From bd840684794071f9d5f9167d616748850124dd5a Mon Sep 17 00:00:00 2001
From: Zoltan Kuscsik
Date: Fri, 19 Aug 2016 11:03:15 +0200
Subject: [PATCH] Add SELinux support for tee-supplicant
Reusing the existing domain for tee defined in system/sepolicy.
Signed-off-by: Zoltan Kuscsik
Reviewed-by: David Brown
---
 BoardConfig.mk | 4 ++++
 init.hikey.rc | 3 ++-
 sepolicy/file_contexts | 3 +++
 sepolicy/init.te | 4 +++-
 ueventd.hikey.rc | 2 ++
 5 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/BoardConfig.mk b/BoardConfig.mk
index a6c19366..88bdf38a 100644
--- a/BoardConfig.mk
+++ b/BoardConfig.mk
@@ -55,6 +55,10 @@ ENABLE_CPUSETS := true
 BOARD_SEPOLICY_DIRS := device/linaro/hikey/sepolicy
+BOARD_SEPOLICY_UNION += \ file_contexts \ sepolicy.te
+
 ifeq ($(HOST_OS), linux)
 ifeq ($(TARGET_SYSTEMIMAGES_USE_SQUASHFS), true)
 BOARD_SYSTEMIMAGE_FILE_SYSTEM_TYPE := squashfs
diff --git a/init.hikey.rc b/init.hikey.rc
index dddf8ec8..1b39a89b 100644
--- a/init.hikey.rc
+++ b/init.hikey.rc
@@ -90,9 +90,10 @@ service uim /system/bin/uim
 user root
 oneshot
-service tee-supplicant /system/bin/tee-supplicant
+service tee_supplicant /system/bin/tee-supplicant
 class main
 user root
+ group shell
 oneshot
 service wpa_supplicant /system/bin/wpa_supplicant \
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index e97b068d..10d4e165 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -4,3 +4,6 @@
 /dev/dri/card0 u:object_r:gpu_device:s0
 /dev/hci_tty u:object_r:hci_attach_dev:s0
 /system/bin/uim u:object_r:hci_attach_exec:s0
+/dev/tee[0-9]* u:object_r:tee_device:s0
+/dev/teepriv[0-9]* u:object_r:tee_device:s0
+/system/bin/tee-supplicant u:object_r:tee_exec:s0
diff --git a/sepolicy/init.te b/sepolicy/init.te
index cd0bcac4..527b3aa9 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
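Review bot: `BOARD_SEPOLICY_UNION += file_contexts sepolicy.te` names a file this commit does not add — the diffstat lists `sepolicy/init.te` and `sepolicy/file_contexts`, and there is no `sepolicy.te` — so either the list is wrong or the variable is not read at all. `BOARD_SEPOLICY_DIRS` is already set on the line above, and as far as I know the Android build unions every `.te` file and `file_contexts` found under those directories without a separate list; please confirm against the sepolicy Android.mk in this tree and drop the block if it is vestigial. If the variable is still honoured, the entry must name the file actually being added, e.g. `init.te`, because a mis-listed file means the device rules silently never make it into the policy.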
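Review bot: The service keeps `user root` and adds `group shell`, while the device nodes it needs are created as `0660 system drmrpc` in ueventd.hikey.rc; root bypasses DAC anyway, so `group shell` gains nothing for device access and only widens what a compromised supplicant can reach. If tee-supplicant needs no other root-only privilege (to be confirmed), run it as the owner of its nodes instead, `user system` / `group drmrpc`, which also makes the ueventd ownership meaningful. Separately, renaming the service from `tee-supplicant` to `tee_supplicant` changes the `init.svc.*` property name and breaks any `start tee-supplicant` or `ctl.start` reference elsewhere; the commit message does not mention the rename, so it is worth a grep before merging.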
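Review bot: `/dev/teepriv[0-9]*` gets the same `tee_device` label as the client nodes `/dev/tee[0-9]*`, so the policy cannot distinguish the supplicant-private interface from the one client applications open; any domain granted `tee_device:chr_file` (system/sepolicy may grant it to domains other than `tee`, worth checking) also reaches the privileged node. A distinct type for the private node, e.g. `type tee_priv_device, dev_type;` in a device-local .te, `/dev/teepriv[0-9]* u:object_r:tee_priv_device:s0` here and `allow tee tee_priv_device:chr_file rw_file_perms;`, keeps the supplicant side reachable only from the `tee` domain. The `tee_exec` label on the binary is what drives the init-to-tee domain transition, presumably through system/sepolicy's `init_daemon_domain(tee)`; confirm that macro is present rather than relying on it.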
@@ -1,4 +1,6 @@
 # init.hikey.usb.rc writes to /config/* to set up USB
 allow init configfs:dir create_file_perms;
 allow init configfs:file write;
-allow init configfs:lnk_file create;
+allow tee system_data_file:dir write;
+allow tee system_data_file:dir add_name;
+allow tee system_data_file:dir create;
diff --git a/ueventd.hikey.rc b/ueventd.hikey.rc
index 7a1eed61..a6f14d51 100644
--- a/ueventd.hikey.rc
+++ b/ueventd.hikey.rc
@@ -1,3 +1,5 @@
 /dev/hci_tty 0666 root root
 /dev/ttyAMA1 0660 bluetooth net_bt_stack
 /dev/mali 0666 system graphics
+/dev/tee0 0660 system drmrpc
+/dev/teepriv0 0660 system drmrpc
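Review bot: The hunk drops `allow init configfs:lnk_file create;` although the commit is only about tee-supplicant, and the comment kept at the top of the file says init.hikey.usb.rc sets up USB through /config — a configfs gadget setup normally links functions into a config with symlinks, so removing this rule is likely to regress USB unless that symlink step no longer exists (verify against the rc file and an audit log). Please restore that line and move the three new rules into a `sepolicy/tee.te`, since they concern the `tee` domain rather than init; they can also be a single rule, `allow tee system_data_file:dir { write add_name create };`. Granting `write`/`add_name`/`create` on the generic `system_data_file` label lets the supplicant create directories anywhere under /data carrying that label, which is broader than it needs and should be checked against the `system_data_file` neverallow rules in system/sepolicy. If the supplicant only needs its own directory, label that path and grant on it instead; system/sepolicy ships a `tee_data_file` type for /data/tee, if that matches the path it actually uses.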
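Review bot: `/dev/teepriv0 0660 system drmrpc` gives the supplicant-private node the same owner, group and mode as the client node `/dev/tee0`, so every process in group `drmrpc` (the DRM/media daemons on AOSP, as far as I know) can open the interface that only tee-supplicant should hold. Tighten it to the supplicant's own identity, e.g. `/dev/teepriv0 0600 system system` once the service runs as `user system`, and leave `/dev/tee0` at `0660 system drmrpc` for clients. Note also that file_contexts labels `/dev/tee[0-9]*` and `/dev/teepriv[0-9]*` while this file only covers instance 0; any further instances fall back to ueventd's default (`0600 root root`), which is probably fine but deserves a one-line comment here.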