allow tee system_data_root_file:dir r_dir_perms;
aosp/1106014 introduces a new class system_data_root_file and
tee needs access to that as well as system_data_file.
09-09 20:26:53.639 645 645 I auditd : type=1400 audit(0.0:9): avc: denied { read } for comm="qseecomd" name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
09-09 20:26:53.639 645 645 I qseecomd: type=1400 audit(0.0:9): avc: denied { read } for name="/" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
09-09 20:26:53.639 645 645 I auditd : type=1400 audit(0.0:10): avc: denied { open } for comm="qseecomd" path="/data" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
09-09 20:26:53.639 645 645 I qseecomd: type=1400 audit(0.0:10): avc: denied { open } for path="/data" dev="dm-2" ino=2 scontext=u:r:tee:s0 tcontext=u:object_r:system_data_root_file:s0 tclass=dir permissive=1
Bug: 140402208
Test: Flash Taimen device, enroll fingerprint, check log for denials
Change-Id: Ie976d7bbe4aeba875b96b6b82a94734b71ba1cb9
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
index 98ae143..c75e4b3 100644
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -19,7 +19,7 @@
# TODO(b/36644492): Remove data_between_core_and_vendor_violators once
# tee no longer directly accesses /data owned by the frameworks.
typeattribute tee data_between_core_and_vendor_violators;
-allow tee system_data_file:dir r_dir_perms;
+allow tee { system_data_file system_data_root_file }:dir r_dir_perms;
allow tee fingerprintd_data_file:dir rw_dir_perms;
allow tee fingerprintd_data_file:file create_file_perms;