authorDavide Garberi <dade.garberi@gmail.com>2019-02-03 21:32:15 +0100
committerDavide Garberi <dade.garberi@gmail.com>2019-02-06 13:56:15 +0100
commitebadfdde778dc77d979df9b3178d190ae93ccfbc (patch)
tree9bebe62d85452fcca6a0cb543fe44c3c87dac1ce
parent61195c01b666bf3a8cae3f63a1c474bf8a257d65 (diff)
msm8996-common: sepolicy: Nuke the neverallows
* Also fix the other general sepolicy errors that surface once the neverallows are no longer ignored Change-Id: I1af3d9f57a0ca6e37420094a53f1c52127f3e187 Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
-rw-r--r--rootdir/etc/init.qcom.rc6
-rw-r--r--sepolicy/bluetooth.te2
-rw-r--r--sepolicy/cnd.te3
-rw-r--r--sepolicy/file_contexts4
-rw-r--r--sepolicy/healthd.te1
-rw-r--r--sepolicy/init.te1
-rw-r--r--sepolicy/neverallows.te5
-rw-r--r--sepolicy/priv_app.te3
-rw-r--r--sepolicy/tee.te3
-rw-r--r--sepolicy/time_daemon.te2
10 files changed, 3 insertions, 27 deletions
diff --git a/rootdir/etc/init.qcom.rc b/rootdir/etc/init.qcom.rc
index f2168e8..5e8dd1e 100644
--- a/rootdir/etc/init.qcom.rc
+++ b/rootdir/etc/init.qcom.rc
@@ -91,12 +91,6 @@ on post-fs-data
# Create directory used by media clients
mkdir /data/vendor/media 0770 mediacodec media
- # Create directories for fingerprint
- mkdir /data/misc/stargate 0770 system system
- mkdir /data/misc/stargate/bg_estimation 0770 system system
- mkdir /data/misc/stargate/calib_test 0770 system system
- mkdir /data/misc/stargate/database 0770 system system
-
# Create directories for tombstones
mkdir /data/tombstones/modem 0771 system system
mkdir /data/tombstones/lpass 0771 system system
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
index 78d0e78..158a941 100644
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@@ -1,3 +1,3 @@
# Bluetooth app depend on /vendor/lib64/libaptX_encoder.so
-allow bluetooth vendor_file:file rx_file_perms;
+allow bluetooth vendor_file:file r_file_perms;
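Review bot: The new rule in sepolicy/bluetooth.te no longer carries `execute`, yet the comment above it still says the Bluetooth app depends on /vendor/lib64/libaptX_encoder.so. Loading a shared library maps it executable, which SELinux checks as `execute` on the file's type, so with `r_file_perms` alone the load would presumably be denied and the encoder would be unavailable. If the library is still needed, consider giving it its own label in sepolicy/file_contexts that the bluetooth domain may execute (platform policy has `same_process_hal_file` for comparable cases) instead of granting anything on all of `vendor_file`. If it is not needed, drop the rule and the comment together.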
diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te
index e52c40b..6e24fc6 100644
--- a/sepolicy/cnd.te
+++ b/sepolicy/cnd.te
@@ -1,6 +1,5 @@
allow cnd { sysfs_msm_subsys sysfs_soc }:dir search;
allow cnd sysfs_msm_subsys:file { getattr open read setattr };
-allow cnd system_data_file:dir read;
-allow cnd system_data_file:file { getattr ioctl open read };
+allow cnd system_data_file:file { getattr ioctl read };
add_hwservice(cnd, hal_cne_hwservice)
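Review bot: The replacement rule `allow cnd system_data_file:file { getattr ioctl read };` keeps a vendor daemon reading the generic `system_data_file` type, and nothing in the file says which file that is. Without `open` the rule only helps for descriptors handed to cnd by another process, so a comment naming the sender and the file would make it reviewable, e.g. `# cnd reads an fd passed by <sender>; it never opens system_data_file itself`. The same commit also removes the `/data/connectivity` to `cnd_data_file` entry from sepolicy/file_contexts, so unless that label is supplied elsewhere cnd's own data would fall back to a generic type, which is worth confirming on a device with `ls -Z`. If the rule came from audit2allow output and not from a known need, removing it is the tighter option.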
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index 9d75a23..215c5f1 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,9 +1,6 @@
# Partitions
/dev/block/platform/soc/(624000\.ufshc|7464900\.sdhci)/by-name/persist u:object_r:persist_block_device:s0
-# CNE
-/data/connectivity(/.*)? u:object_r:cnd_data_file:s0
-
# Devices
/dev/fpc1020 u:object_r:fpc1020_device:s0
/dev/tfa9890 u:object_r:audio_device:s0
@@ -12,7 +9,6 @@
# Data files
/data/fpc(/.*)? u:object_r:fpc_data_file:s0
/data/decrypt\.txt u:object_r:thermal_data_file:s0
-/data/misc/stargate(/.*)? u:object_r:qfp-daemon_data_file:s0
# Binaries
/vendor/bin/readmac u:object_r:readmac_exec:s0
diff --git a/sepolicy/healthd.te b/sepolicy/healthd.te
deleted file mode 100644
index 93d2673..0000000
--- a/sepolicy/healthd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow healthd sysfs:file { getattr open read };
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 06725f7..eee43ed 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -4,7 +4,6 @@ allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
allow init debugfs_ipc:dir relabelfrom;
allow init debugfs_ipc:file relabelfrom;
allow init proc_kernel_sched:file write;
-allow init proc:file { getattr open read setattr };
allow init { ion_device tee_device }:chr_file ioctl;
allow init hidl_base_hwservice:hwservice_manager add;
allow init sysfs_fingerprint:file { open read setattr write };
diff --git a/sepolicy/neverallows.te b/sepolicy/neverallows.te
deleted file mode 100644
index 9687789..0000000
--- a/sepolicy/neverallows.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# Healthd
-allow healthd healthd:capability dac_override;
-
-# ReadMac
-allow readmac self:capability dac_override;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index 9439899..cc763ca 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,10 +1,9 @@
allow priv_app adsprpcd_file:filesystem getattr;
allow priv_app { asec_apk_file bt_firmware_file cache_private_backup_file cgroup configfs mnt_media_rw_file radio_data_file }:dir r_dir_perms;
-allow priv_app { configfs file_contexts_file firmware_file hwservice_contexts_file keylayout_file mac_perms_file nonplat_service_contexts_file proc proc_interrupts proc_modules proc_stat seapp_contexts_file sepolicy_file service_contexts_file vendor_file vndservice_contexts_file }:file r_file_perms;
+allow priv_app { file_contexts_file firmware_file hwservice_contexts_file keylayout_file mac_perms_file nonplat_service_contexts_file proc_interrupts proc_modules proc_stat seapp_contexts_file sepolicy_file service_contexts_file vendor_file vndservice_contexts_file }:file r_file_perms;
allow priv_app hal_memtrack_hwservice:hwservice_manager find;
allow priv_app device:dir open;
-r_dir_file(priv_app, sysfs_type);
binder_call(priv_app, hal_memtrack_default);
# Clean up logspam
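Review bot: The rewritten `:file r_file_perms` rule still grants priv_app read access to `proc_interrupts`, `proc_modules`, `proc_stat`, `sepolicy_file` and the `*_contexts_file` types, and the unchanged `allow priv_app device:dir open;` stays beside it. These read like audit2allow output and not like stated requirements, and kernel-state files such as /proc/interrupts are the kind of information platform policy normally keeps away from app domains. I would put each type that is really needed on its own line with a comment naming the consumer. If the rest only exist to quiet denials, replace them with `dontaudit priv_app { proc_interrupts proc_modules proc_stat }:file r_file_perms;`. The file continues past the `# Clean up logspam` context line, so rules further down may already cover part of this.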
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
deleted file mode 100644
index 7664bc4..0000000
--- a/sepolicy/tee.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow tee fingerprintd_data_file:file create_file_perms;
-allow tee fingerprintd_data_file:dir rw_dir_perms;
-allow tee system_data_file:dir r_dir_perms;
diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te
index d8a8394..ea3cdec 100644
--- a/sepolicy/time_daemon.te
+++ b/sepolicy/time_daemon.te
@@ -1,5 +1,3 @@
allow time_daemon sysfs_msm_subsys:dir search;
allow time_daemon sysfs_msm_subsys:file { getattr open read setattr };
allow time_daemon sysfs_soc:dir search;
-allow time_daemon time_data_file:file create_file_perms;
-allow time_daemon time_data_file:dir rw_dir_perms;