msm8226-common: update and cleanup sepolicy

sepolicy/common/bluetooth.te

@@ -5,6 +5,11 @@ allow bluetooth firmware_file:dir r_dir_perms;
 allow bluetooth proc_bt_sleep:dir search;
 allow bluetooth proc_bt_sleep:file w_file_perms;
 
+allow bluetooth_loader bluetooth_efs_file:dir search;
+allow bluetooth_loader bluetooth_efs_file:file { open read };
+allow bluetooth_loader efs_file:dir search;
+allow bluetooth_loader bluetooth_efs_file:file getattr;
+
 allow bluetooth {
     bt_fw_file
     wifi_data_file

sepolicy/common/file_contexts

@@ -27,6 +27,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.sensors@1\.0-service.samsung8226        u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-qcom    u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung               u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung             u:object_r:hal_light_default_exec:s0
  
 # sockets
 /data/cam_socket3                                       u:object_r:camera_socket:s0
@@ -37,8 +38,7 @@
 /sys/devices/virtual/camera(/.*)?                                u:object_r:sysfs_camera:s0
 /sys/devices/virtual/input(/.*)?                                 u:object_r:sysfs_input:s0
 /sys/devices/.*bcl.*(/.*)?                                       u:object_r:sysfs_thermal:s0
-/sys/module/dhd/parameters/firmware_path                         u:object_r:sysfs_wifi_writeable:s0
-/sys/module/dhd/parameters/nvram_path                            u:object_r:sysfs_wifi_writeable:s0
+/sys/module/wlan/parameters/fwpath                               u:object_r:sysfs_wifi_writeable:s0
 
 # sysfs - battery/charger
 /sys/devices/battery\.[0-9]+/power_supply(/.*)?         u:object_r:sysfs_batteryinfo:s0
@@ -69,6 +69,7 @@
 # sysfs - leds
 /sys/devices/i2c\.[0-9]+/i2c-[0-9]+/[0-9]+-[a-z0-9]+/leds(/.*)?  u:object_r:sysfs_leds:s0
 /sys/devices/i2c\.[0-9]+/i2c-[0-9]+/[0-9]+-[a-z0-9]+/max[a-z0-9]+-led/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/class/leds(/.*)?                                   u:object_r:sysfs_leds:s0
 
 # sysfs - sec
 /sys/devices/platform/sec-thermistor(/.*)?              u:object_r:sysfs_sec_thermistor:s0
@@ -86,4 +87,4 @@
 /sys/devices/virtual/sensors(/.*)?                      u:object_r:sysfs_sensors:s0
 
 # sysfs - usb
-/sys/devices/virtual/host_notify/usb_otg(/.*)?               u:object_r:sysfs_usb_otg:s0
+/sys/devices/virtual/host_notify/usb_otg(/.*)?          u:object_r:sysfs_usb_otg:s0

sepolicy/common/hal_health_default.te

@@ -0,0 +1,5 @@
+r_dir_file(hal_health_default, sysfs_batteryinfo)
+
+allow hal_health_default sysfs_batteryinfo:file rw_file_perms;
+allow hal_health_default sysfs:file { open read };
+allow hal_health_default sysfs:file getattr;

sepolicy/common/hal_light_default.te

@@ -0,0 +1,3 @@
+allow hal_light_default sysfs:file { getattr write open read };
+allow hal_light_default sysfs_sec_led:dir { getattr write open read search };
+allow hal_light_default sysfs_sec_led:file { getattr write open read };

sepolicy/common/hal_lineage_livedisplay_sysfs.te

@@ -5,8 +5,13 @@ allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_pe
 # Allow LiveDisplay to read and write to files in sysfs_graphics
 allow hal_lineage_livedisplay_sysfs {
     sysfs_graphics
+    sysfs_mdnie
 }:dir search;
 
 allow hal_lineage_livedisplay_sysfs {
     sysfs_graphics
+    sysfs_mdnie
 }:file rw_file_perms;
+
+allow hal_lineage_livedisplay_sysfs sysfs:file { open read write };
+allow hal_lineage_livedisplay_sysfs sysfs:file getattr;

sepolicy/common/hal_sensors_default.te

@@ -32,3 +32,9 @@ allow hal_sensors_default {
     sysfs_iio
     sysfs_input
 }:lnk_file read;
+
+allow hal_sensors_default system_data_file:file write;
+allow hal_sensors_default sysfs:dir read;
+allow hal_sensors_default sysfs:dir open;
+allow hal_sensors_default sysfs:file read;
+allow hal_sensors_default system_data_file:file { open read getattr };

sepolicy/common/healthd.te

@@ -1,3 +1,8 @@
 allow healthd alarm_device:chr_file rw_file_perms;
 allow healthd device:dir r_dir_perms;
 allow healthd rtc_device:chr_file rw_file_perms;
+allow healthd sysfs:file { getattr open read };
+
+userdebug_or_eng(`
+	permissive healthd;
+')

sepolicy/common/init.te

@@ -21,6 +21,7 @@ allow init {
     sysfs_input
     sysfs_kgsl
     sysfs_leds
+    sysfs_mdnie
     sysfs_msmuart_file
     sysfs_sec_bamdmux
     sysfs_sec_barcode_emul

sepolicy/common/mediaserver.te

@@ -2,3 +2,4 @@ allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file r_file_perms;
 allow mediaserver vendor_file:file execmod;
 allow mediaserver system_data_file:sock_file write;
+allow mediaserver hal_lineage_camera_motor_hwservice:hwservice_manager find;

sepolicy/common/netd.te

@@ -0,0 +1 @@
+allow system_app netd:binder call; 

sepolicy/common/priv_app.te

@@ -2,3 +2,6 @@ get_prop(priv_app, camera_prop)
 
 allow priv_app device:dir r_dir_perms;
 allow priv_app proc_interrupts:file r_file_perms;
+allow priv_app proc_modules:file open;
+allow priv_app sysfs:file { open read };
+allow priv_app proc_modules:file getattr;

sepolicy/common/surfaceflinger.te

@@ -0,0 +1,3 @@
+allow surfaceflinger sysfs:file read;
+allow surfaceflinger sysfs:file open;
+allow surfaceflinger sysfs:file getattr;

sepolicy/common/system_app.te

@@ -1 +1,2 @@
+allow system_app sysfs_mdnie:dir search;
 allow system_app sysfs_mdnie:file rw_file_perms;

sepolicy/common/system_server.te

@@ -13,3 +13,5 @@ allow system_server {
     sysfs_sec_led
     sysfs_sec_touchkey
 }:file w_file_perms;
+
+allow system_server unlabeled:file unlink;

sepolicy/common/untrusted_app.te

@@ -1,2 +0,0 @@
-allow untrusted_app sysfs_batteryinfo:dir r_dir_perms;
-allow untrusted_app sysfs_batteryinfo:file r_file_perms; 

sepolicy/common/wcnss_service.te

@@ -0,0 +1 @@
+allow wcnss_service efs_file:dir search;

sepolicy/common/webview_zygote.te

@@ -0,0 +1 @@
+allow webview_zygote zygote:unix_dgram_socket write; 

sepolicy/common/zygote.te

@@ -0,0 +1,3 @@
+allow zygote proc_cmdline:file read; 
+allow zygote proc_cmdline:file open;
+allow zygote proc_cmdline:file getattr;