1allow tee drm_block_device:blk_file rw_file_perms; 2 3# tee starts as root, and drops privileges 4allow tee self:capability { setuid setgid }; 5 6# Need to directly minipulate certain block devices 7# for anti-rollback protection 8allow tee block_device:dir search; 9allow tee self:capability sys_rawio; 10allow tee drm_block_device:blk_file rw_file_perms; 11 12allow tee persist_file:dir r_dir_perms; 13r_dir_file(tee, persist_data_file) 14# Write to drm related pieces of persist partition 15allow tee persist_drm_file:dir create_dir_perms; 16allow tee persist_drm_file:file create_file_perms; 17