sdm660-common: sepolicy: address bunch of denials

* suppress bunch of capability denials, they are harmless and managed by aosp, if it should be fixed, aosp will do
* correct some typo

Signed-off-by: pix106 <sbordenave@gmail.com>

sepolicy/private/odrefresh.te

@@ -0,0 +1 @@
+dontaudit odrefresh self:capability { kill sys_admin };

sepolicy/private/profcollectd.te

@@ -0,0 +1 @@
+dontaudit profcollectd self:capability sys_admin;

sepolicy/vendor/dontaudit.te

@@ -3,10 +3,12 @@
 dontaudit untrusted_app ashmem_device:chr_file open;
 
 dontaudit adbd self:capability sys_admin;
+dontaudit blkid self:capability sys_admin;
 dontaudit blkid_untrusted self:capability sys_admin;
 dontaudit crash_dump self:capability sys_admin;
 dontaudit extra_free_kbytes self:capability sys_admin;
 dontaudit fsck self:capability sys_admin;
+dontaudit hal_usb_default self:capability sys_admin;
 dontaudit hal_wifi_supplicant_default self:capability sys_admin;
 dontaudit installd self:capability kill;
 dontaudit irsc_util self:capability sys_admin;
@@ -18,7 +20,8 @@ dontaudit thermal-engine self:capability sys_admin;
 dontaudit toolbox self:capability { kill sys_admin };
 dontaudit ueventd self:capability sys_admin;
 dontaudit usbd self:capability sys_admin;
-dontaudit vdc self:capability sys_admin;
+dontaudit vdc self:capability { kill sys_admin };
+dontaudit vendor_dpmd self:capability sys_admin;
 dontaudit vendor_init-qti-dcvs-sh self:capability sys_admin;
 dontaudit vendor_modprobe self:capability sys_admin;
 dontaudit vendor_msm_irqbalanced self:capability sys_admin;

sepolicy/vendor/file.te

@@ -2,6 +2,7 @@ type ir_dev_file, file_type;
 type public_adsprpcd_file, file_type;
 type sysfs_fingerprint, fs_type, sysfs_type;
 type sysfs_touchpanel, fs_type, sysfs_type;
+type sysfs_emmc_host, fs_type, sysfs_type;
 type thermal_data_file, file_type, data_file_type;
 type sysfs_info, fs_type, sysfs_type;
 

sepolicy/vendor/file_contexts

@@ -5,6 +5,9 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.3-service\.xiaomi_sdm660                             u:object_r:hal_fingerprint_sdm660_exec:s0
 /(vendor|system/vendor)/bin/init\.goodix\.sh                                                                                      u:object_r:hal_fingerprint_sdm660_exec:s0
 
+# Block
+/sys/devices/platform/soc/c0c4000.sdhci/mmc_host/mmc0/mmc0:0001/block/mmcblk0/mq/0/nr_tags(/.*)?                                  u:object_r:sysfs_emmc_host:s0
+
 # Camera
 /data/misc/camera                                                                                                                 u:object_r:camera_data_file:s0
 

sepolicy/vendor/hal_dpmQmiMgr.te

@@ -1 +1 @@
-allow hal_dpmQmiMgr sysfs:file { open  read };
+allow hal_dpmQmiMgr sysfs:file { open read };

sepolicy/vendor/hvdcp.te

@@ -1,2 +1,2 @@
 allow hvdcp vendor_sysfs_hvdcp:file r_file_perms;
-allow hvdcp sysfs:file { open  read getattr };
+allow hvdcp sysfs:file { open read getattr };

sepolicy/vendor/init.te

@@ -18,10 +18,11 @@ allow init bt_firmware_file:filesystem { getattr };
 allow init apex_metadata_file:lnk_file { read };
 
 # Vibrator
-allow init sysfs_leds: file { rw_file_perms };
+allow init sysfs_leds:file { rw_file_perms };
 
 allow init sysfs:file { setattr };
 allow init debugfs_tracing_debug:dir { mounton };
+allow init sysfs_emmc_host:file rw_file_perms;
 
 allow init system_file:file mounton;
 allow init {

sepolicy/vendor/system_app.te

@@ -19,6 +19,10 @@ allow system_app sysfs_zram:dir search;
 allow system_app sysfs_zram:file r_file_perms;
 allow system_app zygote:unix_stream_socket { getopt };
 
+# neverallow and harmless
+dontaudit system_app time_daemon:unix_stream_socket { connectto };
+
 get_prop(system_app, system_prop);
 set_prop(system_app, system_prop);
+get_prop(system_app, qemu_hw_prop);
 hal_client_domain(system_app, hal_mlipay);

sepolicy/vendor/vold.te

@@ -1,3 +1,5 @@
 allow vold sysfs_mmc_host:file write;
 allow vold sysfs_mmc_host:file create_file_perms;
 allow vold vendor_apex_file:file { getattr };
+allow vold mnt_vendor_file:dir { ioctl open read };
+allow vold cache_block_device:blk_file { getattr };