sdm660-common: sepolicy: Address many denials

sdm660-common: sepolicy: Address vendor_init persist_file read denial
avc: denied { read } for comm="init" name="persist" dev="mmcblk0p63" ino=47 scontext=u:r:vendor_init:s0 tcontext=u:object_r:persist_file:s0 tclass=lnk_file permissive=0

sdm660-common: sepolicy: Address tee persist_file read denial
avc: denied { read } for comm="qseecomd" name="persist" dev="mmcblk0p63" ino=47 scontext=u:r:tee:s0 tcontext=u:object_r:persist_file:s0 tclass=lnk_file permissive=0

sdm660-common: sepolicy: Address installd mnt_user_file denial
avc: denied { search } for comm="Binder:1018_6" name="0" dev="tmpfs" ino=5541 scontext=u:r:installd:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir permissive=0

sdm660-common: sepolicy: Address ssgtzd qipcrtr_socket denial

sdm660-common: sepolicy: Address platform_app denials
avc: denied { read } for comm="emui:screenshot" name="u:object_r:exported_audio_prop:s0" dev="tmpfs" ino=4254 scontext=u:r:platform_app:s0:c512,c768 tcontext=u:object_r:exported_audio_prop:s0 tclass=file permissive=0 app=com.android.systemui

sdm660-common: sepolicy: Address init sysfs_graphics denial
avc: denied { read } for comm="init" name="device" dev="sysfs" ino=44569 scontext=u:r:init:s0 tcontext=u:object_r:sysfs_graphics:s0 tclass=lnk_file permissive=0

sdm660-common: sepolicy: Address system_app sysfs_graphics denials
avc: denied { write } for comm="settings.device" name="max_brightness" dev="sysfs" ino=44572 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_graphics:s0 tclass=file permissive=0
avc: denied { open } for comm="settings.device" path="/sys/devices/platform/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/red/max_brightness" dev="sysfs" ino=44572 scontext=u:r:system_app:s0 tcontext=u:object_r:sysfs_graphics:s0 tclass=file permissive=0

sdm660-common: sepolicy: Address system_server sysfs_rtc denial
avc: denied { read } for comm="system_server" name="hctosys" dev="sysfs" ino=41512 scontext=u:r:system_server:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0

sdm660-common: sepolicy: Address gmscore_app getattr denials
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/linkerconfig" dev="tmpfs" ino=3474 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:linkerconfig_file:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/persist" dev="mmcblk0p63" ino=47 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:persist_file:s0 tclass=lnk_file permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/init" dev="mmcblk0p63" ino=28 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:init_exec:s0 tclass=lnk_file permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/metadata" dev="mmcblk0p63" ino=32 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:metadata_file:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/postinstall" dev="mmcblk0p63" ino=48 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:postinstall_mnt_dir:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/vendor/firmware_mnt" dev="mmcblk0p58" ino=1 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:firmware_file:s0 tclass=dir permissive=0 app=com.google.android.gms
avc: denied { getattr } for comm="CTION_IDLE_MODE" path="/vendor/firmware" dev="mmcblk0p64" ino=1216 scontext=u:r:gmscore_app:s0:c512,c768 tcontext=u:object_r:vendor_firmware_file:s0 tclass=dir permissive=0 app=com.google.android.gms

sdm660-common: sepolicy: Address vendor_mutualex create denial
avc: denied { create } for comm="mutualex" scontext=u:r:vendor_mutualex:s0 tcontext=u:r:vendor_mutualex:s0 tclass=qipcrtr_socket permissive=0

Signed-off-by: pix106 <sbordenave@gmail.com>

sepolicy/public/installd.te

@@ -0,0 +1 @@
+allow installd mnt_user_file:dir search;

sepolicy/public/platform_app.te

@@ -0,0 +1 @@
+get_prop(platform_app, exported_audio_prop)

sepolicy/vendor/gmscore_app.te

@@ -1,2 +1,6 @@
 binder_call(gmscore_app, hal_memtrack_default);
+
+allow gmscore_app { firmware_file linkerconfig_file metadata_file postinstall_mnt_dir vendor_firmware_file }:dir getattr;
+allow gmscore_app { init_exec persist_file }:lnk_file getattr;
+
 dontaudit gmscore_app { bt_firmware_file firmware_file }:filesystem getattr;

sepolicy/vendor/init.te

@@ -2,6 +2,7 @@ allow init adsprpcd_file:file mounton;
 allow init apex_metadata_file:lnk_file read;
 allow init socket_device:sock_file { unlink setattr create };
 allow init sysfs_graphics:file { read open };
+allow init sysfs_graphics:lnk_file read;
 allow init sysfs_battery_supply:file setattr;
 allow init vendor_default_prop:property_service set;
 

sepolicy/vendor/mutalex.te

@@ -4,3 +4,4 @@ type vendor_mutualex_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(vendor_mutualex)
 
 allow vendor_mutualex self:socket create_socket_perms_no_ioctl;
+allow vendor_mutualex self:qipcrtr_socket create;

sepolicy/vendor/ssgtzd.te

@@ -1 +1,2 @@
 allow ssgtzd self:socket create_socket_perms_no_ioctl;
+allow ssgtzd self:qipcrtr_socket create;

sepolicy/vendor/system_app.te

@@ -5,6 +5,7 @@ allow system_app proc_vmallocinfo:file read;
 allow system_app sysfs_vibrator:dir search;
 allow system_app sysfs_vibrator:file rw_file_perms;
 allow system_app sysfs_graphics:dir search;
+allow system_app sysfs_graphics:file rw_file_perms;
 allow system_app sysfs_leds:dir search;
 allow system_app sysfs_fpsinfo:file rw_file_perms;
 allow system_app sysfs_headphonegain:file rw_file_perms;

sepolicy/vendor/system_server.te

@@ -4,5 +4,6 @@ get_prop(system_server, vendor_video_prop)
 allow system_server app_zygote:process getpgid;
 allow system_server blkio_dev:dir search;
 allow system_server sysfs_battery_supply:file rw_file_perms;
+allow system_server sysfs_rtc:file read;
 
 dontaudit system_server sysfs:file { read open getattr };

sepolicy/vendor/tee.te

@@ -4,3 +4,4 @@ typeattribute tee data_between_core_and_vendor_violators;
 allow tee system_data_file:dir r_dir_perms;
 allow tee fingerprintd_data_file:dir rw_dir_perms;
 allow tee fingerprintd_data_file:file create_file_perms;
+allow tee persist_file:lnk_file r_file_perms;

sepolicy/vendor/vendor_init.te

@@ -7,6 +7,7 @@ allow vendor_init {
 }:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
 
 allow vendor_init tee_device:chr_file getattr;
+allow vendor_init persist_file:lnk_file read;
 
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, vendor_freq_prop)