From 5514002beff693a696574ff056ba9b52d4401b72 Mon Sep 17 00:00:00 2001
From: clarencelol
Date: Sat, 24 Jul 2021 08:08:47 +0000
Subject: [PATCH] sdm660-common: Cleanup sepolicy

* Fix neverallows

Signed-off-by: clarencelol
Signed-off-by: pix106
---
 sepolicy/vendor/hal_power_stats_default.te | 16 +---------------
 sepolicy/vendor/netutils_wrapper.te | 3 ++-
 sepolicy/vendor/zygote.te | 2 --
 3 files changed, 3 insertions(+), 18 deletions(-)

diff --git a/sepolicy/vendor/hal_power_stats_default.te b/sepolicy/vendor/hal_power_stats_default.te
index 2f45c6a8..1080e249 100644
--- a/sepolicy/vendor/hal_power_stats_default.te
+++ b/sepolicy/vendor/hal_power_stats_default.te
@@ -1,17 +1,3 @@
 allow hal_power_stats_default sysfs:dir { open read };
-allow hal_power_stats_default sysfs:file open;
+allow hal_power_stats_default sysfs:file { open read };
 allow hal_power_stats_default sysfs_kgsl:file { r_file_perms getattr };
-
-# Needed to traverse odpm files
-r_dir_file(hal_power_stats_default, sysfs_iio_devices)
-
-# Needed to traverse platform low power stats
-r_dir_file(hal_power_stats_default, sysfs_power_stats)
-
-# The following folders are incidentally accessed by hal_power_stats_default and are not needed.
-dontaudit hal_power_stats_default sysfs_power_stats_ignore:dir r_dir_perms;
-dontaudit hal_power_stats_default sysfs_power_stats_ignore:file r_file_perms;
-dontaudit hal_power_stats_default sysfs:file { open read };
-
-vndbinder_use(hal_power_stats)
-add_service(hal_power_stats_server, power_stats_service)
diff --git a/sepolicy/vendor/netutils_wrapper.te b/sepolicy/vendor/netutils_wrapper.te
index 439eec2e..8d798c20 100644
--- a/sepolicy/vendor/netutils_wrapper.te
+++ b/sepolicy/vendor/netutils_wrapper.te
@@ -1 +1,2 @@
-allow netutils_wrapper netutils_wrapper:capability { kill };
+dontaudit netutils_wrapper kernel:system module_request;
+dontaudit netutils_wrapper self:capability { sys_module sys_admin };
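Review bot: The new rule `allow hal_power_stats_default sysfs:file { open read };` grants read on every node carrying the generic `sysfs` label, and with the `sysfs_power_stats` and `sysfs_iio_devices` rules deleted in the same hunk that generic label is now the only path to the stats the HAL reads, so the permission is wider than the specific types it replaces. If the nodes this HAL reads can be given their own type in `genfs_contexts`, an allow on that type keeps the grant minimal; if not, a comment naming what is read, e.g. `# Reads power-stat nodes under /sys that still carry the generic sysfs label`, lets the next reader judge the width. I cannot tell from the hunk whether the removed `vndbinder_use(hal_power_stats)` and `add_service(hal_power_stats_server, power_stats_service)` lines are already supplied by the platform policy; if they are not, the HAL will no longer be able to register `power_stats_service`, which is worth confirming on a device before merging.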
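Review bot: The two new `dontaudit` rules silence `module_request` and the `sys_module`/`sys_admin` capability denials without recording why netutils_wrapper triggers them, so a later reader cannot tell whether the suppressed access is harmless noise or a sign of a netfilter module that is genuinely missing. A one-line comment above them should carry the cause, e.g. `# iptables tries to autoload netfilter modules that are built into the kernel; the request is harmless, only noisy` — adjust to the actual cause if it differs. Dropping the `kill` capability allow is presumably the neverallow fix the subject refers to; if netutils_wrapper does still need to signal a child, that denial will now appear in the audit log, which is the right place for it to surface rather than being pre-emptively granted.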
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
index ad4286d3..75678453 100644
--- a/sepolicy/vendor/zygote.te
+++ b/sepolicy/vendor/zygote.te
@@ -1,4 +1,2 @@
-allow zygote exported_camera_prop:file { open read getattr write };
-
 get_prop(zygote, exported_camera_prop)
 allow zygote unlabeled:dir { search };