-rw-r--r-- | sepolicy/atfwd.te | 2 | ||||
-rw-r--r-- | sepolicy/cnd.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_dpmQmiMgr.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_fingerprint_default.te | 4 | ||||
-rw-r--r-- | sepolicy/hal_gnss_qti.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_imsrtp.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_perf_default.te | 1 | ||||
-rw-r--r-- | sepolicy/hal_rcsservice.te | 2 | ||||
-rw-r--r-- | sepolicy/hal_sensors_default.te | 1 | ||||
-rw-r--r-- | sepolicy/ims.te | 2 | ||||
-rw-r--r-- | sepolicy/init.te | 7 | ||||
-rw-r--r-- | sepolicy/location.te | 3 | ||||
-rw-r--r-- | sepolicy/mm-qcamerad.te | 5 | ||||
-rw-r--r-- | sepolicy/netmgrd.te | 2 | ||||
-rw-r--r-- | sepolicy/peripheral_manager.te | 1 | ||||
-rw-r--r-- | sepolicy/qti.te | 1 | ||||
-rw-r--r-- | sepolicy/qti_init_shell.te | 6 | ||||
-rw-r--r-- | sepolicy/sensors.te | 1 | ||||
-rw-r--r-- | sepolicy/tee.te | 6 | ||||
-rw-r--r-- | sepolicy/thermal-engine.te | 1 | ||||
-rw-r--r-- | sepolicy/time_daemon.te | 2 | ||||
-rw-r--r-- | sepolicy/vendor_init.te | 5 |
22 files changed, 41 insertions, 18 deletions
diff --git a/sepolicy/atfwd.te b/sepolicy/atfwd.te index d0eed5e..a48a7db 100644 --- a/sepolicy/atfwd.te +++ b/sepolicy/atfwd.te @@ -1,2 +1,2 @@ allow atfwd sysfs_msm_subsys:dir search; -allow atfwd sysfs_msm_subsys:file { open read }; +allow atfwd sysfs_msm_subsys:file { getattr open read setattr }; diff --git a/sepolicy/cnd.te b/sepolicy/cnd.te index 09f270c..5b6938b 100644 --- a/sepolicy/cnd.te +++ b/sepolicy/cnd.te @@ -1,5 +1,5 @@ allow cnd sysfs_msm_subsys:dir search; -allow cnd sysfs_msm_subsys:file { open read }; +allow cnd sysfs_msm_subsys:file { getattr open read setattr }; allow cnd sysfs_soc:dir search; allow cnd system_data_file:dir read; allow cnd system_data_file:file { getattr ioctl open read }; diff --git a/sepolicy/hal_dpmQmiMgr.te b/sepolicy/hal_dpmQmiMgr.te index ec5358c..7dec426 100644 --- a/sepolicy/hal_dpmQmiMgr.te +++ b/sepolicy/hal_dpmQmiMgr.te @@ -1 +1,2 @@ allow hal_dpmQmiMgr sysfs_msm_subsys:dir search; +allow hal_dpmQmiMgr sysfs_msm_subsys:file { getattr open read setattr }; diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te index fee691f..3c7d5e6 100644 --- a/sepolicy/hal_fingerprint_default.te +++ b/sepolicy/hal_fingerprint_default.te @@ -11,3 +11,7 @@ allow hal_fingerprint_default firmware_file:file r_file_perms; allow hal_fingerprint_default fpc_data_file:dir create_dir_perms; allow hal_fingerprint_default fpc_data_file:sock_file { create setattr unlink }; +allow hal_fingerprint_default fingerprintd_data_file:dir rw_dir_perms; +allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms; +allow hal_fingerprint_default vfat:dir { read search }; +allow hal_fingerprint_default vfat:file { getattr open read setattr }; diff --git a/sepolicy/hal_gnss_qti.te b/sepolicy/hal_gnss_qti.te index 37a4083..49ab1ff 100644 --- a/sepolicy/hal_gnss_qti.te +++ b/sepolicy/hal_gnss_qti.te 
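Review bot: `setattr` in the new `sysfs_msm_subsys:file` set lets atfwd change the mode, owner and timestamps of those sysfs nodes, and nothing visible here explains why a domain that previously held only `{ open read }` needs that. The identical set across so many files looks copied from denial logs rather than derived from what each daemon does (inferred). I would keep the rule read-only, `allow atfwd sysfs_msm_subsys:file { getattr open read };`, and grant `setattr` only to the one domain that prepares the nodes. The same set is added in cnd.te, hal_dpmQmiMgr.te, hal_gnss_qti.te, hal_imsrtp.te, hal_rcsservice.te, hal_sensors_default.te, ims.te, location.te, netmgrd.te, peripheral_manager.te, qti.te, sensors.te, thermal-engine.te and time_daemon.te.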
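Review bot: The two `vfat` rules in hal_fingerprint_default.te are written against the generic FAT filesystem label, so they reach every object carrying that label rather than one partition, and `setattr` is not needed to read a file. If the HAL only loads a blob from a FAT-formatted firmware partition (an assumption, the hunk does not say), give that mount its own type through a `context=` mount option and grant `r_file_perms` on that type instead. The same `vfat:file { getattr open read setattr }` and a `vfat:dir` rule are added for qti_init_shell in qti_init_shell.te. The hunk starts at line 11, so the earlier rules of this file are not visible here.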
@@ -1,3 +1,3 @@
 allow hal_gnss_qti sysfs_msm_subsys:dir search;
 allow hal_gnss_qti sysfs_soc:dir search;
-allow hal_gnss_qti sysfs_msm_subsys:file { open read };
+allow hal_gnss_qti sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_imsrtp.te b/sepolicy/hal_imsrtp.te
index 1787976..f583686 100644
--- a/sepolicy/hal_imsrtp.te
+++ b/sepolicy/hal_imsrtp.te
@@ -1,2 +1,2 @@
 allow hal_imsrtp sysfs_msm_subsys:dir search;
-allow hal_imsrtp sysfs_msm_subsys:file { open read };
+allow hal_imsrtp sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_perf_default.te b/sepolicy/hal_perf_default.te
index 47b30f4..e185a2c 100644
--- a/sepolicy/hal_perf_default.te
+++ b/sepolicy/hal_perf_default.te
@@ -1,4 +1,5 @@
 set_prop(hal_perf_default, freq_prop)
+typeattribute hal_perf_default data_between_core_and_vendor_violators;
 allow hal_perf_default hal_graphics_composer_default:process signull;
 allow hal_perf_default proc_kernel_sched:file rw_file_perms;
 allow hal_perf_default sysfs_msm_subsys:dir search;
diff --git a/sepolicy/hal_rcsservice.te b/sepolicy/hal_rcsservice.te
index 9719d47..333b19d 100644
--- a/sepolicy/hal_rcsservice.te
+++ b/sepolicy/hal_rcsservice.te
@@ -1,2 +1,2 @@
 allow hal_rcsservice sysfs_msm_subsys:dir search;
-allow hal_rcsservice sysfs_msm_subsys:file { open read };
+allow hal_rcsservice sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index 9e01c6d..491a38c 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -1 +1,2 @@
 allow hal_sensors_default sysfs_msm_subsys:dir search;
+allow hal_sensors_default sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/ims.te b/sepolicy/ims.te
index c1848e6..a46b104 100644
--- a/sepolicy/ims.te
+++ b/sepolicy/ims.te
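Review bot: `typeattribute hal_perf_default data_between_core_and_vendor_violators;` exempts the whole domain from the neverallow rules that keep vendor processes out of core data, yet no rule in this hunk shows which access needs the exemption. Add a comment above the line naming what requires it, for example `# violator: needs <core data type> under <path>; remove once moved to vendor data`, so the exemption can be retired later. The same attribute is added without explanation in init.te and mm-qcamerad.te. In mm-qcamerad.te it accompanies new `camera_data_file` create rules, which suggests (inferred) that the camera daemon still writes to a platform-owned data directory and would be better served by a vendor-owned type.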
@@ -1,4 +1,4 @@
 allow ims sysfs_msm_subsys:dir search;
-allow ims sysfs_msm_subsys:file { open read };
+allow ims sysfs_msm_subsys:file { getattr open read setattr };
 allow ims sysfs_soc:dir search;
 allow ims ctl_default_prop:property_service set;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 55f9fac..5d8c97e 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,12 +1,13 @@
+typeattribute init data_between_core_and_vendor_violators;
 allow init adsprpcd_file:filesystem { mount relabelfrom relabelto };
 allow init debugfs_ipc:dir relabelfrom;
 allow init debugfs_ipc:file relabelfrom;
 allow init proc_kernel_sched:file write;
-allow init sysfs_scsi_devices_0000:dir write;
+allow init proc:file { getattr open read setattr };
 allow init { ion_device tee_device }:chr_file ioctl;
 allow init hidl_base_hwservice:hwservice_manager add;
-allow init sysfs_fingerprint:file { open read write };
+allow init sysfs_fingerprint:file { open read setattr write };
+allow init sysfs:file setattr;
 allow init tee_device:chr_file write;
 allow init hidl_base_hwservice:hwservice_manager add;
-allow init sysfs_fingerprint:file { open read write };
 allow init system_server:binder call;
diff --git a/sepolicy/location.te b/sepolicy/location.te
index ab3ba1f..e6dacad 100644
--- a/sepolicy/location.te
+++ b/sepolicy/location.te
@@ -1,4 +1,5 @@
 allow location sysfs_msm_subsys:dir search;
 allow location sysfs_soc:dir search;
 allow location wcnss_prop:file r_file_perms;
-allow location sysfs_msm_subsys:file { open read };
+allow location sysfs_msm_subsys:file { getattr open read setattr };
+allow location location_data_file:sock_file unlink;
diff --git a/sepolicy/mm-qcamerad.te b/sepolicy/mm-qcamerad.te
index 512b271..4ae3bd5 100644
--- a/sepolicy/mm-qcamerad.te
+++ b/sepolicy/mm-qcamerad.te
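Review bot: `allow init proc:file { getattr open read setattr };` and `allow init sysfs:file setattr;` in init.te are written against the catch-all `proc` and `sysfs` labels, so they cover every node that has no dedicated type rather than the few that init actually touches. Labelling the specific nodes in genfs_contexts and granting `setattr` on that type keeps the rule reviewable; the `sysfs_fingerprint` rule in this same hunk already follows that pattern. Separately, `allow init hidl_base_hwservice:hwservice_manager add;` still appears twice in the context lines and one copy can be dropped.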
@@ -1,3 +1,8 @@
+typeattribute mm-qcamerad data_between_core_and_vendor_violators;
+
+allow mm-qcamerad camera_data_file:dir create_dir_perms;
+allow mm-qcamerad camera_data_file:file create_file_perms;
+
 allow mm-qcamerad sysfs_camera:dir search;
 allow mm-qcamerad sysfs_camera:file r_file_perms;
 allow mm-qcamerad sysfs_video:dir search;
diff --git a/sepolicy/netmgrd.te b/sepolicy/netmgrd.te
index f7f0051..06bbe17 100644
--- a/sepolicy/netmgrd.te
+++ b/sepolicy/netmgrd.te
@@ -1,5 +1,5 @@
 allow netmgrd sysfs_msm_subsys:dir search;
-allow netmgrd sysfs_msm_subsys:file { open read };
+allow netmgrd sysfs_msm_subsys:file { getattr open read setattr };
 allow netmgrd sysfs_net:dir search;
 allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_soc:dir search;
diff --git a/sepolicy/peripheral_manager.te b/sepolicy/peripheral_manager.te
index b32c70d..709affa 100644
--- a/sepolicy/peripheral_manager.te
+++ b/sepolicy/peripheral_manager.te
@@ -1 +1,2 @@
 allow vendor_per_mgr sysfs_msm_subsys:dir search;
+allow vendor_per_mgr sysfs_msm_subsys:file { getattr open read setattr };
diff --git a/sepolicy/qti.te b/sepolicy/qti.te
index dac3966..df3942a 100644
--- a/sepolicy/qti.te
+++ b/sepolicy/qti.te
@@ -1,2 +1,3 @@
 allow qti sysfs_msm_subsys:dir search;
+allow qti sysfs_msm_subsys:file { getattr open read setattr };
 allow qti sysfs_soc:dir search;
diff --git a/sepolicy/qti_init_shell.te b/sepolicy/qti_init_shell.te
index a32d8ee..a5ec8a4 100644
--- a/sepolicy/qti_init_shell.te
+++ b/sepolicy/qti_init_shell.te
@@ -1,4 +1,4 @@
 allow qti_init_shell sysfs:file write;
-allow qti_init_shell vendor_radio_data_file:file { open read write };
-allow qti_init_shell vendor_radio_data_file:dir getattr;
-allow qti_init_shell vfat:file getattr;
+allow qti_init_shell vendor_radio_data_file:dir { getattr open read search setattr };
+allow qti_init_shell vfat:file { getattr open read setattr };
+allow qti_init_shell vfat:dir { open read search };
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te index eaeed4d..740e938 100644 --- a/sepolicy/sensors.te +++ b/sepolicy/sensors.te @@ -1 +1,2 @@ allow sensors sysfs_msm_subsys:dir search; +allow sensors sysfs_msm_subsys:file { getattr open read setattr }; diff --git a/sepolicy/tee.te b/sepolicy/tee.te index 2b4d499..7664bc4 100644 --- a/sepolicy/tee.te +++ b/sepolicy/tee.te @@ -1,5 +1,3 @@ -typeattribute tee data_between_core_and_vendor_violators; - -allow tee fingerprintd_data_file:file { open read }; - +allow tee fingerprintd_data_file:file create_file_perms; +allow tee fingerprintd_data_file:dir rw_dir_perms; allow tee system_data_file:dir r_dir_perms; diff --git a/sepolicy/thermal-engine.te b/sepolicy/thermal-engine.te index 59626eb..ffd8a30 100644 --- a/sepolicy/thermal-engine.te +++ b/sepolicy/thermal-engine.te @@ -1,5 +1,6 @@ typeattribute thermal-engine data_between_core_and_vendor_violators; allow thermal-engine sysfs_msm_subsys:dir search; +allow thermal-engine sysfs_msm_subsys:file { getattr open read setattr }; allow thermal-engine sysfs_usb_supply:dir search; allow thermal-engine sysfs_usb_supply:file r_file_perms; diff --git a/sepolicy/time_daemon.te b/sepolicy/time_daemon.te index d586681..3896a0a 100644 --- a/sepolicy/time_daemon.te +++ b/sepolicy/time_daemon.te @@ -1,3 +1,5 @@ allow time_daemon sysfs_msm_subsys:dir search; +allow time_daemon sysfs_msm_subsys:file { getattr open read setattr }; allow time_daemon sysfs_soc:dir search; allow time_daemon time_data_file:file { open read write }; +allow time_daemon time_data_file:dir search; diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te index f4404cf..caecc32 100644 --- a/sepolicy/vendor_init.te +++ b/sepolicy/vendor_init.te @@ -6,6 +6,11 @@ allow vendor_init { cnd_data_file # dpmd_data_file fpc_data_file + media_rw_data_file + nfc_data_file + rootfs + time_data_file thermal_data_file tombstone_data_file }:dir create_dir_perms; +allow vendor_init media_rw_data_file:dir getattr; |
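Review bot: In tee.te, access to `fingerprintd_data_file` grows from `{ open read }` to `create_file_perms` plus `rw_dir_perms` in the same change that removes `typeattribute tee data_between_core_and_vendor_violators;`. If `fingerprintd_data_file` is a platform-owned data type (it is not defined in this diff, so this is inferred), a build that enforces the core/vendor data split would be expected to reject these rules without the attribute, and the context line `allow tee system_data_file:dir r_dir_perms;` is in the same position. Either keep the attribute with a comment saying why, or move the storage to a vendor-owned type. The commit message should also state why read access stopped being enough for this domain.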
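Review bot: Adding `rootfs`, `media_rw_data_file`, `nfc_data_file` and `time_data_file` to the `:dir create_dir_perms` set in vendor_init.te lets vendor_init create, rename and remove directories on the root filesystem and in data areas owned by other components, which is much more than one-time directory setup needs. I would grant each type only the operations the init scripts actually perform, on the specific type, and leave `rootfs` out unless a concrete denial justifies it. The trailing `allow vendor_init media_rw_data_file:dir getattr;` is redundant, since `create_dir_perms` already includes `getattr`. The `allow vendor_init {` statement opens above the hunk, so the start of the type list is not visible here.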