      1 allow tee drm_block_device:blk_file rw_file_perms;
      2 
      3 # tee starts as root, and drops privileges
      4 allow tee self:capability { setuid setgid };
      5 
      6 # Need to directly minipulate certain block devices
      7 # for anti-rollback protection
      8 allow tee block_device:dir search;
      9 allow tee self:capability sys_rawio;
     10 allow tee drm_block_device:blk_file rw_file_perms;
     11 
     12 allow tee persist_file:dir r_dir_perms;
     13 r_dir_file(tee, persist_data_file)
     14 # Write to drm related pieces of persist partition
     15 allow tee persist_drm_file:dir create_dir_perms;
     16 allow tee persist_drm_file:file create_file_perms;
     17