author Stephen Crane <cranes@google.com> 2021-12-14 14:32:20 -0800
committer Stephen Crane <cranes@google.com> 2021-12-14 14:32:20 -0800
commit 5e4cb318325a0985b12f634adee5a16a09a7da8f
tree cb9f1fcb3a3402ee9d0d80cbed0c063a766e2bae /sepolicy
parent 646d43c9f68cb1d3066768560a4065f562e00c0d
Allow TEE storageproxyd permissions needed for DSU handling

Allows the vendor TEE access to GSI metadata files (which are publicly readable). Storageproxyd needs access to this metadata to determine if a GSI image is currently booted. Also allows the TEE domain to make new directories in its data path.

Test: access /metadata/gsi/dsu/booted from storageproxyd
Bug: 203719297
Change-Id: I696ef8912de396531987e1104fb2b7ceebfbe44c

Diffstat (limited to 'sepolicy')
-rw-r--r-- sepolicy/storageproxyd.te 5
1 files changed, 5 insertions, 0 deletions
diff --git a/sepolicy/storageproxyd.te b/sepolicy/storageproxyd.te
index 578106b..d394b60 100644
--- a/sepolicy/storageproxyd.te
+++ b/sepolicy/storageproxyd.te
@@ -2,3 +2,8 @@ type rpmb_virt_device, dev_type;
allow tee rpmb_virt_device:chr_file { open read write };
allow tee self:capability { setgid setuid };
+
+allow tee tee_data_file:dir rw_dir_perms;
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
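
Review bot: At `allow tee tee_data_file:dir rw_dir_perms;`, the commit message says the TEE domain must be able to make new directories, but rw_dir_perms covers searching, reading and adding or removing entries in an existing directory and does not include the dir `create` permission. If storageproxyd calls mkdir under its data path, this rule needs create_dir_perms (or an explicit `create`), and the Test line should also exercise directory creation, since it currently only covers reading /metadata/gsi/dsu/booted. This rule also has no comment saying why it is needed, unlike the one below it. On `read_fstab(tee)`, the comment names only gsi_public_metadata_file while the macro name suggests a broader fstab-reading grant; either say in the comment which of the macro's permissions storageproxyd relies on, or replace the macro with explicit allow rules limited to the GSI metadata read.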