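# SELinux policy for the `tee` domain (the trusted-execution-environment
# daemon; the qseecomtee_prop reference below suggests a Qualcomm QSEE
# based device, but this file does not say so explicitly).
#
# Security notes for reviewers: this domain gets raw read/write access to
# two block device types and the sys_rawio capability, so every rule here
# should stay scoped to the named types rather than being widened to the
# generic block_device / device types.

# tee starts as root, and drops privileges.
# NOTE(review): sys_rawio is much broader than what dropping privileges
# needs (it allows raw I/O on block devices and, with setuid/setgid, is not
# bounded by the privilege drop). It is presumably required for the raw
# RPMB / SCSI generic ioctls referred to below — confirm with the daemon's
# source and remove it if a narrower permission suffices.
allow tee self:capability { setuid setgid sys_rawio };

# Raw partition access. rw_file_perms on a blk_file bypasses any filesystem
# permissions, so only the two specific partition types are listed; do not
# generalize this to block_device:blk_file.
allow tee block_device:dir r_dir_perms;
allow tee drm_block_device:blk_file rw_file_perms;
allow tee ssd_block_device:blk_file rw_file_perms;

# Need to figure out how many scsi generic devices are present
# before being able to identify which one is the rpmb device.
# This only allows listing /dev; the rule granting access to the sg node
# itself is not in this file.
allow tee device:dir r_dir_perms;

# allow tee to load firmware images (read-only)
allow tee firmware_file:dir r_dir_perms;
allow tee firmware_file:file r_file_perms;

# Read access to persist_data_file. The dir/file parts of this macro are a
# subset of the create_*_perms rules further down; it is kept because the
# macro additionally grants read on lnk_file, which those rules do not.
r_dir_file(tee, persist_data_file)

allow tee persist_file:dir r_dir_perms;

# Write to drm related pieces of persist partition
allow tee persist_drm_file:dir create_dir_perms;
allow tee persist_drm_file:file create_file_perms;

# allow tee to create/modify persist_data_file contents
allow tee persist_data_file:dir create_dir_perms;
allow tee persist_data_file:file create_file_perms;

# allow tee to operate tee device
allow tee tee_device:chr_file rw_file_perms;

# allow tee access for secure UI to work (read-only on the graphics node)
allow tee graphics_device:chr_file r_file_perms;
allow tee graphics_device:dir r_dir_perms;

set_prop(tee, qseecomtee_prop)

# Binder: tee calls into surfaceflinger (secure UI) and can use binder itself.
binder_call(tee, surfaceflinger)
binder_use(tee)

# NOTE(review): sending on a system_app datagram socket; presumably the
# socket is handed to tee by the app (e.g. over binder) — confirm the
# source of the fd and that system_app is the narrowest appropriate type.
allow tee system_app:unix_dgram_socket sendto;

allow tee time_daemon:unix_stream_socket connectto;

# allow tee to list directories on the data partition. Directory search/
# read only; no system_data_file:file access is granted here.
allow tee system_data_file:dir r_dir_perms;

# fingerprint (HAL): tee writes fingerprint template data. Keep this limited
# to fingerprintd_data_file; the dir rule does not include create/rmdir of
# the directory itself.
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;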