From f882d4f46b119d05ed02bfb35d03507abe65df94 Mon Sep 17 00:00:00 2001
From: Tad
Date: Sat, 28 Sep 2019 10:57:48 -0400
Subject: [PATCH] audit2allow sepolicy

Change-Id: Ia1e82d78c0f6a59216ce62274ec678258a807ed7
---
 sepolicy/hal-nfc_default.te | 2 ++
 sepolicy/hal_bluetooth_default.te | 1 +
 sepolicy/hal_keymaster_default.te | 1 +
 sepolicy/healthd.te | 1 +
 sepolicy/init-power-sh.te | 5 +++++
 sepolicy/init.te | 13 +++++++++++++
 sepolicy/mm-qcamerad.te | 4 ++++
 sepolicy/qtelephony.te | 2 ++
 sepolicy/rild.te | 4 ++++
 sepolicy/rmt_storage.te | 1 +
 sepolicy/sensors.te | 1 +
 sepolicy/servicemanager.te | 3 +++
 sepolicy/system_app.te | 3 +++
 sepolicy/system_server.te | 3 +++
 sepolicy/toolbox.te | 1 +
 sepolicy/ueventd.te | 1 +
 16 files changed, 46 insertions(+)
 create mode 100644 sepolicy/hal-nfc_default.te
 create mode 100644 sepolicy/hal_bluetooth_default.te
 create mode 100644 sepolicy/hal_keymaster_default.te
 create mode 100644 sepolicy/qtelephony.te
 create mode 100644 sepolicy/servicemanager.te

diff --git a/sepolicy/hal-nfc_default.te b/sepolicy/hal-nfc_default.te
new file mode 100644
index 0000000..f4d0b78
--- /dev/null
+++ b/sepolicy/hal-nfc_default.te
@@ -0,0 +1,2 @@
+allow hal_nfc_default nfc_data_file:dir { add_name write };
+allow hal_nfc_default nfc_data_file:file { create open read write };
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..ec949d1
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1 @@
+allow hal_bluetooth_default mnt_vendor_file:file { open read };
diff --git a/sepolicy/hal_keymaster_default.te b/sepolicy/hal_keymaster_default.te
new file mode 100644
index 0000000..3aad282
--- /dev/null
+++ b/sepolicy/hal_keymaster_default.te
@@ -0,0 +1 @@
+allow hal_keymaster_default unlabeled:file { getattr open read };
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
index 114e7b7..74a252e 100644
--- a/sepolicy/healthd.te
+++ b/sepolicy/healthd.te
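Review bot: `allow hal_keymaster_default unlabeled:file { getattr open read };` grants the keymaster HAL access to any file that carries no label at all, which papers over a labeling gap instead of closing it. The avc denial this rule was generated from names the path; that path should get a type of its own (or the existing type of the partition it lives on) through file_contexts or a genfscon entry, and the allow should then be written against that type with `r_file_perms`, dropping the `unlabeled` rule. As written, every future file that ends up mislabeled on the device is automatically readable by a HAL that handles key material.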
@@ -1,3 +1,4 @@
 allow healthd sysfs_thermal:dir search;
 allow healthd sysfs_thermal:file { open read };
 allow healthd device:dir r_dir_perms;
+allow healthd sysfs:file { getattr open read };
diff --git a/sepolicy/init-power-sh.te b/sepolicy/init-power-sh.te
index c24dd3c..ba3cd05 100644
--- a/sepolicy/init-power-sh.te
+++ b/sepolicy/init-power-sh.te
@@ -31,3 +31,8 @@ allow init-power-sh rootfs:file { getattr open read };
 allow init-power-sh sysfs:dir { open read };
 allow init-power-sh sysfs:file getattr;
 allow init-power-sh sysfs:lnk_file getattr;
+
+allow init-power-sh file_contexts_file:file read;
+allow init-power-sh sysfs_cpu_boost:dir search;
+allow init-power-sh sysfs_cpu_boost:file { open write };
+allow init-power-sh sysfs_net:dir search;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 5ea8334..8424ed2 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -14,3 +14,16 @@ allow init sysfs_lowmemorykiller:file getattr;
 allow init sysfs_light:file setattr;
 allow init sysfs_power:file setattr;
 allow init system_data_file:file { rename append };
+allow init atfwd_service:service_manager find;
+allow init debugfs_rmt:dir relabelfrom;
+allow init debugfs_rmt:file relabelfrom;
+allow init hal_drm_hwservice:hwservice_manager add;
+allow init hal_light_hwservice:hwservice_manager add;
+allow init hidl_base_hwservice:hwservice_manager add;
+allow init mnt_vendor_file:dir mounton;
+allow init qmuxd:unix_stream_socket connectto;
+allow init qmuxd_socket:sock_file write;
+allow init servicemanager:binder call;
+allow init sysfs:file { open setattr write };
+allow init sysfs_devices_system_cpu:file write;
+allow init sysfs_graphics:file { open write };
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 79059bb..990fb2c 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
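Review bot: `allow init-power-sh file_contexts_file:file read;` is an odd thing for a power-tuning script to need and suggests it is invoking restorecon (or something that loads file_contexts) itself; if that is the case, the relabel belongs in the init .rc that launches the script (`restorecon` / `restorecon_recursive`) or in file_contexts, and this rule can go. The `sysfs_cpu_boost` and `sysfs_net` rules are scoped to specific sysfs types and look appropriate for this domain.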
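Review bot: `allow init servicemanager:binder call;`, the three `hwservice_manager add` rules and `allow init qmuxd:unix_stream_socket connectto;` describe a process that registers HAL services and talks to the Qualcomm QMI mux, which is not init's job; together they point to a service launched from an init .rc file without a `seclabel` or a domain transition, so it is running in the `init` domain and audit2allow is now granting init that process's permissions. AOSP's base policy keeps init off binder with neverallow rules, as far as I recall, so these lines are likely to fail the build as well as being far too broad if they do not. The fix is to identify that service, give its executable a type and its process a domain (`init_daemon_domain(...)`), and move the binder, hwservice, `atfwd_service` and qmuxd rules into that domain; the `servicemanager` rules elsewhere in this patch (`init:process getattr`, `init:file { open read }`) are the same symptom seen from the other side. `allow init sysfs:file { open setattr write };` should likewise be replaced by genfscon entries for the specific sysfs nodes init writes, since the bare `sysfs` type covers every node that has not been given a label.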
@@ -3,3 +3,7 @@ allow mm-qcamerad init:unix_stream_socket connectto;
 allow mm-qcamerad persist_file:dir { getattr open read search };
 allow mm-qcamerad persist_file:file { read open getattr };
 allow mm-qcamerad property_socket:sock_file write;
+allow mm-qcamerad mnt_vendor_file:dir search;
+allow mm-qcamerad mnt_vendor_file:file { getattr open read };
+allow mm-qcamerad vendor_data_file:dir { add_name remove_name write };
+allow mm-qcamerad vendor_data_file:sock_file { create unlink };
diff --git a/sepolicy/qtelephony.te b/sepolicy/qtelephony.te
new file mode 100644
index 0000000..c9d5a74
--- /dev/null
+++ b/sepolicy/qtelephony.te
@@ -0,0 +1,2 @@
+allow qtelephony atfwd_service:service_manager add;
+allow qtelephony radio_service:service_manager find;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index 732d94c..9970af5 100644
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -10,3 +10,7 @@ allow rild rmt_storage_prop:file { getattr open read };
 allow rild sensors_device:chr_file { ioctl open read write };
 allow rild system_data_file:dir { write remove_name add_name };
 allow rild system_data_file:sock_file { create setattr unlink };
+allow rild proc:file read;
+allow rild system_data_file:dir { open read };
+allow rild system_file:file execute_no_trans;
+allow rild unlabeled:dir getattr;
diff --git a/sepolicy/rmt_storage.te b/sepolicy/rmt_storage.te
index cf637ca..67cec68 100644
--- a/sepolicy/rmt_storage.te
+++ b/sepolicy/rmt_storage.te
@@ -10,3 +10,4 @@ allow rmt_storage fsg_file:file r_file_perms;
 allow rmt_storage init:unix_stream_socket connectto;
 allow rmt_storage property_socket:sock_file write;
 allow rmt_storage rmt_storage_prop:property_service set;
+allow rmt_storage unlabeled:file { open read };
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
index a07201b..196ed1a 100644
--- a/sepolicy/sensors.te
+++ b/sepolicy/sensors.te
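Review bot: `allow mm-qcamerad vendor_data_file:dir { add_name remove_name write };` together with `allow mm-qcamerad vendor_data_file:sock_file { create unlink };` lets the camera daemon create and delete sockets in any directory carrying the generic vendor data label, i.e. across all of /data/vendor, not just its own area. If the socket lives in a fixed directory, give that directory its own type in file_contexts and grant the `dir` and `sock_file` permissions on that type only, so other vendor daemons' data directories do not become writable by the camera process. The two `mnt_vendor_file` rules share the generic-label shape but are read-only and much less of a concern.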
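Review bot: `allow rild system_file:file execute_no_trans;` permits rild to exec any binary on /system and keep running it in the `rild` domain, which substantially widens what a compromised RIL process can do. The denial that produced the rule names the binary; that file should get its own type with a `domain_auto_trans` into a dedicated domain, or, if it really must run in-domain, an `execute_no_trans` allow restricted to that type rather than to all of `system_file`. `allow rild unlabeled:dir getattr;` is a labeling gap as well and the directory should be typed instead of the access being granted.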
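Review bot: `allow rmt_storage unlabeled:file { open read };` grants reads of any file that has lost or never had a label, which is broader than anything rmt_storage should need. The context lines in this hunk show the domain already reads a properly typed `fsg_file`, so the file behind this denial should be labeled the same way, via file_contexts or a genfscon entry for the partition it sits on, and the `unlabeled` rule dropped.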
@@ -1,3 +1,4 @@
 allow sensors init:unix_stream_socket connectto;
 allow sensors property_socket:sock_file write;
 allow sensors sensors_prop:property_service set;
+allow sensors firmware_file:file { getattr open read };
diff --git a/sepolicy/servicemanager.te b/sepolicy/servicemanager.te
new file mode 100644
index 0000000..8ef184e
--- /dev/null
+++ b/sepolicy/servicemanager.te
@@ -0,0 +1,3 @@
+allow servicemanager init:dir search;
+allow servicemanager init:file { open read };
+allow servicemanager init:process getattr;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index d0dbdfa..92d225c 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1 +1,4 @@
 allow system_app sensors_device:chr_file { read write open ioctl };
+allow system_app proc_pagetypeinfo:file { getattr open read };
+allow system_app sysfs_zram:dir search;
+allow system_app sysfs_zram:file { getattr open read };
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index c082b93..8f81c08 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -5,3 +5,6 @@ allow system_server sysfs_dt2w:file rw_file_perms;
 allow system_server sysfs_light:file rw_file_perms;
 allow system_server sysfs_power:file rw_file_perms;
 allow system_server user_profile_data_file:dir r_dir_perms;
+allow system_server block_device:blk_file { getattr ioctl open read write };
+allow system_server init:binder call;
+allow system_server sensors_device:chr_file ioctl;
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
index 0e64d66..7c57640 100644
--- a/sepolicy/toolbox.te
+++ b/sepolicy/toolbox.te
@@ -3,3 +3,4 @@ allow toolbox hwrev_data_file:file { write unlink getattr setattr };
 allow toolbox init:fifo_file { write read getattr };
 allow toolbox self:capability chown;
 allow toolbox sysfs:file setattr;
+allow toolbox sysfs:file { getattr open read };
diff --git a/sepolicy/ueventd.te b/sepolicy/ueventd.te
index d069fda..65a66b8 100644
--- a/sepolicy/ueventd.te
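Review bot: `allow system_server block_device:blk_file { getattr ioctl open read write };` gives the framework raw read/write access to every block device that carries the generic `block_device` label, which is every partition node nobody bothered to type; AOSP's base policy restricts raw block access to a short list of storage domains with a neverallow, as far as I recall, so this is likely to fail the build, and if it does not it is a serious widening of system_server's reach. Find the node system_server actually opens (the avc denial carries the device name), give it a dedicated type in file_contexts, and allow only that type with the smallest permission set that works. `allow system_server init:binder call;` is another sign of a service running in the `init` domain that should have a domain of its own, rather than a permission system_server needs.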
+++ b/sepolicy/ueventd.te
@@ -1 +1,2 @@
 allow ueventd radio_data_file:chr_file { create setattr };
+allow ueventd unlabeled:file { getattr open read };
--
2.21.0
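Review bot: `allow ueventd unlabeled:file { getattr open read };` is the third grant of unlabeled-file access in this patch, and ueventd is a root-privileged domain where that is especially unwelcome. The file it is reading is probably a firmware image or a ueventd.rc-style config on a vendor partition that has no file_contexts entry; labeling it (as `firmware_file` if that is what it is, otherwise a new type) removes the need for this rule entirely. Rules against `unlabeled` are the point at which copying audit2allow output verbatim should stop and the label be fixed instead.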