Add SEPolicy rule for hal_drm_widevine

1. Add node /dev/qce.
2. Allow hal_drm_widevine r/w qce_device
3. Allow tee access for secure UI to work

Test: GtsMediaTestCases
Bug: 136317881
Bug: 165071964
Change-Id: If9e71f1415ec79154ccd582d033b0881f0d321cb
Merged-In: If9e71f1415ec79154ccd582d033b0881f0d321cb
(cherry picked from commit e8aaab33deffd4f8f9112e8058489d530e0b724c)
diff --git a/vendor/qcom/common/file_contexts b/vendor/qcom/common/file_contexts
index 7931a55..38d8a33 100644
--- a/vendor/qcom/common/file_contexts
+++ b/vendor/qcom/common/file_contexts
@@ -248,6 +248,7 @@
 /dev/msm_.*                                     u:object_r:audio_device:s0
 /dev/ramdump_.*                                 u:object_r:ramdump_device:s0
 /dev/at_.*                                      u:object_r:at_device:s0
+/dev/qce                                        u:object_r:qce_device:s0
 
 # dev socket nodes
 /dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
diff --git a/vendor/qcom/common/hal_drm_widevine.te b/vendor/qcom/common/hal_drm_widevine.te
index 4b52daf..2f8fbdd 100644
--- a/vendor/qcom/common/hal_drm_widevine.te
+++ b/vendor/qcom/common/hal_drm_widevine.te
@@ -10,4 +10,6 @@
 allow hal_drm_widevine hal_display_config_hwservice:hwservice_manager find;
 binder_call(hal_drm_widevine, hal_graphics_composer_default)
 
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
\ No newline at end of file
+allow hal_drm_widevine { appdomain -isolated_app }:fd use;
+
+allow hal_drm_widevine qce_device:chr_file rw_file_perms;
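Review bot: The added `allow hal_drm_widevine qce_device:chr_file rw_file_perms;` grants ioctl along with read and write, and nothing in this change limits which ioctl commands the HAL may send to `/dev/qce`. Unless an allowxperm rule for this source/target pair exists elsewhere in the policy, every command the driver implements is reachable from the Widevine HAL. Once the required commands are known, consider adding `allowxperm hal_drm_widevine qce_device:chr_file ioctl { <required commands> };`. The rule also has no comment, unlike the tee rule in this commit; a line such as `# Widevine HAL needs the crypto engine node /dev/qce` (wording for the author to confirm) would record why it exists.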
diff --git a/vendor/qcom/common/tee.te b/vendor/qcom/common/tee.te
index b28b1b7..d1e8cc1 100644
--- a/vendor/qcom/common/tee.te
+++ b/vendor/qcom/common/tee.te
@@ -31,3 +31,6 @@
 
 allow tee sysfs_wake_lock:file append;
 allow tee time_daemon:unix_stream_socket connectto;
+
+# allow tee access for secure UI to work
+allow tee graphics_device:chr_file rw_file_perms;
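Review bot: `allow tee graphics_device:chr_file rw_file_perms;` gives the tee domain read, write and ioctl on every character device labeled graphics_device, which looks wider than the "secure UI" purpose in the comment requires. If secure UI needs only one display node, giving that node its own type in file_contexts and granting tee access to that type alone would keep the rule scoped. The comment could also name the node and the tracking bug, e.g. `# Secure UI: tee accesses <node> (b/<bug id>)`. If tee opens the node by path under a directory that is itself labeled graphics_device, it would presumably also need `allow tee graphics_device:dir search;`, so the test run should be checked for denials.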