| type sg_device, dev_type; |
| type persist_ss_file, file_type, vendor_persist_type; |
| |
| # Handle wake locks |
| wakelock_use(tee) |
| |
| allow tee persist_ss_file:file create_file_perms; |
| allow tee persist_ss_file:dir create_dir_perms; |
| allow tee persist_file:dir r_dir_perms; |
| allow tee mnt_vendor_file:dir r_dir_perms; |
| allow tee tee_data_file:dir create_dir_perms; |
| allow tee tee_data_file:lnk_file r_file_perms; |
| allow tee sg_device:chr_file rw_file_perms; |
| allow tee self:capability { setgid setuid }; |
| |
| # Allow storageproxyd access to gsi_public_metadata_file |
| read_fstab(tee) |
| |
| # storageproxyd starts before /data is mounted. It handles /data not being there |
| # gracefully. However, attempts to access /data trigger a denial. |
| dontaudit tee unlabeled:dir { search }; |