kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.

Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc

kitakami-common: sepolicy: Labeled some more HALs and addressed them. General clean up.
Change-Id: I2bc5d3a4e90fcb4be3ae6374663be296368b3dfc
973e9db1 · Bernhard Thoben · e14474c4 · 973e9db1 · 973e9db1 · 973e9db1
Commit 973e9db1 authored Nov 21, 2020 by Bernhard Thoben
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
-allow system_app time_data_file:dir search;
-allow system_app timekeep_data_file:file { getattr open write };
-allow system_app timekeep_prop:file { getattr open };
-allow system_app timekeep_prop:property_service set;
-allow system_app timekeep_prop:file read;
-allow system_app sysfs_rtc:dir search;
-allow system_app time_data_file:file { getattr open write };
-allow system_app vendor_default_prop:property_service set;
 allow system_app apex_service:service_manager find;
 allow system_app proc_pagetypeinfo:file read;
+allow system_app sysfs_rtc:dir search;
 allow system_app sysfs_zram:dir search;
 allow system_app system_suspend_control_service:service_manager find;
+allow system_app time_data_file:dir search;
+allow system_app time_data_file:file rw_file_perms;
+allow system_app timekeep_data_file:file rw_file_perms;
+allow system_app timekeep_prop:file r_file_perms;
+allow system_app timekeep_prop:property_service set;
+allow system_app vendor_default_prop:property_service set;
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
+allow system_server default_android_service:service_manager find;
+allow system_server exfat:dir rw_dir_perms;
+allow system_server init:binder { call transfer };
+allow system_server perfd:unix_stream_socket connectto;
+allow system_server persist_file:dir rw_file_perms;
 allow system_server ppd:unix_stream_socket connectto;
 allow system_server pps_socket:sock_file write;
 allow system_server self:capability sys_module;
+allow system_server sensors_device:chr_file getattr;
+allow system_server sensors_socket:sock_file write;
+allow system_server sensors:unix_stream_socket connectto;
+allow system_server socket_device:sock_file write;
 allow system_server system_app_data_file:dir r_dir_perms;
 allow system_server ta_data_file:dir search;
 allow system_server ta_data_file:file r_file_perms;
-allow system_server persist_file:dir rw_file_perms;
-allow system_server perfd:unix_stream_socket connectto;
-allow system_server socket_device:sock_file write;
-allow system_server sensors:unix_stream_socket connectto;
-allow system_server sensors_device:chr_file getattr;
-allow system_server sensors_socket:sock_file write;
 allow system_server unlabeled:file unlink;
-allow system_server default_android_service:service_manager find;
-allow system_server init:binder { call transfer };
-allow system_server exfat:dir rw_dir_perms;
--- a/sepolicy/vendor/ta_qmi_service.te
+++ b/sepolicy/vendor/ta_qmi_service.te
@@ -13,12 +13,10 @@ allow ta_qmi_service self:capability { net_raw setgid setuid };

 # Allow ta_qmi_service to create self:socket
 allow ta_qmi_service self:socket create_socket_perms;
-allow ta_qmi_service self:socket { create read write };
 allowxperm ta_qmi_service self:socket ioctl msm_sock_ipc_ioctls;

 allow ta_qmi_service self:capability2 block_suspend;
 allow ta_qmi_service socket_device:sock_file write;
-allow ta_qmi_service sysfs_wake_lock:file { append open };
+allow ta_qmi_service sysfs_wake_lock:file w_file_perms;
 allow ta_qmi_service tad:unix_stream_socket connectto;
 allow ta_qmi_service tad_socket:sock_file write;
-allow ta_qmi_service secd_exec:file { getattr read };
--- a/sepolicy/vendor/tad.te
+++ b/sepolicy/vendor/tad.te
@@ -9,6 +9,6 @@ init_daemon_domain(tad)
 allow tad proc:file r_file_perms;

 # Allow tad to work it's magic
-allow tad trim_area_partition_device:blk_file { ioctl rw_file_perms };
 allow tad block_device:dir search;
 allow tad tmpfs:file rw_file_perms;
+allow tad trim_area_partition_device:blk_file rw_file_perms;
--- a/sepolicy/vendor/taimport.te
+++ b/sepolicy/vendor/taimport.te
@@ -5,11 +5,10 @@ type taimport_exec, exec_type, file_type;
 # Started by init
 init_daemon_domain(taimport)

-allow taimport tad_socket:sock_file { write };
-allow taimport ta_data_file:dir { read search write add_name create remove_name };
-allow taimport ta_data_file:file { read write create getattr open unlink};
+allow taimport init:unix_stream_socket connectto;
 allow taimport self:capability { dac_override setgid };
 allow taimport socket_device:sock_file write;
-allow taimport system_data_file:dir { add_name remove_name write };
-allow taimport init:unix_stream_socket connectto;
-allow taimport secd_exec:file { getattr read };
+allow taimport system_data_file:dir w_dir_perms;
+allow taimport ta_data_file:dir create_dir_perms;
+allow taimport ta_data_file:file create_file_perms;
+allow taimport tad_socket:sock_file write;
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -23,6 +23,5 @@ allow tee rpmb_device:blk_file rw_file_perms;
 allow tee ssd_device:blk_file rw_file_perms;

 allow tee system_data_file:dir r_dir_perms;
-allow tee vfat:file { getattr open read };
 allow tee vfat:dir search;
-allow tee secd_exec:file { getattr read };
+allow tee vfat:file r_file_perms;
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
-allow thermal-engine ta_data_file:dir search;
-allow thermal-engine ta_data_file:file r_file_perms;
-allow thermal-engine diag_partition_device:dir search;
 allow thermal-engine diag_data_file:dir search;
 allow thermal-engine diag_data_file:sock_file write;
-allow thermal-engine socket_device:sock_file { create setattr };
-allow thermal-engine init:unix_dgram_socket sendto;
+allow thermal-engine diag_partition_device:dir search;
 allow thermal-engine iddd:unix_dgram_socket sendto;
-allow thermal-engine secd_exec:file { getattr read };
+allow thermal-engine init:unix_dgram_socket sendto;
+allow thermal-engine socket_device:sock_file create_file_perms;
+allow thermal-engine ta_data_file:dir search;
+allow thermal-engine ta_data_file:file r_file_perms;
--- a/sepolicy/vendor/timekeep.te
+++ b/sepolicy/vendor/timekeep.te
@@ -17,9 +17,8 @@ allow timekeep self:capability {
    dac_read_search
 };
 allow timekeep timekeep_data_file:file create_file_perms;
-allow timekeep timekeep_data_file:dir { create_dir_perms search };
-allow timekeep time_data_file:dir { create_dir_perms search };
-allow timekeep time_data_file:file { write open getattr setattr };
-allow timekeep sysfs:file {read open };
+allow timekeep timekeep_data_file:dir create_dir_perms;
+allow timekeep time_data_file:dir create_dir_perms;
+allow timekeep time_data_file:file create_file_perms;
+allow timekeep sysfs:file r_file_perms;
 allow timekeep sysfs_rtc:dir search;
-allow timekeep secd_exec:file { getattr read };
--- a/sepolicy/vendor/tombstoned.te
+++ b/sepolicy/vendor/tombstoned.te
-allow tombstoned secd_exec:file { getattr read };
--- a/sepolicy/vendor/toolbox.te
+++ b/sepolicy/vendor/toolbox.te
-allow toolbox diag_data_file:dir { getattr open read remove_name rmdir write };
+allow toolbox diag_data_file:dir create_dir_perms;
+allow toolbox firmware_file:dir create_dir_perms;
 allow toolbox self:capability dac_override;
-allow toolbox diag_data_file:dir search;
-allow toolbox firmware_file:dir { open read rmdir write };
-allow toolbox firmware_file:dir search;
-allow toolbox secd_exec:file { getattr read };
--- a/sepolicy/vendor/tzdatacheck.te
+++ b/sepolicy/vendor/tzdatacheck.te
-allow tzdatacheck secd_exec:file { getattr read };
--- a/sepolicy/vendor/ueventd.te
+++ b/sepolicy/vendor/ueventd.te
@@ -2,8 +2,7 @@
 r_dir_file(ueventd, firmware_file)

 allow ueventd device:file relabelfrom;
-allow ueventd sysfs_camera_torch:file { open write };
-allow ueventd vfat:dir search;
-allow ueventd vfat:file { getattr open read };
 allow ueventd self:capability sys_nice;
-allow ueventd secd_exec:file { getattr read };
+allow ueventd sysfs_camera_torch:file rw_file_perms;
+allow ueventd vfat:dir search;
+allow ueventd vfat:file r_file_perms;
--- a/sepolicy/vendor/updatemiscta.te
+++ b/sepolicy/vendor/updatemiscta.te
@@ -9,6 +9,5 @@ unix_socket_connect(taimport, tad, tad)

 allow updatemiscta socket_device:sock_file write;
 allow updatemiscta tad:unix_stream_socket connectto;
-allow updatemiscta ta_prop:file { getattr open read };
 allow updatemiscta tad_socket:sock_file write;
-allow updatemiscta secd_exec:file { getattr read };
+allow updatemiscta ta_prop:file r_file_perms;
--- a/sepolicy/vendor/usbd.te
+++ b/sepolicy/vendor/usbd.te
-allow usbd secd_exec:file { getattr read };
--- a/sepolicy/vendor/vdc.te
+++ b/sepolicy/vendor/vdc.te
-allow vdc secd_exec:file { getattr read };
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
-allow vendor_init secd_exec:file { getattr read };
--- a/sepolicy/vendor/vndservicemanager.te
+++ b/sepolicy/vendor/vndservicemanager.te
-allow vndservicemanager secd_exec:file { getattr read };
--- a/sepolicy/vendor/vold.te
+++ b/sepolicy/vendor/vold.te
-allow vold diag_data_file:dir { read open ioctl };
+allow vold diag_data_file:dir r_dir_perms;
 allow vold firmware_file:dir search;
-allow vold firmware_file:file { getattr open read };
-allow vold secd_exec:file { getattr read };
-allow vold tee_prop:file { r_file_perms };
+allow vold firmware_file:file r_file_perms;
+allow vold tee_prop:file r_file_perms;
--- a/sepolicy/vendor/vold_prepare_subdirs.te
+++ b/sepolicy/vendor/vold_prepare_subdirs.te
-allow vold_prepare_subdirs secd_exec:file { getattr read };
--- a/sepolicy/vendor/wificond.te
+++ b/sepolicy/vendor/wificond.te
-allow wificond secd_exec:file { getattr read };