Merge pull request #1082 from wenjz-qualcomm/main

tee_supplicant: Introduce SELinux domain for tee_supplicants

Author: pebenito

policy/modules/kernel/devices.if

@@ -5032,6 +5032,24 @@ interface(`dev_setattr_all_sysfs',`
     allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr };
 ')
 
+##########################################
+## <summary>
+##	Read and write the tee device.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`dev_rw_tee',`
+	gen_require(`
+		type device_t, tee_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, tee_device_t)
+')
+
 ########################################
 ## <summary>
 ##	Read and write the TPM device.

policy/modules/services/tee_supplicant.fc

@@ -0,0 +1 @@
+/usr/bin/qtee_supplicant      --      gen_context(system_u:object_r:tee_supplicant_exec_t,s0)

policy/modules/services/tee_supplicant.if

@@ -0,0 +1,10 @@
+## <summary>tee_supplicant</summary>
+#
+## <desc>
+## qtee_supplicant is a userspace supplicant daemon that
+## services callback requests from QTEE via the Linux TEE subsystem.
+## It communicates with QTEE through /dev/tee0 and provides normal-world 
+## services required by trusted applications running in QTEE.
+##
+## https://github.com/qualcomm/minkipc/tree/main/qtee_supplicant
+## </desc>

policy/modules/services/tee_supplicant.te

@@ -0,0 +1,17 @@
+policy_module(tee_supplicant)
+
+########################################
+#
+# Declarations
+#
+
+type tee_supplicant_t;
+type tee_supplicant_exec_t;
+init_daemon_domain(tee_supplicant_t, tee_supplicant_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+dev_rw_tee(tee_supplicant_t)