From b59dc27a1b580a13c50477d2af1cbdaf95601d8f Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 9 Jul 2014 20:04:59 -0700
Subject: [PATCH] Drop sys_rawio neverallow for tee

The new Nexus 5 tee implementation requires raw block I/O
for anti-rollback protection.

Bug: 15777869
Change-Id: I57691a9d06b5a51e2699c240783ed56e3a003396
---
 domain.te | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/domain.te b/domain.te
index 0028a17a8..7d64cfa6c 100644
--- a/domain.te
+++ b/domain.te
@@ -169,8 +169,11 @@ neverallow { domain -unconfineddomain -recovery } unlabeled:dir_file_class_set c
 # with other UIDs to these whitelisted domains.
 neverallow { domain -debuggerd -vold -dumpstate -system_server } self:capability sys_ptrace;
 
-# Limit device node creation and raw I/O to these whitelisted domains.
-neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability { sys_rawio mknod };
+# Limit device node creation to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt } self:capability mknod;
+
+# Limit raw I/O to these whitelisted domains.
+neverallow { domain -kernel -init -recovery -ueventd -watchdogd -healthd -vold -uncrypt -tee } self:capability sys_rawio;
 
 # No process can map low memory (< CONFIG_LSM_MMAP_MIN_ADDR).
 neverallow domain self:memprotect mmap_zero;
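Review bot: The new sys_rawio rule on the last added line exempts tee from the neverallow without any in-file explanation, while the comment above it ("Limit raw I/O to these whitelisted domains") reads as if the list is purely storage/boot infrastructure; the commit message gives the reason (a device-specific tee needing raw block I/O for anti-rollback), but that justification is only in the commit record, not in the policy. Because this is domain.te rather than a device-specific policy, the exemption appears to relax the neverallow for every device's tee domain, not just the one the commit message names; if that is intended, the comment should say so, since sys_rawio is a broad capability and the neverallow is the only place it is constrained here. I would record the rationale next to the rule: `# tee is exempted because some TEE implementations need raw block I/O for anti-rollback protection (Bug: 15777869); the actual allow rule lives in device policy.` The split of the old combined `{ sys_rawio mknod }` rule into two rules preserves the mknod restriction unchanged, which looks correct.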
-- 
GitLab