# Policy for the tee domain. Every rule below widens what tee may do; the
# comments state what each rule grants so later edits can be judged against
# least privilege.

# Linux capabilities tee may use on itself.
# NOTE(review): sys_rawio and sys_admin are very broad capabilities; confirm
# that each capability listed here is still required by the current daemon.
allow tee self:capability { chown setgid setuid sys_rawio sys_admin };

# scan SCSI devices: list /dev and open/read/write/ioctl/setattr the SCSI
# generic (sg) character devices.
allow tee device:dir r_dir_perms;
allow tee sg_device:chr_file { ioctl open read setattr write };

# access to ssd partition for HW FDE: raw open/read/write on the ssd block
# device (no ioctl is granted by this rule).
allow tee block_device:dir r_dir_perms;
allow tee ssd_block_device:blk_file { open read write };

# Set the sys.listeners.registered property
# NOTE(review): system_prop is wider than the single property named above;
# confirm whether a narrower property context exists for it.
set_prop(tee, system_prop)

# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
# tee no longer directly accesses /data owned by the frameworks.
# The attribute marks tee as a known exception to the core/vendor split;
# presumably the system_data_file and fingerprintd_data_file rules below are
# the accesses it covers — verify before removing it.
typeattribute tee data_between_core_and_vendor_violators;
allow tee system_data_file:dir r_dir_perms;
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;

# /persist: read-only access to persist_file via r_dir_file, plus create/write
# access under persist_data_file.
r_dir_file(tee, persist_file)
allow tee persist_data_file:dir create_dir_perms;
allow tee persist_data_file:file create_file_perms;