Allow tee to access mnt_vendor_file
avc: denied { read } for comm="qseecomd" name="/" dev="tmpfs" ino=9502
scontext=u:r:tee:s0 tcontext=u:object_r:tmpfs:s0 tclass=dir permissive=0
avc: denied { read } for comm="qseecomd" name="vendor" dev="tmpfs"
ino=9503 scontext=u:r:tee:s0 tcontext=u:object_r:mnt_vendor_file:s0
tclass=dir permissive=0
avc: denied { read } for comm="qseecomd" name="/" dev="sda2" ino=2
scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=dir
permissive=0avc: denied { read } for comm="qseecomd" name="/"
dev="tmpfs" ino=9502 scontext=u:r:tee:s0 tcontext=u:object_r:tmpfs:s0
tclass=dir permissive=0
Test: m sepolicy
Bug: 198130336
Change-Id: I862917823a0ff0d1685c03fa9232a25f01c8c4cd
diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te
index 05a9c29..1aac029 100644
--- a/vendor/qcom/common/tee.te
+++ b/vendor/qcom/common/tee.te
@@ -11,12 +11,15 @@
allow tee ssd_block_device:blk_file rw_file_perms;
allow tee sg_device:chr_file { rw_file_perms setattr };
-allow tee mnt_vendor_file:dir search;
-allow tee persist_file:dir search;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee persist_file:dir r_dir_perms;
allow tee persist_file:lnk_file read;
allow tee persist_drm_file:dir create_dir_perms;
allow tee persist_drm_file:file create_file_perms;
+# b/198130336
+dontaudit tee tmpfs:dir read;
+
wakelock_use(tee);
hwbinder_use(tee)
