v811_spc009/vendor/device/sepolicy/private/tee/system_teecd.te

type teecd_auth_exec, exec_type, file_type,system_file_type;
typeattribute system_teecd mlstrustedsubject;
init_daemon_domain(system_teecd)
domain_trans(init, teecd_auth_exec, system_teecd)

allow system_teecd system_data_file:file { getattr read };
allow system_teecd system_data_file:lnk_file r_file_perms;
allow system_teecd system_data_file:file r_file_perms;
allow system_teecd system_data_file:dir rw_dir_perms;

allow system_teecd self:netlink_socket create_socket_perms_no_ioctl;
allow system_teecd self:netlink_generic_socket create_socket_perms_no_ioctl;
r_dir_file(system_teecd, sysfs_tee)
allow system_teecd self:global_capability_class_set { sys_admin chown };
allow system_teecd kernel:process setsched;
#allow system_teecd tee_device:chr_file rw_file_perms;
allow system_teecd self:filesystem { associate };
allow system_teecd keystore:dir search;
allow system_teecd keystore:file r_file_perms;

#{ search } for pid=2893 comm="teecd" name="3273" dev="proc" ino=14400 scontext=u:r:tee:s0 tcontext=u:r:system_server:s0 tclass=dir
allow system_teecd system_server:dir { search };

# { read } for pid=2949 comm="teecd" name="cmdline" dev="proc" ino=10299 scontext=u:r:tee:s0 tcontext=u:r:system_server:s0 tclass=file
# { getattr } for pid=2783 comm="teecd" path="/proc/3273/cmdline" dev="proc" ino=11314 scontext=u:r:tee:s0 tcontext=u:r:system_server:s0 tclass=file
# { open } for pid=2783 comm="teecd" path="/proc/3273/cmdline" dev="proc" ino=11314 scontext=u:r:tee:s0 tcontext=u:r:system_server:s0 tclass=file
allow system_teecd system_server:file r_file_perms;

# { fowner } for pid=2769 comm="teecd" capability=3 scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability
# { fsetid } for pid=2769 comm="teecd" capability=4 scontext=u:r:tee:s0 tcontext=u:r:tee:s0 tclass=capability
allow system_teecd self:global_capability_class_set { fowner fsetid net_raw };

allow system_teecd self:tcp_socket { create connect name_connect ioctl getopt setopt read write };
allow system_teecd port:tcp_socket { name_connect };
allow system_teecd self:udp_socket { create connect ioctl getopt setopt read write };
allow system_teecd dnsproxyd_socket:sock_file { write };

allow system_teecd domain:dir { search };
allow system_teecd domain:file r_file_perms;

userdebug_or_eng(`
    allow system_teecd su:dir { search };
    allow system_teecd su:file r_file_perms;
')
allow { coredomain -app_zygote } system_teecd:unix_stream_socket connectto;
allow domain system_teecd:fd {use};

#{ setattr } for pid=2797 comm="init" ppid=1 ppid_comm="init" name="tee-multi-user" dev="tmpfs" ino=11687 scontext=u:r:init:s0 tcontext=u:object_r:socket_device:s0 tclass=sock_file permissive=0
allow tee_multi_user_socket socket_device:dir { write add_name };
allow tee_multi_user_socket socket_device:sock_file { create setattr };

allow system_teecd logd_prop:file { getattr open read };
allow system_teecd init:unix_stream_socket {read write listen accept connectto};
#allow system_teecd cpuctl_device:dir { search };
allow system_teecd self:global_capability_class_set { sys_nice };

#avc: denied { read } scontext=u:r:tui_daemon:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow system_teecd sysfs_tee:file {r_file_perms};
allow system_teecd hwservicemanager:binder { call transfer };
allow hwservicemanager system_teecd:binder { call transfer };

get_prop(system_teecd,hwservicemanager_prop)

allow system_teecd hal_libteec:binder { call transfer };
allow system_teecd hal_ext_libteec_hwservice_attr:hwservice_manager { find };

allow system_teecd hidl_memory_hwservice:hwservice_manager { find };
allow system_teecd servicemanager:binder { call transfer };

allow system_teecd system_server:binder { call transfer };
allow system_server system_teecd:binder { call transfer };

#allow fbe_ca system_teecd:binder { call transfer };

allow radio system_teecd:binder { call transfer };
allow system_teecd radio_data_file:file { append getattr ioctl read write };

allow priv_app system_teecd:binder { call transfer };
allow untrusted_app system_teecd:binder { call transfer };
allow untrusted_app_25 system_teecd:binder { call transfer };
allow untrusted_app_27 system_teecd:binder { call transfer };
allow platform_app system_teecd:binder { call transfer };
allow system_app system_teecd:binder { call transfer };

allow system_teecd priv_app:binder { call transfer };
allow system_teecd untrusted_app:binder { call transfer };
allow system_teecd untrusted_app_25:binder { call transfer };
allow system_teecd untrusted_app_27:binder { call transfer };
allow system_teecd platform_app:binder { call transfer };
allow system_teecd system_app:binder { call transfer };

allow priv_app system_teecd:fd { use };
allow untrusted_app system_teecd:fd { use };
allow untrusted_app_25 system_teecd:fd { use };
allow untrusted_app_27 system_teecd:fd { use };
allow platform_app system_teecd:fd { use };
allow system_app system_teecd:fd { use };

allow system_teecd app_data_file:file { append getattr ioctl read write };
allow system_teecd system_app_data_file:file { getattr read };
allow system_teecd priv_app:fd { use };
allow system_teecd platform_app:fd { use };
allow system_teecd system_app:fd { use };
allow system_teecd untrusted_app:fd { use };
allow system_teecd untrusted_app_25:fd { use };
allow system_teecd untrusted_app_27:fd { use };
allow nfc system_teecd:binder { call transfer };

#avc: denied { call  } for dsm=Q pid=864 comm="NetworkSessionS" scontext=u:r:mediaserver:s0 tcontext=u:r:system_teecd:s0 tclass=binder permissive=0 CMD=/system/bin/mediaserver
#avc: denied { transfer  } for dsm=Q pid=876 comm="wfd_looper" scontext=u:r:mediaserver:s0 tcontext=u:r:system_teecd:s0 tclass=binder permissive=0 CMD=/system/bin/mediaserver
allow mediaserver system_teecd:binder { call transfer  };
allow system_teecd tee:fd { use };