From patchwork Tue May 19 06:55:18 2026
X-Patchwork-Submitter: Wenjia Zhang
X-Patchwork-Id: 88342
From: Wenjia Zhang
To: yocto-patches@lists.yoctoproject.org
Subject: [meta-selinux][PATCH] [meta-selinux][PATCH] Added the necessary policy for domain tee_supplicant_t.
Date: Tue, 19 May 2026 12:25:18 +0530
Message-Id: <20260519065518.1865892-1-wenjia.zhang@oss.qualcomm.com>
X-Mailer: git-send-email 2.34.1
MIME-Version: 1.0
X-Groupsio-URL: https://lists.yoctoproject.org/g/yocto-patches/message/4001
Signed-off-by: Wenjia Zhang --- ...dd-necessary-SELinux-policy-for-qtee.patch | 236 ++++++++++++++++++ .../refpolicy/refpolicy_common.inc | 1 + 2 files changed, 237 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy/0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch diff --git a/recipes-security/refpolicy/refpolicy/0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch b/recipes-security/refpolicy/refpolicy/0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch new file mode 100644 index 0000000..cf1f56f --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch 
@@ -0,0 +1,236 @@ +From dbe6da2881241745b8cc6286e74cb801c3945ae3 Mon Sep 17 00:00:00 2001 +From: Wenjia Zhang +Date: Thu, 16 Apr 2026 11:38:59 +0800 +Subject: [PATCH] tee_supplicant: Add necessary SELinux policy for + qtee_supplicant + +This change is adding some interfaces for qtee_supplicant which requires +more permissions than OPTEE's tee_supplicant. + +Overall, some necessary permissions for qtee_supplicant to accessing +system resources have been added. + +Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1105] + +Signed-off-by: Wenjia Zhang +--- + policy/modules/kernel/storage.if | 60 +++++++++++++++++++++++ + policy/modules/services/tee_supplicant.fc | 2 + + policy/modules/services/tee_supplicant.if | 22 ++++++++- + policy/modules/services/tee_supplicant.te | 39 +++++++++++++++ + policy/modules/system/init.te | 4 ++ + testing/sechecker.ini | 1 + + 6 files changed, 127 insertions(+), 1 deletion(-) + +diff --git a/policy/modules/kernel/storage.if b/policy/modules/kernel/storage.if +index 81a4d1a61..19f0b2ab1 100644 +--- a/policy/modules/kernel/storage.if ++++ b/policy/modules/kernel/storage.if +@@ -547,6 +547,36 @@ interface(`storage_read_scsi_generic',` + typeattribute $1 scsi_generic_read; + ') + ++######################################## ++## ++## Allow the caller to directly read, in a ++## generic fashion, from any SCSI device ++## if a tunable is set. ++## ++## ++## ++## Domain allowed access. 
++## ++## ++## ++## ++## Tunable to depend on ++## ++## ++# ++interface(`storage_read_scsi_generic_cond',` ++ gen_require(` ++ attribute scsi_generic_read; ++ type scsi_generic_device_t; ++ ') ++ ++ typeattribute $1 scsi_generic_read; ++ tunable_policy(`$2',` ++ dev_list_all_dev_nodes($1) ++ allow $1 scsi_generic_device_t:chr_file read_chr_file_perms; ++ ') ++') ++ + ######################################## + ## + ## Allow the caller to directly write, in a +@@ -572,6 +602,36 @@ interface(`storage_write_scsi_generic',` + typeattribute $1 scsi_generic_write; + ') + ++######################################## ++## ++## Allow the caller to directly write, in a ++## generic fashion, from any SCSI device ++## if a tunable is set. ++## ++## ++## ++## Domain allowed access. ++## ++## ++## ++## ++## Tunable to depend on ++## ++## ++# ++interface(`storage_write_scsi_generic_cond',` ++ gen_require(` ++ attribute scsi_generic_write; ++ type scsi_generic_device_t; ++ ') ++ ++ typeattribute $1 scsi_generic_write; ++ tunable_policy(`$2',` ++ dev_list_all_dev_nodes($1) ++ allow $1 scsi_generic_device_t:chr_file write_chr_file_perms; ++ ') ++') ++ + ######################################## + ## + ## Allow the caller to delete the generic +diff --git a/policy/modules/services/tee_supplicant.fc b/policy/modules/services/tee_supplicant.fc +index 41b654268..73c5022c4 100644 +--- a/policy/modules/services/tee_supplicant.fc ++++ b/policy/modules/services/tee_supplicant.fc +@@ -1,2 +1,4 @@ + /usr/bin/qtee_supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0) + /usr/sbin/tee-supplicant -- gen_context(system_u:object_r:tee_supplicant_exec_t,s0) ++ ++/var/lib/tee(/.*)? 
gen_context(system_u:object_r:tee_supplicant_var_lib_t,s0) +diff --git a/policy/modules/services/tee_supplicant.if b/policy/modules/services/tee_supplicant.if +index e22a531f5..5274d1e2c 100644 +--- a/policy/modules/services/tee_supplicant.if ++++ b/policy/modules/services/tee_supplicant.if +@@ -1,5 +1,5 @@ + ## tee_supplicant +-# ++## + ## + ## qtee_supplicant is a userspace supplicant daemon that + ## services callback requests from QTEE via the Linux TEE subsystem. +@@ -8,3 +8,23 @@ + ## + ## https://github.com/qualcomm/minkipc/tree/main/qtee_supplicant + ## ++ ++##################### ++## ++## Allow the specified domain to create ++## objects in /var/lib with an automatic ++## transition to the tee_supplicant var lib type. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`tee_supplicant_var_lib_filetrans',` ++ gen_require(` ++ type tee_supplicant_var_lib_t; ++ ') ++ ++ files_var_lib_filetrans($1, tee_supplicant_var_lib_t, dir, "qtee_supplicant") ++') +diff --git a/policy/modules/services/tee_supplicant.te b/policy/modules/services/tee_supplicant.te +index 0e0b67bc2..ab0cc2e8c 100644 +--- a/policy/modules/services/tee_supplicant.te ++++ b/policy/modules/services/tee_supplicant.te +@@ -5,12 +5,20 @@ policy_module(tee_supplicant) + # Declarations + # + ++## ++##

++## Enable rules specific to qtee_supplicant. ++##

++##
++gen_tunable(tee_supplicant_qtee, false) ++ + type tee_supplicant_t; + type tee_supplicant_exec_t; + init_daemon_domain(tee_supplicant_t, tee_supplicant_exec_t) + + type tee_supplicant_var_lib_t; + files_type(tee_supplicant_var_lib_t) ++files_mountpoint(tee_supplicant_var_lib_t) + + ######################################### + # +@@ -25,3 +33,34 @@ dev_rw_tee(tee_supplicant_t) + dev_rw_tee_priv(tee_supplicant_t) + + kernel_read_vm_overcommit_sysctl(tee_supplicant_t) ++ ++# Access qtee_supplicant to access UFS BSG device ++storage_read_scsi_generic_cond(tee_supplicant_t,tee_supplicant_qtee) ++storage_write_scsi_generic_cond(tee_supplicant_t,tee_supplicant_qtee) ++ ++tunable_policy(`tee_supplicant_qtee',` ++ ++ # Access qtee_supplicant to request sys_rawio capability ++ allow tee_supplicant_t self:capability sys_rawio; ++ ++ # Allow qtee_supplicant to block system suspend by wake_lock ++ allow tee_supplicant_t self:capability2 block_suspend; ++ ++ # Access qtee_supplicant to open/read /sys/firmware/devicetree/base/compatible ++ dev_read_sysfs(tee_supplicant_t) ++ ++ # Access qtee_supplicant to write /sys/power/wake_lock ++ dev_write_sysfs(tee_supplicant_t) ++ ++ # Access tee_supplicant to read /var ++ files_list_var(tee_supplicant_t) ++ ++ # Access qtee_supplicant to visit /var/lib ++ files_list_var_lib(tee_supplicant_t) ++ ++ # Access qtee_supplicant to access /proc/cmdline ++ kernel_read_system_state(tee_supplicant_t) ++ ++ # Access qtee_supplicant to send logs to systemd journal ++ logging_send_syslog_msg(tee_supplicant_t) ++') +diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te +index cb9c3d97a..141095ac8 100644 +--- a/policy/modules/system/init.te ++++ b/policy/modules/system/init.te +@@ -1523,6 +1523,10 @@ optional_policy(` + sysnet_read_dhcpc_state(initrc_t) + ') + ++optional_policy(` ++ tee_supplicant_var_lib_filetrans(initrc_t) ++') ++ + optional_policy(` + udev_manage_runtime_files(initrc_t) + udev_manage_runtime_dirs(initrc_t) +diff 
--git a/testing/sechecker.ini b/testing/sechecker.ini +index 865a3cf8b..ab62696f2 100644 +--- a/testing/sechecker.ini ++++ b/testing/sechecker.ini +@@ -221,6 +221,7 @@ exempt_source = abrt_t # Conditional access (allow_raw_memory_acces + sosreport_t # Conditional access (allow_raw_memory_access) + spc_t + sysadm_t # System admin role ++ tee_supplicant_t # Access qtee_supplicant to request sys_rawio capability + udev_t + vbetool_t # Conditional access (allow_raw_memory_access) + vmware_t +-- +2.43.0 + diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 014714c..6154211 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc @@ -74,6 +74,7 @@ SRC_URI += " \ file://0056-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \ file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \ file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \ + file://0059-tee_supplicant-Add-necessary-SELinux-policy-for-qtee.patch \ " S = "${UNPACKDIR}/refpolicy"
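Review bot: In the storage.if hunk, the summary of storage_write_scsi_generic_cond reads "Allow the caller to directly write, in a generic fashion, from any SCSI device"; it was copied from the read interface and should say "to any SCSI device". Both new interfaces also deserve a one-line comment explaining that `typeattribute $1 scsi_generic_read;` (and the write counterpart) sits outside `tunable_policy` because attribute assignment cannot be conditional: the caller is a member of scsi_generic_read/scsi_generic_write even with the tunable off and only the `allow ... scsi_generic_device_t:chr_file` rules are gated, which anyone auditing those attributes will otherwise take for a mistake.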
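Review bot: The tee_supplicant.fc hunk labels `/var/lib/tee(/.*)?` as tee_supplicant_var_lib_t, but the tee_supplicant_var_lib_filetrans interface added in tee_supplicant.if names the directory `qtee_supplicant`, so /var/lib/qtee_supplicant gets the type only at creation time and has no matching file context: `restorecon -R /var/lib` or a `setfiles` pass will put it back to var_lib_t. Either add a `/var/lib/qtee_supplicant(/.*)?` entry here or change the filetrans name to `tee` so the two agree.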
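Review bot: In the tee_supplicant.if hunk the separator above the new interface is a short run of `#` instead of the 40-character `########################################` used by the rest of the file and by the storage.if hunk of this same patch; please match it. The summary says "create objects in /var/lib" while the interface only transitions the `dir` class; "create a directory in /var/lib" describes the rule accurately.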
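Review bot: In the tee_supplicant.te declarations hunk, `files_mountpoint(tee_supplicant_var_lib_t)` is added unconditionally and neither the hunk nor the commit message says what is mounted on /var/lib/tee. Add a comment naming the mount; if it is only needed on QTEE systems, say so too, since files_mountpoint assigns an attribute and therefore cannot be placed under the new tee_supplicant_qtee tunable, so the unconditional placement needs to be visibly deliberate.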
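Review bot: In the `tunable_policy(`tee_supplicant_qtee'` block of tee_supplicant.te, `dev_write_sysfs(tee_supplicant_t)` grants write to every sysfs_t file, much wider than the `/sys/power/wake_lock` named in the comment, and it sits beside `self:capability sys_rawio`, which together with the conditional scsi_generic_write access gives the domain raw command access to the UFS BSG device; the commit message should state why the full sysfs write is needed rather than a narrower label. `files_list_var`, `files_list_var_lib`, `kernel_read_system_state` and `logging_send_syslog_msg` are ordinary daemon permissions rather than QTEE-specific ones; if the OP-TEE tee-supplicant also logs through syslog it will be denied with the boolean off, so consider moving those four above the tunable block. Two nits: the comment `# Access tee_supplicant to read /var` should use `qtee_supplicant` like its neighbours, and `storage_read_scsi_generic_cond(tee_supplicant_t,tee_supplicant_qtee)` is missing the space after the comma that refpolicy uses elsewhere.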
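Review bot: The init.te hunk adds `tee_supplicant_var_lib_filetrans(initrc_t)`, which assumes an init script running as initrc_t creates /var/lib/qtee_supplicant, but the commit message does not say what creates it. If a systemd-tmpfiles entry does, the transition belongs on the tmpfiles domain, and if qtee_supplicant creates it itself the call belongs on tee_supplicant_t in tee_supplicant.te (which would also need manage rights on tee_supplicant_var_lib_t; none of this patch's hunks add any). Please name the creator in the commit message so the domain can be checked.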
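Review bot: In the sechecker.ini hunk, the exemption comment `tee_supplicant_t # Access qtee_supplicant to request sys_rawio capability` does not follow the neighbouring entries, which name the gating boolean, e.g. `vbetool_t # Conditional access (allow_raw_memory_access)`. Since the sys_rawio rule is inside `tunable_policy(`tee_supplicant_qtee'`, write `tee_supplicant_t # Conditional access (tee_supplicant_qtee)`.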
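Review bot: The embedded patch carries `Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1105]`, but Backport is for a change already merged upstream and should cite the upstream commit or release it was taken from; a pull request URL is the form used with `Submitted`. If PR 1105 has not merged, change the status to Submitted; if it has, replace the URL with the merged commit id. The cover subject also carries the `[meta-selinux][PATCH]` prefix twice; one copy is enough.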