author | Stephen Crane <cranes@google.com> | 2021-12-14 14:32:20 -0800 |
---|---|---|
committer | Stephen Crane <cranes@google.com> | 2021-12-14 14:32:20 -0800 |
commit | 5e4cb318325a0985b12f634adee5a16a09a7da8f (patch) | |
tree | cb9f1fcb3a3402ee9d0d80cbed0c063a766e2bae /sepolicy | |
parent | 646d43c9f68cb1d3066768560a4065f562e00c0d (diff) | |
download | trusty-5e4cb318325a0985b12f634adee5a16a09a7da8f.tar.gz |
Allow TEE storageproxyd permissions needed for DSU handling
Allows the vendor TEE access to GSI metadata files (which are publicly
readable). Storageproxyd needs access to this metadata to determine if a
GSI image is currently booted. Also allows the TEE domain to make new
directories in its data path.
Test: access /metadata/gsi/dsu/booted from storageproxyd
Bug: 203719297
Change-Id: I696ef8912de396531987e1104fb2b7ceebfbe44c
Diffstat (limited to 'sepolicy')
-rw-r--r-- | sepolicy/storageproxyd.te | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/sepolicy/storageproxyd.te b/sepolicy/storageproxyd.te index 578106b..d394b60 100644 --- a/sepolicy/storageproxyd.te +++ b/sepolicy/storageproxyd.te @@ -2,3 +2,8 @@ type rpmb_virt_device, dev_type; allow tee rpmb_virt_device:chr_file { open read write }; allow tee self:capability { setgid setuid }; + +allow tee tee_data_file:dir rw_dir_perms; + +# Allow storageproxyd access to gsi_public_metadata_file +read_fstab(tee) |
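Review bot: `allow tee tee_data_file:dir rw_dir_perms;` does not on its own cover the "make new directories in its data path" case the commit message describes: rw_dir_perms grants open/search/read/write/add_name/remove_name on an existing tee_data_file directory, but creating a subdirectory also needs `create` on the new dir object, which only create_dir_perms includes, so either confirm the base policy already grants tee create on tee_data_file:dir or widen this rule to create_dir_perms. The comment `# Allow storageproxyd access to gsi_public_metadata_file` sits above `read_fstab(tee)` with no direct allow on that type, so a few words stating that the read_fstab macro is what supplies the gsi_public_metadata_file read access would make the intent clear at a glance, and the stray empty `+` line before each rule could be dropped.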