84fa0008f6fa47f8e64ddb2c973bfaf9052e36 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Tue, 7 Feb 2017 12:43:55 -0800
Subject: [PATCH] Adding sg_device and allow rules to tee.te

There was a generic character file device that needed to be given its own device type. Accordingly to the following denial, tee was given several permissions to access this type

avc: denied { ioctl write setattr read } for pid=733 comm="qseecomd" name="sg2" dev="tmpfs" ino=21736 scontext=u:r:tee:s0 tcontext=u:object_r:sg_device:s0 tclass=chr_file

According to the following denial type, tee was also given access actions relating to tee capabilities

avc: denied { sys_admin } for pid=733 comm="qseecomd" capability=21 scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability

Bug: 34784662
Test: The above denials no longer appear in bootup logs
Change-Id: I26a63655597191da566f1ed1e290c6572abb0476
---
 sepolicy/device.te | 1 +
 sepolicy/file_contexts | 1 +
 sepolicy/tee.te | 5 ++++-
 3 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/sepolicy/device.te b/sepolicy/device.te
index 694bb58..216a165 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -12,3 +12,4 @@ type avtimer_device, dev_type;
 type ssr_device, dev_type;
 type ramdump_device, dev_type;
 type hbtp_device, dev_type;
+type sg_device, dev_type;
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index bdfb797..1e6bbc7 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -25,6 +25,7 @@
 /dev/ramdump_.* u:object_r:ramdump_device:s0
 /dev/hbtp_input u:object_r:hbtp_device:s0
 /dev/hbtp_vm u:object_r:hbtp_device:s0
+/dev/sg[0-9]+ u:object_r:sg_device:s0
 
 # dev socket nodes
 /dev/socket/qmux_audio(/.*)? u:object_r:qmuxd_socket:s0
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index de44b9d..521fa27 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
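Review bot: The new file_contexts entry `/dev/sg[0-9]+` labels every SCSI generic node as sg_device, while the denial quoted in the commit message names only sg2, so any other sg node the kernel creates (including ones that appear after boot, if this platform exposes them) also becomes reachable by tee through the chr_file rule added in tee.te. If qseecomd only needs the one node, a narrower entry such as `/dev/sg2 u:object_r:sg_device:s0` keeps the label to what was observed; if the whole class is intended, a comment above the line, `# SCSI generic nodes opened by qseecomd (tee); see bug 34784662`, would record that decision for the next reader.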
@@ -1,3 +1,6 @@
+allow tee self:capability { chown setgid setuid sys_admin sys_rawio };
+
 allow tee device:dir r_dir_perms;
-allow tee block_device:dir { getattr search};
+allow tee block_device:dir { getattr search };
+allow tee sg_device:chr_file { rw_file_perms setattr };
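Review bot: The added capability line grants chown, setgid, setuid and sys_rawio as well as sys_admin, but the only capability denial quoted in the commit message is for sys_admin (capability=21), so four of the five permissions are not explained by the stated test. sys_admin and sys_rawio are broad capabilities for a domain that, on the last added line, also receives rw_file_perms on every sg_device chr_file; each capability should be traced to an observed denial, or the rule reduced to `allow tee self:capability sys_admin;` and widened only when a further denial appears. A comment above the rule citing its origin, `# qseecomd: sys_admin denial on boot, bug 34784662`, would let a later reviewer tell justified permissions from speculative ones. The hunk header (-1,3 +1,6) implies one more context line than is visible here, so the end of the hunk is not in view.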