
Commit 1e619be

refpolicy: Introduce SELinux domain and policies for tee_supplicant
Introduce a new SELinux domain for the Qualcomm tee_supplicant to ensure proper labeling, isolation and access control under the target refpolicy.

Signed-off-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
1 parent bc91965 commit 1e619be

2 files changed

+110
-0
lines changed

@@ -0,0 +1,105 @@
1+
From b2f7220034bd340574d14222e88cb762f56bafa5 Mon Sep 17 00:00:00 2001
2+
From: Wenjia Zhang <wenjz@qti.qualcomm.com>
3+
Date: Thu, 5 Feb 2026 13:48:10 +0800
4+
Subject: [PATCH] tee_supplicant: Introduce SELinux domain for tee_supplicant
5+
6+
Define a dedicated domain (`tee_supplicant_t`)
7+
to confine tee_supplicant service, ensuring it operates in
8+
a restricted environment isolated from other init processes.
9+
10+
Define a inferface of /dev/tee[0-9].
11+
12+
Grant the read and write permission to tee_supplicant for resolving
13+
AVC denials in enforcing mode.
14+
15+
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1082]
16+
17+
Signed-off-by: wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
18+
---
19+
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
20+
policy/modules/services/tee_supplicant.fc | 1 +
21+
policy/modules/services/tee_supplicant.if | 10 ++++++++++
22+
policy/modules/services/tee_supplicant.te | 17 +++++++++++++++++
23+
4 files changed, 46 insertions(+)
24+
create mode 100644 policy/modules/services/tee_supplicant.fc
25+
create mode 100644 policy/modules/services/tee_supplicant.if
26+
create mode 100644 policy/modules/services/tee_supplicant.te
27+
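Review bot: the author identity in this patch header is inconsistent: `From: Wenjia Zhang <wenjz@qti.qualcomm.com>` against `Signed-off-by: wenjia Zhang <wenjia.zhang@oss.qualcomm.com>` (different address, lowercase first name); align both with the outer commit's `Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>` before this enters the backport series. The message also has a typo ("a inferface" should read "an interface") and, more substantively, says it defines an interface of `/dev/tee[0-9]` while the diffstat touches only `devices.if`, so no file context for `/dev/tee[0-9]` is part of this change; state where that labeling comes from.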
28+
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
29+
index dd8072f37..bbdb45b98 100644
30+
--- a/policy/modules/kernel/devices.if
31+
+++ b/policy/modules/kernel/devices.if
32+
@@ -5032,6 +5032,24 @@ interface(`dev_setattr_all_sysfs',`
33+
allow $1 sysfs_types:lnk_file { read_lnk_file_perms setattr };
34+
')
35+
36+
+##########################################
37+
+## <summary>
38+
+## Read and write the tee device.
39+
+## </summary>
40+
+## <param name="domain">
41+
+## <summary>
42+
+## Domain allowed access.
43+
+## </summary>
44+
+## </param>
45+
+#
46+
+interface(`dev_rw_tee',`
47+
+ gen_require(`
48+
+ type device_t, tee_device_t;
49+
+ ')
50+
+
51+
+ rw_chr_files_pattern($1, device_t, tee_device_t)
52+
+')
53+
+
54+
########################################
55+
## <summary>
56+
## Read and write the TPM device.
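Review bot: `gen_require` in `dev_rw_tee` pulls in `tee_device_t`, but nothing in this patch declares that type (`devices.te` is not in the diffstat) or labels `/dev/tee[0-9]` with it. If the base refpolicy revision used by this layer does not already define `tee_device_t` via `dev_node()` and carry a `devices.fc` entry for the tee nodes, the module will fail at link time; if it does, the interface only has effect when the nodes are actually labeled `tee_device_t` rather than falling back to `device_t`, so the commit message should say which base revision provides both. Style: the opening comment separator appears longer than the 40-character `########################################` used by the adjacent TPM block; match the existing width.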
57+
diff --git a/policy/modules/services/tee_supplicant.fc b/policy/modules/services/tee_supplicant.fc
58+
new file mode 100644
59+
index 000000000..9c6e77836
60+
--- /dev/null
61+
+++ b/policy/modules/services/tee_supplicant.fc
62+
@@ -0,0 +1 @@
63+
+/usr/bin/qtee_supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0)
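Review bot: the file context covers only the literal path `/usr/bin/qtee_supplicant`; if the recipe installs the binary anywhere else or under another name, the executable keeps the default `bin_t` label, `init_daemon_domain` never triggers, and the daemon runs in `init_t` instead of `tee_supplicant_t` with no denial in the audit log to reveal the missed transition. Tie this path to the install location in the qtee_supplicant recipe, and note in the message that the module is named `tee_supplicant` while the binary is `qtee_supplicant`, since that mismatch is an easy source of mislabeling later.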
64+
diff --git a/policy/modules/services/tee_supplicant.if b/policy/modules/services/tee_supplicant.if
65+
new file mode 100644
66+
index 000000000..e22a531f5
67+
--- /dev/null
68+
+++ b/policy/modules/services/tee_supplicant.if
69+
@@ -0,0 +1,10 @@
70+
+## <summary>tee_supplicant</summary>
71+
+#
72+
+## <desc>
73+
+## qtee_supplicant is a userspace supplicant daemon that
74+
+## services callback requests from QTEE via the Linux TEE subsystem.
75+
+## It communicates with QTEE through /dev/tee0 and provides normal-world
76+
+## services required by trusted applications running in QTEE.
77+
+##
78+
+## https://github.com/qualcomm/minkipc/tree/main/qtee_supplicant
79+
+## </desc>
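Review bot: the module description says qtee_supplicant communicates through `/dev/tee0`, while the patch message names `/dev/tee[0-9]` and the interface added to `devices.if` is the generic `dev_rw_tee`; make the three agree so the documented scope matches what the policy grants. The .if file defines no interfaces at all, so no other domain can be granted a transition to or from `tee_supplicant_t` except through `init_daemon_domain`; that is acceptable for a tightly confined daemon, but say so explicitly if an admin or debugging interface is being deliberately left out.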
80+
diff --git a/policy/modules/services/tee_supplicant.te b/policy/modules/services/tee_supplicant.te
81+
new file mode 100644
82+
index 000000000..2d5905318
83+
--- /dev/null
84+
+++ b/policy/modules/services/tee_supplicant.te
85+
@@ -0,0 +1,17 @@
86+
+policy_module(tee_supplicant)
87+
+
88+
+########################################
89+
+#
90+
+# Declarations
91+
+#
92+
+
93+
+type tee_supplicant_t;
94+
+type tee_supplicant_exec_t;
95+
+init_daemon_domain(tee_supplicant_t, tee_supplicant_exec_t)
96+
+
97+
+########################################
98+
+#
99+
+# Local policy
100+
+#
101+
+
102+
+dev_rw_tee(tee_supplicant_t)
103+
--
104+
2.43.0
105+
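Review bot: the local policy for `tee_supplicant_t` is the single call `dev_rw_tee(tee_supplicant_t)`, yet the module's own description says the daemon "provides normal-world services required by trusted applications", and the commit message says the goal is to resolve AVC denials in enforcing mode. A supplicant that services callbacks usually needs more than the device node (its own storage files, logging, localization, reading /etc), so either the denials observed really were limited to the tee device, in which case quote the audit records in the message, or the remaining accesses are still being absorbed in permissive mode and will surface as denials once the domain is enforced. Grant whatever else is required through named refpolicy interfaces here rather than growing the domain later from `audit2allow` output, and add the `self` permissions (process, fd, capability) the daemon actually needs, since `init_daemon_domain` alone provides no such baseline.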
Lines changed: 5 additions & 0 deletions
@@ -0,0 +1,5 @@
1+
FILESEXTRAPATHS:append := "${THISDIR}/${PN}:"
2+
3+
SRC_URI:append:qcom = " \
4+
file://0059-tee_supplicant-Introduce-SELinux-domain-for-tee_supp.patch \
5+
"
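Review bot: the append is correctly scoped with the `:qcom` override so non-Qualcomm builds are untouched, but the patch name `0059-tee_supplicant-Introduce-SELinux-domain-for-tee_supp.patch` implies it joins an existing numbered series: confirm the number does not collide with a patch already under `${THISDIR}/${PN}` and that the patch rendered above is saved under exactly that file name, since the file path is not visible in this change. Separately, a new policy module is only built if it is listed in refpolicy's `modules.conf`; if this build maintains that file instead of regenerating it with `make conf`, a `tee_supplicant = module` entry is needed, and nothing in the bbappend indicates which case applies.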
