am 31326aeb: am 2fb3b804: am 1c524977: Merge "Upgrade SELinux policy for N5 DRM crypto"
* commit '31326aeb6e33ba0d7acc73f391d8c0820946f169':
Upgrade SELinux policy for N5 DRM crypto
diff --git a/sepolicy/device.te b/sepolicy/device.te
index 592f0b4..131553e 100644
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@@ -15,5 +15,10 @@
type modem_block_device, dev_type;
+# secure software download partition
+type ssd_block_device, dev_type;
+
+type drm_block_device, dev_type;
+
# Thermal engine
type thermal_engine_device, dev_type;
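Review bot: `drm_block_device` on the line `type drm_block_device, dev_type;` is declared without a comment, while the sibling `ssd_block_device` added just above it gets one; since a reader of device.te cannot see file_contexts or tee.te, add a line such as `# RPMB partition (mmcblk0rpmb) accessed by tee for DRM anti-rollback state` so the type's purpose is documented where it is declared. The two blank `+` lines around it can also be collapsed to one to match the spacing of the rest of the file.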
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 8d9e755..7c59c72 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -30,11 +30,12 @@
# Block labeling
/dev/block/mmcblk0 u:object_r:root_block_device:s0
+/dev/block/mmcblk0rpmb u:object_r:drm_block_device:s0
/dev/block/platform/msm_sdcc\.1/by-name/modemst1 u:object_r:modem_block_device:s0
/dev/block/platform/msm_sdcc\.1/by-name/modemst2 u:object_r:modem_block_device:s0
/dev/block/platform/msm_sdcc\.1/by-name/fsc u:object_r:modem_block_device:s0
/dev/block/platform/msm_sdcc\.1/by-name/fsg u:object_r:modem_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:modem_block_device:s0
+/dev/block/platform/msm_sdcc\.1/by-name/ssd u:object_r:ssd_block_device:s0
# CPU governor controls
/dev/socket/mpdecision(/.*)? u:object_r:mpdecision_socket:s0
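Review bot: Relabelling the ssd partition from `modem_block_device` to `ssd_block_device` removes it from every domain that was allowed `modem_block_device:blk_file`, and this change only re-grants `rmt` (in rmt.te); any other domain that relied on the old label will start hitting denials after the relabel. Before merging, the remaining `modem_block_device` rules across sepolicy should be checked (not visible here), and the new `ssd_block_device` rule added to each domain that genuinely needs the ssd partition. Note also that the existing label on the node does not take effect until the device is relabelled or rebooted, which is worth calling out in the commit message.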
diff --git a/sepolicy/rmt.te b/sepolicy/rmt.te
index 13834d0..a69f192 100644
--- a/sepolicy/rmt.te
+++ b/sepolicy/rmt.te
@@ -17,6 +17,7 @@
# Allow reads/writes to modem related block devices
allow rmt modem_block_device:blk_file rw_file_perms;
+allow rmt ssd_block_device:blk_file rw_file_perms;
# Allow shared memory logging access
allow rmt shared_log_device:chr_file rw_file_perms;
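Review bot: The new `allow rmt ssd_block_device:blk_file rw_file_perms;` sits under the comment `# Allow reads/writes to modem related block devices`, which no longer describes the rule since ssd is the secure software download partition, not a modem partition. Either update the comment to `# Allow reads/writes to modem and secure software download (ssd) block devices` or give the new rule its own comment stating why rmt needs the ssd partition.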
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index 4fa79a9..7e226be 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -13,5 +13,17 @@
r_dir_file(tee, persist_data_file)
r_dir_file(tee, persist_drm_file)
# Write to drm related pieces of persist partition
-allow tee persist_drm_file:dir w_dir_perms;
-allow tee persist_drm_file:file w_file_perms;
+allow tee persist_drm_file:dir create_dir_perms;
+allow tee persist_drm_file:file create_file_perms;
+
+# b/15777869 - update for Nexus 5 modular DRM
+
+# tee starts as root, and drops privileges
+allow tee self:capability { setuid setgid };
+
+# Need to directly minipulate certain block devices
+# for anti-rollback protection
+allow tee block_device:dir search;
+allow tee self:capability sys_rawio;
+allow tee drm_block_device:blk_file rw_file_perms;
+allow tee ssd_block_device:blk_file rw_file_perms;
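Review bot: `allow tee self:capability sys_rawio;` grants the tee domain a capability far broader than the two block devices the comment names; the labelled `blk_file` rules on the next two lines already permit open/read/write/ioctl on those nodes, so sys_rawio is only required if the daemon issues raw-I/O ioctls that the kernel gates on that capability. The commit should state which ioctl needs it (or, if it was added in response to a denial, quote that denial), and if it is not needed the line should be dropped so that a compromised tee cannot use sys_rawio against other block devices it can reach. The same applies to `setuid setgid`: the comment says tee drops privileges, which is fine, but that is only a real mitigation if the dropped-to uid is not root. While here, fix the typo in the comment `# Need to directly minipulate certain block devices` to `manipulate`.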