From 8f11b8ddeb2541a51e2b5c948630aac8f865d5a3 Mon Sep 17 00:00:00 2001
From: Ravichandra Appegowda
Date: Wed, 4 Dec 2024 11:16:35 +0000
Subject: [PATCH] trusty: sepolicy for mock rpmb
Enabling mock rpmb module sepolicy which is required for creating of the creation of mock RPMB in /data on boot up.
Tests Done:
1. Boot the device in MTL nuc.
2. storageproxyd service is running.
Tracked-On: OAM-128292
Signed-off-by: Ravichandra Appegowda
---
 tee/trusty/mock_rpmb/file.te | 1 +
 tee/trusty/mock_rpmb/file_contexts | 4 ++++
 tee/trusty/mock_rpmb/init.te | 1 +
 tee/trusty/mock_rpmb/rpmb_dev_mock_exec.te | 10 ++++++++++
 tee/trusty/mock_rpmb/tee.te | 4 ++++
 tee/trusty/property.te | 2 ++
 tee/trusty/property_contexts | 2 ++
 tee/trusty/tee.te | 1 +
 8 files changed, 25 insertions(+)
 create mode 100644 tee/trusty/mock_rpmb/file.te
 create mode 100644 tee/trusty/mock_rpmb/file_contexts
 create mode 100644 tee/trusty/mock_rpmb/init.te
 create mode 100644 tee/trusty/mock_rpmb/rpmb_dev_mock_exec.te
 create mode 100644 tee/trusty/mock_rpmb/tee.te
 create mode 100644 tee/trusty/property.te
 create mode 100644 tee/trusty/property_contexts
diff --git a/tee/trusty/mock_rpmb/file.te b/tee/trusty/mock_rpmb/file.te
new file mode 100644
index 00000000..42d3878c
--- /dev/null
+++ b/tee/trusty/mock_rpmb/file.te
@@ -0,0 +1 @@
+type rpmb_mock_data_file, file_type, data_file_type;
diff --git a/tee/trusty/mock_rpmb/file_contexts b/tee/trusty/mock_rpmb/file_contexts
new file mode 100644
index 00000000..5a938893
--- /dev/null
+++ b/tee/trusty/mock_rpmb/file_contexts
@@ -0,0 +1,4 @@
+# RPMB Mock
+/vendor/bin/rpmb_dev u:object_r:rpmb_dev_mock_exec:s0
+/data/vendor/ss(/.*)? u:object_r:rpmb_mock_data_file:s0
+
diff --git a/tee/trusty/mock_rpmb/init.te b/tee/trusty/mock_rpmb/init.te
new file mode 100644
index 00000000..feed77e3
--- /dev/null
+++ b/tee/trusty/mock_rpmb/init.te
@@ -0,0 +1 @@
+allow init socket_device:sock_file create_file_perms;
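Review bot: Nothing in this file_contexts labels the socket that tee connects to, so (assuming it is created under /dev/socket — the init.rc declaring it is not in this patch) it keeps the generic socket_device label, and `allow init socket_device:sock_file create_file_perms;` in mock_rpmb/init.te together with `allow tee socket_device:sock_file rw_file_perms;` in mock_rpmb/tee.te become grants over every socket file in /dev/socket instead of just the mock RPMB one. Declare a dedicated sock_file type and label the socket path here, e.g. `/dev/socket/<MOCK_RPMB_SOCKET_NAME>  u:object_r:<DEDICATED_SOCK_FILE_TYPE>:s0` (placeholders), then scope the init and tee rules to that type. The `# RPMB Mock` comment should also say which daemon owns `/data/vendor/ss`, since the rules touching rpmb_mock_data_file are split between tee and the commented-out rpmb_dev_mock lines.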
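Review bot: The new init rule sits in what the diffstat shows as vendor-side policy (tee/trusty/…), and adding allow rules to init, a core domain, from vendor policy is the kind of change the Treble sepolicy compatibility checks tend to reject; it is also unusual, since a service socket declared with the `socket` option in init.rc is created by init under core policy with whatever label file_contexts assigns. Confirm the denial still occurs once the socket carries a dedicated label before keeping this rule; if it is needed, limit it to that type rather than socket_device and record the reason, e.g. `# init creates the mock RPMB socket for rpmb_dev before tee connects`.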
diff --git a/tee/trusty/mock_rpmb/rpmb_dev_mock_exec.te b/tee/trusty/mock_rpmb/rpmb_dev_mock_exec.te
new file mode 100644
index 00000000..34d50dba
--- /dev/null
+++ b/tee/trusty/mock_rpmb/rpmb_dev_mock_exec.te
@@ -0,0 +1,10 @@
+type rpmb_dev_mock, domain;
+type rpmb_dev_mock_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(rpmb_dev_mock)
+
+#allow rpmb_dev_mock rpmb_mock_data_file:file create_file_perms;
+#allow rpmb_dev_mock rpmb_mock_data_file:dir create_dir_perms;
+
+allow rpmb_dev_mock mnt_vendor_file:file create_file_perms;
+allow rpmb_dev_mock mnt_vendor_file:dir create_dir_perms;
diff --git a/tee/trusty/mock_rpmb/tee.te b/tee/trusty/mock_rpmb/tee.te
new file mode 100644
index 00000000..feb636e0
--- /dev/null
+++ b/tee/trusty/mock_rpmb/tee.te
@@ -0,0 +1,4 @@
+allow tee socket_device:sock_file rw_file_perms;
+allow tee rpmb_mock_data_file:file create_file_perms;
+allow tee rpmb_mock_data_file:dir create_dir_perms;
+allow tee rpmb_dev_mock:unix_stream_socket connectto;
diff --git a/tee/trusty/property.te b/tee/trusty/property.te
new file mode 100644
index 00000000..7a5dab6c
--- /dev/null
+++ b/tee/trusty/property.te
@@ -0,0 +1,2 @@
+vendor_internal_prop(vendor_trusty_storage_prop)
+
diff --git a/tee/trusty/property_contexts b/tee/trusty/property_contexts
new file mode 100644
index 00000000..a2f460a3
--- /dev/null
+++ b/tee/trusty/property_contexts
@@ -0,0 +1,2 @@
+ro.vendor.trusty.storage.fs_ready u:object_r:vendor_trusty_storage_prop:s0
+
diff --git a/tee/trusty/tee.te b/tee/trusty/tee.te
index 56455e79..ca360483 100644
--- a/tee/trusty/tee.te
+++ b/tee/trusty/tee.te
@@ -13,3 +13,4 @@ allow tee block_device:dir search;
 allow tee tee_device:blk_file rw_file_perms;
 allow tee gsi_metadata_file:dir search;
 allow tee metadata_file:dir search;
+set_prop(tee, vendor_trusty_storage_prop)
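Review bot: rpmb_dev_mock is granted create_file_perms and create_dir_perms on mnt_vendor_file, the label covering everything under /mnt/vendor, while the two rules that would confine it to the dedicated rpmb_mock_data_file are left commented out; mock_rpmb/tee.te then hands the create rights on rpmb_mock_data_file to tee instead. Either the mock backing store lives under /data/vendor/ss and the commented lines should replace the mnt_vendor_file pair, or it lives under /mnt/vendor and deserves its own file type with a file_contexts entry — in both cases the disabled rules should be removed and a one-line comment should record the location, e.g. `# mock RPMB backing file: <PATH>, created by rpmb_dev, served to tee over the socket`. Because this domain replaces hardware-backed rollback-protected storage with a plain file, it should also be evident from the build that it is excluded from production images, if that gating is not already elsewhere.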