tee is vendor domain

The tee domain is a vendor domain, so it is fine for the Widevine DRM HAL
to talk to tee over sockets. This also adds a TODO for the tee domain
about its use of non-vendor files.

Test: mmm system/sepolicy
Bug: 36601602
Change-Id: I0439bf77e64f9515f0cf2d0f7ee3c9eeb179b665
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
index 523867a..3bc0bad 100644
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@@ -5,8 +5,9 @@
 type hal_drm_widevine_exec, exec_type, file_type;
 init_daemon_domain(hal_drm_widevine)
 
-# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
-typeattribute hal_drm_widevine socket_between_core_and_vendor_violators;
+# TODO(b/36576915): Remove this once Widevine-backed DRM HAL stops using Binder services,
+# such as mediametrics service it currently attempts to use
+typeattribute hal_drm_widevine binder_in_vendor_violators;
 
 # TODO(b/36601695): Remove coredata_in_vendor_violators once hal_drm_widevine
 # no longer directly access /data outside /data/vendor.
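Review bot: The new `typeattribute hal_drm_widevine binder_in_vendor_violators;` line exempts the whole domain from the vendor-Binder restriction, but its TODO names only mediametrics, "such as", and says the HAL "attempts to use" it. If that access is attempted but not actually needed, the exemption may be unnecessary. If it is needed, the comment should list the exact services, for example `# Binder services used today: mediametrics (list any others here)`, so the exemption can be removed once the list is empty. The commit message explains only the socket change, so the reason for adding this attribute in the same commit is not recorded. Dropping `socket_between_core_and_vendor_violators` relies on tee being classified as a vendor domain, which this diff does not show and should be confirmed against tee's type declaration.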
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 5787bda..07ffdc6 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -11,6 +11,8 @@
 # Set the sys.listeners.registered property
 set_prop(tee, system_prop)
 
+# TODO(b/36720355): Remove this once tee no longer access non-vendor files
+typeattribute tee coredata_in_vendor_violators;
 allow tee system_data_file:dir r_dir_perms;
 allow tee fingerprintd_data_file:dir rw_dir_perms;
 allow tee fingerprintd_data_file:file create_file_perms;
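Review bot: The TODO above `typeattribute tee coredata_in_vendor_violators;` says only "non-vendor files", so nobody can tell when this domain-wide exemption may be dropped. The rules directly below it already show what is meant (`system_data_file:dir` reads, `fingerprintd_data_file` dir and file creation), so the comment could say so: `# TODO(b/36720355): Remove this once tee no longer accesses non-vendor files (system_data_file dirs, fingerprintd_data_file)`. A blank line after the `typeattribute` line would separate the exemption from the allow rules. Further allow rules may exist outside this hunk, so the list should be checked against the full file.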