new file mode 100644
@@ -0,0 +1,236 @@
+From dbe6da2881241745b8cc6286e74cb801c3945ae3 Mon Sep 17 00:00:00 2001
+From: Wenjia Zhang <wenjz@qti.qualcomm.com>
+Date: Thu, 16 Apr 2026 11:38:59 +0800
+Subject: [PATCH] tee_supplicant: Add necessary SELinux policy for
+ qtee_supplicant
+
+This change is adding some interfaces for qtee_supplicant which requires
+more permissions than OPTEE's tee_supplicant.
+
+Overall, some necessary permissions for qtee_supplicant to accessing
+system resources have been added.
+
+Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1105]
+
+Signed-off-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
+---
+ policy/modules/kernel/storage.if | 60 +++++++++++++++++++++++
+ policy/modules/services/tee_supplicant.fc | 2 +
+ policy/modules/services/tee_supplicant.if | 22 ++++++++-
+ policy/modules/services/tee_supplicant.te | 39 +++++++++++++++
+ policy/modules/system/init.te | 4 ++
+ testing/sechecker.ini | 1 +
+ 6 files changed, 127 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if
+index 81a4d1a61..19f0b2ab1 100644
+--- a/policy/modules/kernel/storage.if
++++ b/policy/modules/kernel/storage.if
+@@ -547,6 +547,36 @@ interface(`storage_read_scsi_generic',`
+ typeattribute $1 scsi_generic_read;
+ ')
+
++########################################
++## <summary>
++## Allow the caller to directly read, in a
++## generic fashion, from any SCSI device
++## if a tunable is set.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="tunable">
++## <summary>
++## Tunable to depend on
++## </summary>
++## </param>
++#
++interface(`storage_read_scsi_generic_cond',`
++ gen_require(`
++ attribute scsi_generic_read;
++ type scsi_generic_device_t;
++ ')
++
++ typeattribute $1 scsi_generic_read;
++ tunable_policy(`$2',`
++ dev_list_all_dev_nodes($1)
++ allow $1 scsi_generic_device_t:chr_file read_chr_file_perms;
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the caller to directly write, in a
+@@ -572,6 +602,36 @@ interface(`storage_write_scsi_generic',`
+ typeattribute $1 scsi_generic_write;
+ ')
+
++########################################
++## <summary>
++## Allow the caller to directly write, in a
++## generic fashion, from any SCSI device
++## if a tunable is set.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++## <param name="tunable">
++## <summary>
++## Tunable to depend on
++## </summary>
++## </param>
++#
++interface(`storage_write_scsi_generic_cond',`
++ gen_require(`
++ attribute scsi_generic_write;
++ type scsi_generic_device_t;
++ ')
++
++ typeattribute $1 scsi_generic_write;
++ tunable_policy(`$2',`
++ dev_list_all_dev_nodes($1)
++ allow $1 scsi_generic_device_t:chr_file write_chr_file_perms;
++ ')
++')
++
+ ########################################
+ ## <summary>
+ ## Allow the caller to delete the generic
+diff --git a/policy/modules/services/tee_supplicant.fc b/policy/modules/services/tee_supplicant.fc
+index 41b654268..73c5022c4 100644
+--- a/policy/modules/services/tee_supplicant.fc
++++ b/policy/modules/services/tee_supplicant.fc
+@@ -1,2 +1,4 @@
+ /usr/bin/qtee_supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0)
+ /usr/sbin/tee-supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0)
++
++/var/lib/tee(/.*)? gen_context(system_u:object_r:tee_supplicant_var_lib_t,s0)
+diff --git a/policy/modules/services/tee_supplicant.if b/policy/modules/services/tee_supplicant.if
+index e22a531f5..5274d1e2c 100644
+--- a/policy/modules/services/tee_supplicant.if
++++ b/policy/modules/services/tee_supplicant.if
+@@ -1,5 +1,5 @@
+ ## <summary>tee_supplicant</summary>
+-#
++##
+ ## <desc>
+ ## qtee_supplicant is a userspace supplicant daemon that
+ ## services callback requests from QTEE via the Linux TEE subsystem.
+@@ -8,3 +8,23 @@
+ ##
+ ## https://github.com/qualcomm/minkipc/tree/main/qtee_supplicant
+ ## </desc>
++
++#####################
++## <summary>
++## Allow the specified domain to create
++## objects in /var/lib with an automatic
++## transition to the tee_supplicant var lib type.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed access.
++## </summary>
++## </param>
++#
++interface(`tee_supplicant_var_lib_filetrans',`
++ gen_require(`
++ type tee_supplicant_var_lib_t;
++ ')
++
++ files_var_lib_filetrans($1, tee_supplicant_var_lib_t, dir, "qtee_supplicant")
++')
+diff --git a/policy/modules/services/tee_supplicant.te b/policy/modules/services/tee_supplicant.te
+index 0e0b67bc2..ab0cc2e8c 100644
+--- a/policy/modules/services/tee_supplicant.te
++++ b/policy/modules/services/tee_supplicant.te
+@@ -5,12 +5,20 @@ policy_module(tee_supplicant)
+ # Declarations
+ #
+
++## <desc>
++## <p>
++## Enable rules specific to qtee_supplicant.
++## </p>
++## </desc>
++gen_tunable(tee_supplicant_qtee, false)
++
+ type tee_supplicant_t;
+ type tee_supplicant_exec_t;
+ init_daemon_domain(tee_supplicant_t, tee_supplicant_exec_t)
+
+ type tee_supplicant_var_lib_t;
+ files_type(tee_supplicant_var_lib_t)
++files_mountpoint(tee_supplicant_var_lib_t)
+
+ #########################################
+ #
+@@ -25,3 +33,34 @@ dev_rw_tee(tee_supplicant_t)
+ dev_rw_tee_priv(tee_supplicant_t)
+
+ kernel_read_vm_overcommit_sysctl(tee_supplicant_t)
++
++# Access qtee_supplicant to access UFS BSG device
++storage_read_scsi_generic_cond(tee_supplicant_t,tee_supplicant_qtee)
++storage_write_scsi_generic_cond(tee_supplicant_t,tee_supplicant_qtee)
++
++tunable_policy(`tee_supplicant_qtee',`
++
++ # Access qtee_supplicant to request sys_rawio capability
++ allow tee_supplicant_t self:capability sys_rawio;
++
++ # Allow qtee_supplicant to block system suspend by wake_lock
++ allow tee_supplicant_t self:capability2 block_suspend;
++
++ # Access qtee_supplicant to open/read /sys/firmware/devicetree/base/compatible
++ dev_read_sysfs(tee_supplicant_t)
++
++ # Access qtee_supplicant to write /sys/power/wake_lock
++ dev_write_sysfs(tee_supplicant_t)
++
++ # Access tee_supplicant to read /var
++ files_list_var(tee_supplicant_t)
++
++ # Access qtee_supplicant to visit /var/lib
++ files_list_var_lib(tee_supplicant_t)
++
++ # Access qtee_supplicant to access /proc/cmdline
++ kernel_read_system_state(tee_supplicant_t)
++
++ # Access qtee_supplicant to send logs to systemd journal
++ logging_send_syslog_msg(tee_supplicant_t)
++')
+diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
+index cb9c3d97a..141095ac8 100644
+--- a/policy/modules/system/init.te
++++ b/policy/modules/system/init.te
+@@ -1523,6 +1523,10 @@ optional_policy(`
+ sysnet_read_dhcpc_state(initrc_t)
+ ')
+
++optional_policy(`
++ tee_supplicant_var_lib_filetrans(initrc_t)
++')
++
+ optional_policy(`
+ udev_manage_runtime_files(initrc_t)
+ udev_manage_runtime_dirs(initrc_t)
+diff --git a/testing/sechecker.ini b/testing/sechecker.ini
+index 865a3cf8b..ab62696f2 100644
+--- a/testing/sechecker.ini
++++ b/testing/sechecker.ini
+@@ -221,6 +221,7 @@ exempt_source = abrt_t # Conditional access (allow_raw_memory_acces
+ sosreport_t # Conditional access (allow_raw_memory_access)
+ spc_t
+ sysadm_t # System admin role
++ tee_supplicant_t # Access qtee_supplicant to request sys_rawio capability
+ udev_t
+ vbetool_t # Conditional access (allow_raw_memory_access)
+ vmware_t
+--
+2.43.0
+
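Review bot: The file-context entry and the name-based transition in the embedded patch do not agree: tee_supplicant.fc labels `/var/lib/tee(/.*)?` as tee_supplicant_var_lib_t, while `tee_supplicant_var_lib_filetrans` has initrc_t create `/var/lib/qtee_supplicant` with that type, so a relabel (setfiles/restorecon) would revert `/var/lib/qtee_supplicant` to var_lib_t and `/var/lib/tee` never receives the transition. Unless the two paths are deliberately distinct (the `files_mountpoint` call suggests one of them may be a mount), add `/var/lib/qtee_supplicant(/.*)? gen_context(system_u:object_r:tee_supplicant_var_lib_t,s0)` to the .fc or use "tee" as the filetrans name. The `files_mountpoint(tee_supplicant_var_lib_t)` line carries no comment saying what is expected to be mounted on that directory, which a reader of the .te cannot infer. In sechecker.ini the exemption comment should follow its neighbours and name the condition, e.g. `tee_supplicant_t # Conditional access (tee_supplicant_qtee)`, and the `dev_write_sysfs` call grants write to all of sysfs rather than only the /sys/power/wake_lock node its comment mentions, which is worth stating explicitly next to the call.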
@@ -74,6 +74,7 @@ SRC_URI += " \
file://0056-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+ file://0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch \
"
S = "${UNPACKDIR}/refpolicy"
Signed-off-by: Wenjia Zhang <wenjia.zhang@oss.qualcomm.com>
---
 ...dd-necessary-SELinux-policy-for-qtee.patch | 236 ++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 2 files changed, 237 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch