kitakami-common: sepolicy: A few little changes.

Change-Id: I23d1c60712228b6d1f945c8b820ab0f952ef9b03

kitakami-common: sepolicy: A few little changes.
Change-Id: I23d1c60712228b6d1f945c8b820ab0f952ef9b03
8e9e444f · Bernhard Thoben · d21521d5 · 8e9e444f · 8e9e444f · 8e9e444f
Commit 8e9e444f authored Sep 30, 2021 by Bernhard Thoben
--- a/sepolicy/vendor/charger.te
+++ b/sepolicy/vendor/charger.te
 allow charger device:dir r_dir_perms;
 allow charger self:capability { dac_override dac_read_search };
 allow charger sysfs_battery_supply:file r_file_perms;
-allow charger sysfs:file { open read getattr };
+allow charger sysfs:file r_file_perms;
 allow charger sysfs_usb_supply:file r_file_perms;
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -16,5 +16,4 @@ allow hal_fingerprint_default sysfs_battery_supply:dir search;
 allow hal_fingerprint_default sysfs_battery_supply:file r_file_perms;
 allow hal_fingerprint_default system_data_file:dir create_dir_perms;
 allow hal_fingerprint_default system_data_file:sock_file create_file_perms;
-allow hal_fingerprint_default tee_device:chr_file ioctl;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
--- a/sepolicy/vendor/init-power-sh.te
+++ b/sepolicy/vendor/init-power-sh.te
+# init-power-sh service
 type init-power-sh, domain;
 type init-power-sh_exec, exec_type, file_type;


--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -2,7 +2,7 @@ allow init block_device:blk_file setattr;
 allow init cameraserver:fd use;
 allow init debugfs:file w_file_perms;
 allow init diag_data_file:dir mounton;
-allow init diag_data_file:file { lock rename };
+allow init diag_data_file:file create_file_perms;
 allow init diag_data_file:sock_file write;
 allow init fingerprintd_data_file:file rename;
 allow init hal_drm_hwservice:hwservice_manager add;

--- a/sepolicy/vendor/loc_launcher.te
+++ b/sepolicy/vendor/loc_launcher.te
@@ -2,6 +2,7 @@
 type loc_launcher, domain;
 type loc_launcher_exec, exec_type, file_type;

+# Started by init
 init_daemon_domain(loc_launcher)

 allow loc_launcher location_data_file:dir rw_dir_perms;

--- a/sepolicy/vendor/mlog_qmi_service.te
+++ b/sepolicy/vendor/mlog_qmi_service.te
@@ -7,7 +7,6 @@ init_daemon_domain(mlog_qmi_service)

 # Allow mlog_qmi_service to create self:socket
 allow mlog_qmi_service self:socket create_socket_perms;
-allow mlog_qmi_service self:socket { create read write };
 allowxperm mlog_qmi_service self:socket ioctl msm_sock_ipc_ioctls;

 # Allow mlog_qmi_service to use net_raw capability

--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -15,6 +15,5 @@ allow rild servicemanager:binder call;
 allow rild socket_device:sock_file write;
 allow rild tad_socket:sock_file write;
 allow rild tad:unix_stream_socket connectto;
-allow rild tee_device:chr_file ioctl;
 allow rild tee_device:chr_file rw_file_perms;
 allow rild vendor_file:file ioctl;
--- a/sepolicy/vendor/sensors.te
+++ b/sepolicy/vendor/sensors.te
@@ -2,5 +2,5 @@ allow sensors device:dir w_dir_perms;
 allow sensors input_device:chr_file { relabelfrom getattr link };
 allow sensors input_device:dir search;
 allow sensors sysfs:file r_file_perms;
-allow sensors tad_socket:sock_file { write };
+allow sensors tad_socket:sock_file write;
 allow sensors tmpfs:file rw_file_perms;
--- a/sepolicy/vendor/timekeep.te
+++ b/sepolicy/vendor/timekeep.te
@@ -16,9 +16,9 @@ allow timekeep self:capability {
    dac_override
    dac_read_search
 };
-allow timekeep timekeep_data_file:file create_file_perms;
-allow timekeep timekeep_data_file:dir create_dir_perms;
-allow timekeep time_data_file:dir create_dir_perms;
-allow timekeep time_data_file:file create_file_perms;
 allow timekeep sysfs:file r_file_perms;
 allow timekeep sysfs_rtc:dir search;
+allow timekeep time_data_file:dir create_dir_perms;
+allow timekeep time_data_file:file create_file_perms;
+allow timekeep timekeep_data_file:dir create_dir_perms;
+allow timekeep timekeep_data_file:file create_file_perms;