whitechapel/vendor/google/storageproxyd.te - device/google/gs101-sepolicy - Git at Google

 type sg_device, dev_type;
 type persist_ss_file, file_type, vendor_persist_type;

 # Handle wake locks
 wakelock_use(tee)

 allow tee persist_ss_file:file create_file_perms;
 allow tee persist_ss_file:dir create_dir_perms;
 allow tee persist_file:dir r_dir_perms;
 allow tee mnt_vendor_file:dir r_dir_perms;
 allow tee tee_data_file:dir create_dir_perms;
 allow tee tee_data_file:lnk_file r_file_perms;
 allow tee sg_device:chr_file rw_file_perms;
 allow tee self:capability { setgid setuid };

 # Allow storageproxyd access to gsi_public_metadata_file
 read_fstab(tee)

 # storageproxyd starts before /data is mounted. It handles /data not being there
 # gracefully. However, attempts to access /data trigger a denial.
 dontaudit tee unlabeled:dir { search };
	type sg_device, dev_type;
	type persist_ss_file, file_type, vendor_persist_type;

	# Handle wake locks
	wakelock_use(tee)

	allow tee persist_ss_file:file create_file_perms;
	allow tee persist_ss_file:dir create_dir_perms;
	allow tee persist_file:dir r_dir_perms;
	allow tee mnt_vendor_file:dir r_dir_perms;
	allow tee tee_data_file:dir create_dir_perms;
	allow tee tee_data_file:lnk_file r_file_perms;
	allow tee sg_device:chr_file rw_file_perms;
	allow tee self:capability { setgid setuid };

	# Allow storageproxyd access to gsi_public_metadata_file
	read_fstab(tee)

	# storageproxyd starts before /data is mounted. It handles /data not being there
	# gracefully. However, attempts to access /data trigger a denial.
	dontaudit tee unlabeled:dir { search };