commit 752d548ab3c1d6035ad998d44ef0652a3c37f57e
author Thiébaud Weksteen <tweek@google.com> Wed Nov 10 06:25:09 2021 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Wed Nov 10 06:25:09 2021 +0000
tree 4922f2c9a2fad2529778e95cef15f768fdb9aa23
parent c19611a1b05039b3b47e8e3a8104189d9df68c76
parent 55f1b0089100b5499fe6b0cf3f1357008adede51

Merge "Allow tee to access mnt_vendor_file" am: 435c1e8e7d am: ab07ab083b am: d787fc54a9 am: 55f1b00891

Original change: https://android-review.googlesource.com/c/device/google/redbull-sepolicy/+/1884509

Change-Id: I3bb5ce75ea23a77483115f301db09648421e7a9e

vendor/qcom/common/tee.te

diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te
index 05a9c29..1aac029 100644
--- a/vendor/qcom/common/tee.te
+++ b/vendor/qcom/common/tee.te
@@ -11,12 +11,15 @@
 allow tee ssd_block_device:blk_file rw_file_perms;
 allow tee sg_device:chr_file { rw_file_perms setattr };
 
-allow tee mnt_vendor_file:dir search;
-allow tee persist_file:dir search;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee persist_file:dir r_dir_perms;
 allow tee persist_file:lnk_file read;
 allow tee persist_drm_file:dir create_dir_perms;
 allow tee persist_drm_file:file create_file_perms;
 
+# b/198130336
+dontaudit tee tmpfs:dir read;
+
 wakelock_use(tee);
 
 hwbinder_use(tee)