# SELinux type-enforcement rules for the tee domain.
# Each rule below widens what the tee process may touch, so every grant
# should stay as narrow as the feature it serves.

# tee starts as root, and drops privileges
# setuid/setgid cover the uid/gid change made when dropping privileges.
# NOTE(review): sys_rawio is not needed to drop privileges and is a broad
# capability; presumably it backs the raw SCSI/RPMB access described
# further down -- confirm it is still required.
allow tee self:capability { setuid setgid sys_rawio };

# List the block_device directory, then read/write the drm and ssd
# partitions as raw block devices. Access is limited to these two labelled
# types; no generic block_device:blk_file access is granted.
allow tee block_device:dir r_dir_perms;
allow tee drm_block_device:blk_file rw_file_perms;
allow tee ssd_block_device:blk_file rw_file_perms;

# Need to figure out how many scsi generic devices are present
# before being able to identify which one is rpmb device
# This grants directory listing on the generic device type only; no rule
# in this section opens a generic device node.
allow tee device:dir r_dir_perms;

# allow tee to load firmware images
# Read-only: directories can be listed and files read, nothing is written.
allow tee firmware_file:dir r_dir_perms;
allow tee firmware_file:file r_file_perms;

# Read access to persist_data_file directories and files via the
# r_dir_file macro.
# NOTE(review): persist_data_file is also granted create_dir_perms and
# create_file_perms below, so this macro mostly overlaps with those rules --
# confirm whether both are needed.
r_dir_file(tee, persist_data_file)

# Read-only traversal of the persist_file directories themselves.
allow tee persist_file:dir r_dir_perms;

# Write to drm related pieces of persist partition
# create_* perms go beyond read/write: they also allow creating and
# removing entries under this type.
allow tee persist_drm_file:dir create_dir_perms;
allow tee persist_drm_file:file create_file_perms;

# allow tee to access persist_data_file
# Full create/modify access to directories and files of this type.
allow tee persist_data_file:dir create_dir_perms;
allow tee persist_data_file:file create_file_perms;

# allow tee to operate tee device
# Read/write on the tee_device character device.
allow tee tee_device:chr_file rw_file_perms;

# allow tee access for secure UI to work
# Read-only access to graphics_device nodes and their directory.
allow tee graphics_device:chr_file r_file_perms;
allow tee graphics_device:dir r_dir_perms;

# tee may set properties labelled qseecomtee_prop.
set_prop(tee, qseecomtee_prop)

# Binder IPC: tee may use binder and call into surfaceflinger.
# NOTE(review): presumably part of the secure UI path above -- confirm.
binder_call(tee, surfaceflinger)
binder_use(tee)

# tee may send datagrams to unix sockets owned by system_app.
# NOTE(review): system_app covers many apps; the intended receiver is not
# visible here -- confirm it and narrow the target type if possible.
allow tee system_app:unix_dgram_socket sendto;

# tee may connect to a unix stream socket owned by time_daemon.
allow tee time_daemon:unix_stream_socket connectto;

# allow tee to access data partition
# Only directory read perms on system_data_file are granted here; no
# system_data_file file access is given.
allow tee system_data_file:dir r_dir_perms;

# fingerprint (HAL)
# tee may modify fingerprintd_data_file directories and create, write and
# remove files in them.
# NOTE(review): presumably this is fingerprint template storage shared with
# the fingerprint daemon -- confirm.
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;