authorDavide Garberi <dade.garberi@gmail.com>2019-02-05 22:24:06 +0100
committerDavide Garberi <dade.garberi@gmail.com>2019-02-06 13:56:16 +0100
commit716327e87234e99e2bf734fd15af3d94c77f5e23 (patch)
treec908ec001029d538e9860bd79a90b8c843cb0849 /sepolicy
parentd360ad8668251ae45a145c310e156638b6d59695 (diff)
msm8996-common: sepolicy: Address some denials
* Don't break any neverallows this time * Still healthd missing to fix Signed-off-by: Davide Garberi <dade.garberi@gmail.com> Change-Id: I861eb5dc1f91e7cdea2e7b55c617e55a24ec2e02
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/hal_audio_default.te2
-rw-r--r--sepolicy/hal_power_default.te5
-rw-r--r--sepolicy/mm-qcamerad.te1
-rw-r--r--sepolicy/system_server.te3
-rw-r--r--sepolicy/tee.te5
-rw-r--r--sepolicy/thermal-engine.te1
6 files changed, 14 insertions, 3 deletions
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
index 386b906..6aff479 100644
--- a/sepolicy/hal_audio_default.te
+++ b/sepolicy/hal_audio_default.te
@@ -5,4 +5,4 @@ allow hal_audio_default vendor_data_file:file create_file_perms;
allow hal_audio_default vendor_data_file:dir rw_dir_perms;
allow hal_audio_default thermal_socket:sock_file write;
allow hal_audio_default thermal-engine:unix_stream_socket connectto;
-
+allow hal_audio_default sysfs:dir { open read };
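Review bot: The added `allow hal_audio_default sysfs:dir { open read };` grants directory listing on the generic `sysfs` type, which covers every sysfs directory that has no more specific label, and nothing records which path produced the denial. A narrower fix would label the directory the audio HAL actually reads (for example through `genfs_contexts`) and allow that type instead. At minimum, add a comment such as `# audio HAL lists <sysfs path from the avc denial>`. The same applies to `allow mm-qcamerad vfat:dir search;` in mm-qcamerad.te, which is granted on the filesystem-wide `vfat` type with no stated reason.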
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 23173fb..1ae17f4 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1,3 +1,8 @@
allow hal_power_default sysfs:file rw_file_perms;
allow hal_power_default debugfs_wlan:dir search;
allow hal_power_default debugfs_wlan:file r_file_perms;
+allow hal_power_default sysfs_kgsl:lnk_file { open read write };
+allow hal_power_default sysfs_devfreq:dir search;
+allow hal_power_default sysfs_devfreq:file { open write };
+allow hal_power_default sysfs_kgsl:file { open write };
+allow hal_power_default device_latency:chr_file { open write };
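Review bot: `allow hal_power_default sysfs_kgsl:lnk_file { open read write };` grants more than resolving a symlink needs. As far as I know, following a link is checked as `read` on the `lnk_file` class, and writing through the link to the target is governed by the separate `sysfs_kgsl:file { open write }` rule added two lines below. Unless a denial explicitly listed `write` on the link itself, I would reduce it to `allow hal_power_default sysfs_kgsl:lnk_file read;`.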
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 5fb8b43..02b08c8 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
@@ -4,3 +4,4 @@ allow mm-qcamerad camera_data_file:dir create_dir_perms;
allow mm-qcamerad camera_data_file:file create_file_perms;
allow mm-qcamerad { sysfs_camera sysfs_video }:dir search;
allow mm-qcamerad { sysfs_camera sysfs_video }:file r_file_perms;
+allow mm-qcamerad vfat:dir search;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 51face6..52083c5 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@@ -1,9 +1,8 @@
allow system_server vendor_alarm_boot_prop:file r_file_perms;
allow system_server sysfs_fingerprint:file rw_file_perms;
-
allow system_server install_data_file:file getattr;
-
allow system_server zygote:process getpgid;
+allow system_server sysfs_vibrator:file read;
# /vendor/usr/keylayout
r_dir_file(system_server, idc_file)
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
new file mode 100644
index 0000000..6360bab
--- /dev/null
+++ b/sepolicy/tee.te
@@ -0,0 +1,5 @@
+typeattribute tee data_between_core_and_vendor_violators;
+
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee system_data_file:dir r_dir_perms;
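Review bot: The new tee.te gives no reason for opting `tee` into `data_between_core_and_vendor_violators`, an attribute that, by its name, marks the domain as an exception to the core/vendor data-separation rules. It then grants `create_file_perms` on `fingerprintd_data_file` and `r_dir_perms` on the generic `system_data_file` directories. Please add a header comment stating what needs this, e.g. `# Fingerprint TA stores templates under the fingerprintd data dir; drop once moved to vendor data` (that reason is my guess, so confirm it against the denials). If the `system_data_file` access is only path traversal to reach that directory, `allow tee system_data_file:dir search;` would be enough instead of `r_dir_perms`.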
diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te
index 9755b16..eda47fb 100644
--- a/sepolicy/thermal-engine.te
+++ b/sepolicy/thermal-engine.te
@@ -1,4 +1,5 @@
typeattribute thermal-engine data_between_core_and_vendor_violators;
allow thermal-engine { sysfs_batteryinfo sysfs_msm_core sysfs_msm_subsys sysfs_usb_supply }:file r_file_perms;
+allow thermal-engine sysfs_batteryinfo:file write;
allow thermal-engine { sysfs_batteryinfo sysfs_soc sysfs_msm_core sysfs_rmtfs sysfs_msm_subsys sysfs_usb_supply }:dir search;
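Review bot: `allow thermal-engine sysfs_batteryinfo:file write;` makes every node labelled `sysfs_batteryinfo` writable by thermal-engine, not only the one it needs to adjust. If the daemon writes a single control file (the commit does not say which), give that node its own type and grant `write` on that type instead. Failing that, record the target with a comment like `# thermal-engine writes <node from the avc denial> for mitigation`.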