axolotl: sepolicy: Cleanup everything

Change-Id: Icd5fbb95164ea10e82e277a215f51fe2feab41d2
diff --git a/sepolicy/vendor/app_domain.te b/sepolicy/vendor/app_domain.te
deleted file mode 100644
index c95bf2b..0000000
--- a/sepolicy/vendor/app_domain.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(appdomain, camera_prop)
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
deleted file mode 100644
index 85b1494..0000000
--- a/sepolicy/vendor/hal_audio_default.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow hal_audio_default init:unix_stream_socket connectto;
-allow hal_audio_default property_socket:sock_file write;
-allow hal_audio_default sysfs:dir { open read };
-
-get_prop(hal_audio_default, fm_prop)
diff --git a/sepolicy/vendor/hal_display_color.te b/sepolicy/vendor/hal_display_color.te
deleted file mode 100644
index fe9e899..0000000
--- a/sepolicy/vendor/hal_display_color.te
+++ /dev/null
@@ -1,3 +0,0 @@
-# Allow platform apps to talk with display color server
-binder_call(platform_app, hal_display_color_server)
-allow platform_app hal_display_color_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/hal_nfc_default.te b/sepolicy/vendor/hal_nfc_default.te
index efc4efa..5317352 100644
--- a/sepolicy/vendor/hal_nfc_default.te
+++ b/sepolicy/vendor/hal_nfc_default.te
@@ -1,3 +1,2 @@
 dontaudit hal_nfc_default nxpese_hwservice:hwservice_manager find;
-dontaudit hal_nfc_default nxpnfc_hwservice:hwservice_manager add;
-dontaudit hal_nfc_default nxpnfc_hwservice:hwservice_manager find;
+dontaudit hal_nfc_default nxpnfc_hwservice:hwservice_manager { add find };
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index 06c163f..b55db04 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -1,4 +1 @@
-allow hal_sensors_default sysfs:dir { open read };
-allow hal_sensors_default sysfs:file { open read };
-
 set_prop(hal_sensors_default, sensors_prop)
diff --git a/sepolicy/vendor/hwservice.te b/sepolicy/vendor/hwservice.te
index a77861c..37762d9 100644
--- a/sepolicy/vendor/hwservice.te
+++ b/sepolicy/vendor/hwservice.te
@@ -1,3 +1,2 @@
-type hal_goodix_hwservice, hwservice_manager_type;
 type nxpese_hwservice, hwservice_manager_type;
 type nxpnfc_hwservice, hwservice_manager_type;
diff --git a/sepolicy/vendor/hwservice_contexts b/sepolicy/vendor/hwservice_contexts
index ec00e13..e20cd48 100644
--- a/sepolicy/vendor/hwservice_contexts
+++ b/sepolicy/vendor/hwservice_contexts
@@ -1,11 +1,8 @@
-hardware.shift.light::ILight                         u:object_r:hal_light_hwservice:s0
-
 # Fingerprint
 vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon      u:object_r:hal_fingerprint_hwservice:s0
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonFido  u:object_r:hal_fingerprint_hwservice:s0
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonHbd   u:object_r:hal_fingerprint_hwservice:s0
 
-vendor.goodix.hardware.fingerprint::IGoodixBiometricsFingerprint             u:object_r:hal_goodix_hwservice:s0
+# Light
+hardware.shift.light::ILight                                                 u:object_r:hal_light_hwservice:s0
 
 # NFC
 vendor.nxp.nxpese::INxpEse                                                   u:object_r:nxpese_hwservice:s0
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index dcfccda..5051c3a 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -1,7 +1,6 @@
-allow init block_device:blk_file write;
+# DPM
+allow init socket_device:sock_file { create setattr };
+
+# Firmware
 allow init bt_firmware_file:filesystem getattr;
 allow init firmware_file:filesystem getattr;
-allow init hidl_base_hwservice:hwservice_manager add;
-allow init hwservicemanager:binder transfer;
-allow init socket_device:sock_file { create setattr };
-allow init sysfs_graphics:file { open read write };
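Review bot: The retained `allow init socket_device:sock_file { create setattr };` targets the generic `socket_device` type, so the new `# DPM` comment states an intent that the rule itself does not enforce. It applies to any socket file carrying that label, not only the DPM one. If the DPM socket has, or can be given, its own type through file_contexts, scoping the rule to that type would keep the grant as narrow as the comment implies; whether such a type exists in the base policy is not visible from this hunk. At minimum the comment could name the path, for example `# DPM: init creates the DPM socket at <socket path>`.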
diff --git a/sepolicy/vendor/init_shell.te b/sepolicy/vendor/init_shell.te
deleted file mode 100644
index 46d55b7..0000000
--- a/sepolicy/vendor/init_shell.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow qti_init_shell proc_sysctl_autogroup:file rw_file_perms;
-allow qti_init_shell proc_sysctl_schedboost:file rw_file_perms;
-
-allow qti_init_shell sysfs_msm_subsys:dir r_dir_perms;
-allow qti_init_shell sysfs_msm_subsys:file rw_file_perms;
diff --git a/sepolicy/vendor/lmkd.te b/sepolicy/vendor/lmkd.te
deleted file mode 100644
index d458304..0000000
--- a/sepolicy/vendor/lmkd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow lmkd hal_iop_hwservice:hwservice_manager { find };
-allow lmkd hal_iop_default:binder { call };
diff --git a/sepolicy/vendor/mediaprovider.te b/sepolicy/vendor/mediaprovider.te
deleted file mode 100644
index 639f8b1..0000000
--- a/sepolicy/vendor/mediaprovider.te
+++ /dev/null
@@ -1 +0,0 @@
-allow mediaprovider gpuservice:binder call;
diff --git a/sepolicy/vendor/proc_net.te b/sepolicy/vendor/proc_net.te
deleted file mode 100644
index 0f22770..0000000
--- a/sepolicy/vendor/proc_net.te
+++ /dev/null
@@ -1 +0,0 @@
-allow proc_net proc:filesystem associate;
diff --git a/sepolicy/vendor/property.te b/sepolicy/vendor/property.te
index 848b07c..85b190c 100644
--- a/sepolicy/vendor/property.te
+++ b/sepolicy/vendor/property.te
@@ -1,5 +1,3 @@
 vendor_internal_prop(power_prop)
 
 vendor_internal_prop(vendor_camera_prop)
-
-vendor_public_prop(vendor_fm_prop)
diff --git a/sepolicy/vendor/property_contexts b/sepolicy/vendor/property_contexts
index 554d3b1..e235d74 100644
--- a/sepolicy/vendor/property_contexts
+++ b/sepolicy/vendor/property_contexts
@@ -1,17 +1,12 @@
-persist.camera.arcsoft.log          u:object_r:vendor_camera_prop:s0
-persist.camera.capture.hdr_enable   u:object_r:vendor_camera_prop:s0
-persist.camera.capture.auto.iso     u:object_r:vendor_camera_prop:s0
+# Camera
+persist.camera.arcsoft.    u:object_r:vendor_camera_prop:s0
+persist.camera.capture.    u:object_r:vendor_camera_prop:s0
+persist.vendor.camera.     u:object_r:camera_prop:s0
+vendor.debug.camera.       u:object_r:camera_prop:s0
 
+# Power
 vendor.powerhal.state      u:object_r:power_prop:s0
 vendor.powerhal.audio      u:object_r:power_prop:s0
 vendor.powerhal.lpm        u:object_r:power_prop:s0
 vendor.powerhal.init       u:object_r:power_prop:s0
 vendor.powerhal.rendering  u:object_r:power_prop:s0
-
-# Camera
-persist.camera.                                     u:object_r:camera_prop:s0
-persist.vendor.camera.                              u:object_r:camera_prop:s0
-vendor.debug.camera.                                u:object_r:camera_prop:s0
-
-# FM
-ro.vendor.fm.use_audio_session                      u:object_r:vendor_fm_prop:s0
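Review bot: Dropping the `persist.camera.` catch-all means every `persist.camera.*` key outside the `arcsoft.` and `capture.` namespaces is no longer labelled by this file. Those keys fall back to whatever the base policy assigns, which may be the default property type. The two new prefix entries also widen `vendor_camera_prop` from three named keys to whole namespaces, and property.te declares that type with `vendor_internal_prop` although these keys sit outside the `vendor.` / `persist.vendor.` namespaces. Before merging, confirm which domains still set or read the remaining `persist.camera.*` keys. Where the key set is known, narrower entries are preferable, for example `persist.camera.arcsoft.log u:object_r:vendor_camera_prop:s0 exact`.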
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
index d41b445..3dfe4ec 100644
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
@@ -1,5 +1,8 @@
-allow qti_init_shell configfs:dir { add_name write };
-allow qti_init_shell configfs:file create;
+allow qti_init_shell proc_sysctl_autogroup:file rw_file_perms;
+allow qti_init_shell proc_sysctl_schedboost:file rw_file_perms;
 
 allow qti_init_shell sysfs_leds:dir setattr;
 allow qti_init_shell sysfs_leds:file setattr;
+
+allow qti_init_shell sysfs_msm_subsys:dir r_dir_perms;
+allow qti_init_shell sysfs_msm_subsys:file rw_file_perms;
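Review bot: The rules moved in from init_shell.te arrive without any comment, although three of them give a shell-script domain write access through `rw_file_perms` to `proc_sysctl_autogroup`, `proc_sysctl_schedboost` and `sysfs_msm_subsys` files. The commit adds section comments in init.te and thermal-engine.te, and the same treatment here would let a later audit tell which script needs each write. Something like `# <init script>: scheduler sysctls` above the proc rules and `# <init script>: subsystem nodes under <sysfs path>` above the sysfs_msm_subsys rules would do. If any of these files is only read by the script, `r_file_perms` would be the tighter grant.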
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index 21c8a8e..4e07238 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,5 +1,3 @@
-allow radio { cameraserver_service mediaextractor_service mediaserver_service mediametrics_service drmserver_service audioserver_service }:service_manager find;
-
 allow radio hal_datafactory_hwservice:hwservice_manager find;
 
 binder_call(radio, cnd)
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 325c39d..37f5ca5 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -1,4 +1,2 @@
-allow rild proc:file rw_file_perms;
-
 dontaudit rild tombstone_data_file:dir search;
 dontaudit rild vendor_file:file ioctl;
diff --git a/sepolicy/vendor/rs.te b/sepolicy/vendor/rs.te
deleted file mode 100644
index caa92b8..0000000
--- a/sepolicy/vendor/rs.te
+++ /dev/null
@@ -1,10 +0,0 @@
-allow rs hal_graphics_allocator_default:fd use;
-allow rs mediaswcodec:fd use;
-allow rs surfaceflinger:fd use;
-allow rs system_server:fd use;
-
-allow rs surfaceflinger:unix_stream_socket { read write };
-allow rs system_server:unix_stream_socket { read write };
-
-allow rs app_data_file:file r_file_perms;
-allow rs sdcardfs:file r_file_perms;
diff --git a/sepolicy/vendor/service.te b/sepolicy/vendor/service.te
index 05e4176..beacc7c 100644
--- a/sepolicy/vendor/service.te
+++ b/sepolicy/vendor/service.te
@@ -1 +1 @@
-type goodixfingerprintd_service,  service_manager_type;
+type goodixfingerprintd_service, service_manager_type;
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
deleted file mode 100644
index db2524c..0000000
--- a/sepolicy/vendor/surfaceflinger.te
+++ /dev/null
@@ -1 +0,0 @@
-allow surfaceflinger firmware_file:dir search;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
deleted file mode 100644
index 6d09b98..0000000
--- a/sepolicy/vendor/system_app.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(system_app, vendor_fm_prop)
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index a9a132c..096b924 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -1,9 +1,7 @@
 dontaudit thermal-engine self:capability dac_override;
 
-allow thermal-engine init:unix_stream_socket connectto;
-allow thermal-engine proc:file { open read write };
-allow thermal-engine property_socket:sock_file write;
-allow thermal-engine sysfs:dir { open read };
+# /sys/class/kgsl
+allow thermal-engine sysfs:dir r_dir_perms;
 
 allow thermal-engine sysfs_devfreq:dir r_dir_perms;
 allow thermal-engine sysfs_devfreq:file rw_file_perms;
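Review bot: The replacement rule `allow thermal-engine sysfs:dir r_dir_perms;` is broader than the `{ open read }` it supersedes and still targets the generic `sysfs` type. The `# /sys/class/kgsl` comment therefore describes one directory while the rule lets thermal-engine search and list every sysfs directory that has no more specific label. Labelling the kgsl path with a dedicated type (via genfscon or file_contexts) and writing `allow thermal-engine <kgsl sysfs type>:dir r_dir_perms;` would match the comment. Whether the base policy already provides such a type cannot be seen from this hunk.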
diff --git a/sepolicy/vendor/vndservice.te b/sepolicy/vendor/vndservice.te
deleted file mode 100644
index 2de2510..0000000
--- a/sepolicy/vendor/vndservice.te
+++ /dev/null
@@ -1 +0,0 @@
-type goodix_fingerprint_vndservice,      vndservice_manager_type;
diff --git a/sepolicy/vendor/vndservice_contexts b/sepolicy/vendor/vndservice_contexts
deleted file mode 100644
index 70a1aec..0000000
--- a/sepolicy/vendor/vndservice_contexts
+++ /dev/null
@@ -1,3 +0,0 @@
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon       u:object_r:goodix_fingerprint_vndservice:s0
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonHbd    u:object_r:goodix_fingerprint_vndservice:s0
-vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemonFido   u:object_r:goodix_fingerprint_vndservice:s0