From b0fa4e9f5193715deca1c7dd70de9b402857d60b Mon Sep 17 00:00:00 2001
From: Max Weffers <rcstar6696@gmail.com>
Date: Wed, 15 Apr 2020 17:51:04 +0200
Subject: [PATCH] sdm660-common: sepolicy: Adress few denials

Change-Id: I45c7af8087a8495e4e7902d74f7811c2d40f5197
---
 sepolicy/vendor/device.te                 |  1 +
 sepolicy/vendor/file_contexts             |  3 +++
 sepolicy/vendor/hal_camera_default.te     |  1 +
 sepolicy/vendor/hal_fingerprint_sdm660.te | 14 ++++++++++++++
 sepolicy/vendor/init.te                   |  1 +
 sepolicy/vendor/system_app.te             |  1 +
 sepolicy/vendor/ueventd.te                |  1 +
 sepolicy/vendor/vendor_init.te            |  8 ++++++--
 sepolicy/vendor/vendor_toolbox.te         | 14 ++++++++++++++
 9 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/sepolicy/vendor/device.te b/sepolicy/vendor/device.te
index b84e726e..441f7134 100644
--- a/sepolicy/vendor/device.te
+++ b/sepolicy/vendor/device.te
@@ -1,2 +1,3 @@
 type fingerprint_device, dev_type;
 type spidev_device, dev_type;
+type blkio_dev, dev_type;
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index c290c128..652c0d0c 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,6 +1,9 @@
 # Biometric
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.xiaomi_sdm660   u:object_r:hal_fingerprint_sdm660_exec:s0
 
+# blkio
+/dev/blkio(/.*)?         u:object_r:blkio_dev:s0
+
 # Goodix Fingerprint
 /data/misc/gf_data(/.*)?                        u:object_r:fingerprint_data_file:s0
 /data/misc/goodix(/.*)?                         u:object_r:fingerprint_data_file:s0
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index 8d1d20fa..81c72a75 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -11,3 +11,4 @@ allow hal_camera_default camera_data_file:dir w_dir_perms;
 allow hal_camera_default camera_data_file:file create_file_perms;
 
 set_prop(hal_camera_default, vendor_camera_prop)
+allow hal_camera_default persist_camera_prop:file read;
diff --git a/sepolicy/vendor/hal_fingerprint_sdm660.te b/sepolicy/vendor/hal_fingerprint_sdm660.te
index 3e0fc21c..88ed9f97 100644
--- a/sepolicy/vendor/hal_fingerprint_sdm660.te
+++ b/sepolicy/vendor/hal_fingerprint_sdm660.te
@@ -21,6 +21,20 @@ allow hal_fingerprint_sdm660 fingerprint_data_file:file rw_file_perms;
 
 allow hal_fingerprint_sdm660 fingerprint_sysfs:file rw_file_perms;
 allow hal_fingerprint_sdm660 fingerprint_sysfs:dir r_dir_perms;
+allow hal_fingerprint_sdm660 fingerprint_sysfs:lnk_file read;
+allow hal_fingerprint_sdm660 sysfs_devfreq:file r_file_perms;
+allow hal_fingerprint_sdm660 system_data_file:file r_file_perms;
+allow hal_fingerprint_sdm660 sysfs_devfreq:dir search;
+allow hal_fingerprint_sdm660 sysfs_sectouch:dir search;
+
+allow hal_fingerprint_sdm660 persist_file:dir r_dir_perms;
+allow hal_fingerprint_sdm660 persist_fingerprint_file:file r_file_perms;
+
+allow hal_fingerprint_sdm660 mnt_user_file:dir search;
+allow hal_fingerprint_sdm660 mnt_user_file:lnk_file r_file_perms;
+allow hal_fingerprint_sdm660 sdcardfs:dir search;
+allow hal_fingerprint_sdm660 storage_file:dir search;
+allow hal_fingerprint_sdm660 storage_file:lnk_file read;
 
 allow hal_fingerprint_sdm660 hal_perf_hwservice:hwservice_manager find;
 allow hal_fingerprint_sdm660 rootfs:dir read;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index 4ad9f714..c91ef7c8 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -7,3 +7,4 @@ allow init vendor_default_prop:property_service set;
 allow init sysfs_info:file { open read };
 allow init sysfs:file setattr;
 allow init persist_block_device:lnk_file relabelto;
+allow init sysfs_graphics:file { open write };
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index e014d02e..25ae0677 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -9,5 +9,6 @@ allow system_app sysfs_thermal:file rw_file_perms;
 allow system_app sysfs_thermal:dir search;
 allow system_app sysfs_vibrator:file rw_file_perms;
 allow system_app sysfs_vibrator:dir search;
+allow system_app sysfs_leds:dir search;
 
 set_prop(system_app, system_prop);
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
index 77132cb6..af24dc13 100644
--- a/sepolicy/vendor/ueventd.te
+++ b/sepolicy/vendor/ueventd.te
@@ -4,3 +4,4 @@ allow ueventd kcal_dev:lnk_file r_file_perms;
 allow ueventd hall_dev:dir r_dir_perms;
 allow ueventd hall_dev:file rw_file_perms;
 allow ueventd hall_dev:lnk_file r_file_perms;
+allow ueventd metadata_file:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 7765ffa9..b996b03d 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -14,19 +14,23 @@ allow vendor_init media_rw_data_file:file { getattr relabelfrom };
 
 allow vendor_init rootfs:dir { add_name create setattr write };
 allow vendor_init persist_debug_prop:property_service set;
+allow vendor_init persist_debug_prop:file read;
 allow vendor_init persist_dpm_prop:property_service set;
 allow vendor_init qcom_ims_prop:property_service set;
 allow vendor_init thermal_engine_prop:property_service set;
 allow vendor_init vendor_ssr_prop:property_service set;
 allow vendor_init audio_prop:property_service set;
 allow vendor_init vendor_fp_prop:property_service set;
-allow vendor_init power_prop:property_service set;
 allow vendor_init reschedule_service_prop:property_service set;
 allow vendor_init bservice_prop:property_service set;
 
 allow vendor_init rootfs:dir { add_name write };
 allow vendor_init rootfs:lnk_file setattr;
-allow vendor_init fingerprint_data_file:dir setattr;
+allow vendor_init fingerprint_data_file:dir {setattr create};
+
+allow vendor_init blkio_dev:file write;
+allow vendor_init proc_dirty:file write;
+
 set_prop(vendor_init, camera_prop)
 set_prop(vendor_init, vendor_camera_prop)
 set_prop(vendor_init, freq_prop)
diff --git a/sepolicy/vendor/vendor_toolbox.te b/sepolicy/vendor/vendor_toolbox.te
index c210b4df..94e5ceb5 100644
--- a/sepolicy/vendor/vendor_toolbox.te
+++ b/sepolicy/vendor/vendor_toolbox.te
@@ -15,6 +15,7 @@ allow vendor_toolbox rootfs:dir r_dir_perms;
 allow vendor_toolbox {
     mnt_vendor_file
     persist_alarm_file
+    persist_audio_file
     persist_block_device
     persist_bluetooth_file
     persist_bms_file
@@ -37,3 +38,16 @@ allow vendor_toolbox {
     unlabeled
     vendor_persist_mmi_file
 }:dir { r_dir_perms setattr getattr};
+
+allow vendor_toolbox {
+    mnt_vendor_file
+    persist_alarm_file
+    persist_audio_file
+    persist_block_device
+    persist_bluetooth_file
+    persist_bms_file
+    persist_hvdcp_file
+    persist_time_file
+    regionalization_file
+    sensors_persist_file
+}:file { getattr};