Diffstat (limited to 'sepolicy/whitechapel/vendor/google/storageproxyd.te')
-rw-r--r--sepolicy/whitechapel/vendor/google/storageproxyd.te23
1 files changed, 23 insertions, 0 deletions
diff --git a/sepolicy/whitechapel/vendor/google/storageproxyd.te b/sepolicy/whitechapel/vendor/google/storageproxyd.te
new file mode 100644
index 00000000..bf29cbf2
--- /dev/null
+++ b/sepolicy/whitechapel/vendor/google/storageproxyd.te
@@ -0,0 +1,23 @@
+type sg_device, dev_type;
+type persist_ss_file, file_type, vendor_persist_type;
+
+# Handle wake locks
+wakelock_use(tee)
+
+allow tee persist_ss_file:file create_file_perms;
+allow tee persist_ss_file:dir create_dir_perms;
+allow tee persist_file:dir r_dir_perms;
+allow tee mnt_vendor_file:dir r_dir_perms;
+allow tee tee_data_file:dir create_dir_perms;
+allow tee tee_data_file:lnk_file r_file_perms;
+allow tee sg_device:chr_file rw_file_perms;
+allow tee self:capability { setgid setuid };
+
+# Allow storageproxyd access to gsi_public_metadata_file
+read_fstab(tee)
+
+# storageproxyd starts before /data is mounted. It handles /data not being there
+# gracefully. However, attempts to access /data trigger a denial.
+dontaudit tee unlabeled:dir { search };
+
+set_prop(tee, vendor_trusty_storage_prop)
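Review bot: The `allow tee self:capability { setgid setuid };` rule and the read/write grant on `sg_device:chr_file` are attached to the whole `tee` domain with no comment saying why they are needed, so any process running as `tee` gets identity-changing capabilities and read/write access to the device nodes labelled `sg_device`, not only storageproxyd. If the capabilities exist only so the daemon can drop from root after opening the device (an assumption, not visible in this hunk), state that above the rule, e.g. `# storageproxyd opens the sg node as root, then drops uid/gid`. The `dontaudit tee unlabeled:dir { search };` rule silences search denials on every unlabeled directory, not just the unmounted /data, which can hide a real labeling problem, so its comment should note that scope. The file_contexts entry that assigns `sg_device` is outside this diff, so confirm it matches a single node rather than a broad pattern.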