
sm8450-common: sepolicy: Overall cleanup

Change-Id: I0d6282ea0315774fa29e8155cb0e113123025623
Arian 1 年之前
父节点
当前提交
30c8d6c293

+ 0 - 5
sepolicy/public/property_contexts

@@ -1,5 +0,0 @@
-# MIUI
-ro.miui.                       u:object_r:exported_system_prop:s0
-ro.product.mod_device    u:object_r:exported_default_prop:s0 exact string
-ro.cust.test                      u:object_r:exported_system_prop:s0
-ro.carrier u:object_r:exported_default_prop:s0 exact string

+ 0 - 1
sepolicy/vendor/agmservice_qti.te

@@ -1 +0,0 @@
-allow vendor_agmservice_qti debugfs:dir r_dir_perms;

+ 0 - 2
sepolicy/vendor/audioadsprpcd.te

@@ -1,2 +0,0 @@
-allow vendor_audioadsprpcd vendor_audio_data_file:dir search;
-allow vendor_audioadsprpcd vendor_audio_data_file:file { append create getattr open read setattr write };

+ 0 - 8
sepolicy/vendor/audioserver.te

@@ -1,8 +0,0 @@
-allow audioserver system_server:dir search;
-allow audioserver mediaserver:dir search;
-allow audioserver mediaserver:file { open read };
-allow audioserver system_app:dir search;
-allow audioserver hal_audio_default:process signal;
-allow audioserver sound_device:chr_file rw_file_perms;
-get_prop(audioserver, bootanim_system_prop)
-set_prop(audioserver, audio_prop)

+ 11 - 6
sepolicy/vendor/batterysecret.te

@@ -1,3 +1,11 @@
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+
+hwbinder_use(batterysecret)
+init_daemon_domain(batterysecret)
+
+binder_call(batterysecret, system_suspend_server)
+
 allow batterysecret rootfs:dir write;
 allow batterysecret self:capability sys_tty_config;
 allow batterysecret self:capability sys_boot;
@@ -12,8 +20,6 @@ allow batterysecret vendor_sysfs_qcom_battery:file rw_file_perms;
 allow batterysecret vendor_sysfs_qcom_battery:file write;
 allow batterysecret vendor_sysfs_qcom_battery:file { open read write };
 allow batterysecret vendor_sysfs_qcom_battery:dir r_dir_perms;
-allow batterysecret system_suspend_server:binder { call transfer };
-allow batterysecret system_suspend_server:fd *;
 allow batterysecret system_suspend_hwservice:hwservice_manager find;
 allow batterysecret hidl_manager_hwservice:hwservice_manager find;
 allow batterysecret sysfs:file write;
@@ -22,14 +28,13 @@ allow batterysecret vendor_sysfs_usb_supply:file write;
 allow batterysecret sysfs_batteryinfo:file r_file_perms;
 allow batterysecret kmsg_device:chr_file rw_file_perms;
 allow batterysecret mnt_vendor_file:dir rw_dir_perms;
-init_daemon_domain(batterysecret)
+
 r_dir_file(batterysecret, sysfs_type)
 r_dir_file(batterysecret, rootfs)
 r_dir_file(batterysecret, cgroup)
 r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+
 get_prop(batterysecret, hwservicemanager_prop)
 get_prop(batterysecret, vendor_default_prop)
 set_prop(batterysecret, vendor_system_prop)
-hwbinder_use(batterysecret)
-type batterysecret, domain;
-type batterysecret_exec, exec_type, vendor_file_type, file_type;
+
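Review bot: The last added line of this file is an empty line after `set_prop(batterysecret, vendor_system_prop)`, so batterysecret.te now ends with a trailing blank line; the same trailing empty `+` line is added at the end of hal_mfidoca.te and hal_sensorcommunicate.te in this commit. Drop the empty line in all three so each file ends at its last rule. Separately, the cleanup leaves `allow batterysecret vendor_sysfs_qcom_battery:file write;` and `allow batterysecret vendor_sysfs_qcom_battery:file { open read write };` directly under the `rw_file_perms` rule named in the second hunk header, which already covers both, so those two context lines could go in the same pass.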

+ 0 - 27
sepolicy/vendor/bluetooth.te

@@ -1,27 +0,0 @@
-allow bluetooth hal_audio:binder { call transfer };
-allow bluetooth hal_audio:fd *;
-allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
-allow bluetooth media_rw_data_file:dir create_dir_perms;
-allow bluetooth media_rw_data_file:file create_file_perms;
-allow bluetooth serial_device:chr_file rw_file_perms;
-allow bluetooth uhid_device:chr_file rw_file_perms;
-allow bluetooth vendor_bt_device:chr_file rw_file_perms;
-allow bluetooth vendor_smd_device:chr_file rw_file_perms;
-allow bluetooth vendor_hal_iop_hwservice:hwservice_manager find;
-allow bluetooth vendor_default_prop:file { getattr map };
-allow bluetooth vendor_bt_data_file:dir search;
-allow bluetooth vendor_bt_data_file:file { getattr open read };
-allow bluetooth system_app_data_file:dir getattr;
-allow bluetooth system_app_data_file:file { getattr open read };
-allow bluetooth self:socket { create getopt read write };
-#allow bluetooth self:socket ioctl;
-allow bluetooth servicemanager:fd *;
-allow bluetooth system_app:binder { call transfer };
-allow bluetooth system_app:fd *;
-allow bluetooth vendor_dun_service:service_manager find;
-allow bluetooth hal_audio_hwservice:hwservice_manager find;
-#allowxperm bluetooth self:ioctl socket ((range 0xc300 0xc305));
-dontaudit bluetooth netd_service:service_manager find;
-get_prop(bluetooth, vendor_display_prop)
-get_prop(bluetooth, vendor_audio_prop)
-binder_use(bluetooth)

+ 0 - 2
sepolicy/vendor/bootanim.te

@@ -1,2 +0,0 @@
-allow bootanim vendor_audio_prop:file read;
-allow bootanim vendor_proc_audiod:file read;

+ 16 - 5
sepolicy/vendor/device.te

@@ -1,9 +1,20 @@
-type vendor_displayfeature_device, dev_type;
+# Audio
 type sound_device, dev_type, mlstrustedobject;
+
+# Camera
 type stmvl53l5_device, dev_type;
+
+# Display
+type vendor_displayfeature_device, dev_type;
+
+# Fingerprint
 type vendor_fingerprint_device, dev_type;
-type touchfeature_device, dev_type;
-type vendor_radio_smd_device, dev_type;
+
+# IR
 type ir_spi_device, dev_type;
-type ddr_partition, dev_type;
-type minidump_data_file, data_file_type, file_type;
+
+# Modem
+type vendor_radio_smd_device, dev_type;
+
+# Touchscreen
+type touchfeature_device, dev_type;
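Review bot: The regrouping silently drops the declarations of `ddr_partition` and `minidump_data_file` along with the reordering. `minidump_data_file` is consistent with the `/data/vendor/diag(/.*)?` file_contexts entry this commit also removes, but no reference to `ddr_partition` is visible anywhere in the diff, so please grep the remaining policy (other .te files, file_contexts, genfs_contexts) before the type goes, since a surviving reference fails the policy build. A one-line mention of the two removed types in the commit message would also make this easier to bisect later.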

+ 1 - 4
sepolicy/vendor/file_contexts

@@ -11,7 +11,6 @@
 # Camera
 /(vendor|system/vendor)/bin/hw/[email protected] u:object_r:hal_quickcamera_default_exec:s0
 /mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
-#/vendor/bin/camera_cal u:object_r:DualCameraCal_exec:s0
 /vendor/lib(64)?/libQnnHtpV69Stub\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libQnnHtp\.so u:object_r:same_process_hal_file:s0
 /vendor/lib(64)?/libSNPE\.so u:object_r:same_process_hal_file:s0
@@ -64,6 +63,7 @@
 
 # Mac Address
 /data/vendor/mac_addr(/.*)? u:object_r:vendor_mac_vendor_data_file:s0
+/mnt/vendor/persist/qca6490/wlan_mac\.bin u:object_r:vendor_mac_vendor_data_file:s0
 /vendor/bin/nv_mac u:object_r:vendor_wcnss_service_exec:s0
 
 # Mlipay
@@ -86,9 +86,6 @@
 # QRTR
 /(vendor|system/vendor)/bin/qrtr-lookup u:object_r:vendor_qrtr_exec:s0
 
-# RIL
-/data/vendor/diag(/.*)? u:object_r:minidump_data_file:s0
-
 # Sensors
 /(vendor|system/vendor)/bin/hw/android\.hardware\[email protected]\.xiaomi-multihal u:object_r:hal_sensors_default_exec:s0
 /(vendor|system/vendor)/bin/hw/[email protected] u:object_r:vendor_hal_sensorcommunicate_default_exec:s0
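Review bot: The new entry labels `/mnt/vendor/persist/qca6490/wlan_mac\.bin` with `vendor_mac_vendor_data_file`, the same type already used for the `/data/vendor/mac_addr` directory, so a file on the persist partition now shares a label with a /data tree. That is only appropriate if every domain granted that type is meant to reach the persist copy as well and if the type's declared attributes (in file.te, not part of this diff) are acceptable for a /mnt/vendor/persist path; otherwise a dedicated persist type, as the other `/mnt/vendor/persist/...` entries in this file use, keeps the two separate. Please confirm the declaration of `vendor_mac_vendor_data_file` and which domains hold it before relying on the shared label.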

+ 1 - 0
sepolicy/vendor/genfs_contexts

@@ -6,6 +6,7 @@ genfscon sysfs /devices/platform/soc/soc:spf_core_platform/soc:spf_core_platform
 # Suspend
 genfscon sysfs /devices/platform/soc/3000000.remoteproc-adsp/remoteproc/remoteproc2/3000000.remoteproc-adsp:glink-edge/3000000.remoteproc-adsp:glink-edge.adsp_apps.-1.-1/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/88c000.i2c/i2c-6/6-005a/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/990000.spi/spi_master/spi0/spi0.0/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-bark/wakeup u:object_r:sysfs_wakeup:s0
 genfscon sysfs /devices/platform/soc/c42d000.qcom,spmi/spmi-0/0-00/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300/c42d000.qcom,spmi:qcom,pmk8350@0:pon_hlos@1300:pwrkey-resin-bark/wakeup u:object_r:sysfs_wakeup:s0

+ 2 - 6
sepolicy/vendor/hal_audio.te

@@ -1,10 +1,6 @@
-allow hal_audio_default vendor_persist_audio_file:file rw_file_perms;
-allow hal_audio_default mnt_vendor_file:dir r_dir_perms;
-allow hal_audio_default vendor_audio_prop:property_service set;
 allow hal_audio_default audio_socket:sock_file rw_file_perms;
 allow hal_audio_default sound_device:chr_file rw_file_perms;
-allow hal_audio_default sysfs_f0_value:file rw_file_perms;
-allow hal_audio_default sysfs:file rw_file_perms;
-unix_socket_connect(hal_audio_default, property, init)
+
 unix_socket_connect(hal_audio_default, property, hal_sensors_default)
+
 set_prop(hal_audio_default, vendor_audio_prop)

+ 11 - 24
sepolicy/vendor/hal_camera_default.te

@@ -1,38 +1,25 @@
 attribute vendor_hal_camerapostproc_xiaomi;
 attribute vendor_hal_camerapostproc_xiaomi_client;
 attribute vendor_hal_camerapostproc_xiaomi_server;
+
 type vendor_hal_camerapostproc_xiaomi_hwservice, hwservice_manager_type;
 
-allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder { call transfer };
-allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:binder transfer;
-allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_server:fd *;
-allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
-allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder transfer;
-allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:binder { call transfer };
-allow vendor_hal_camerapostproc_xiaomi_server vendor_hal_camerapostproc_xiaomi_client:fd *;
-allow vendor_hal_camerapostproc_xiaomi platform_app:binder transfer;
-allow vendor_hal_camerapostproc_xiaomi platform_app:binder { call transfer };
-allow vendor_hal_camerapostproc_xiaomi platform_app:fd *;
-allow vendor_hal_camerapostproc_xiaomi priv_app:binder transfer;
-allow vendor_hal_camerapostproc_xiaomi priv_app:binder { call transfer };
-allow vendor_hal_camerapostproc_xiaomi priv_app:fd *;
-allow vendor_hal_camerapostproc_xiaomi system_app:binder transfer;
-allow vendor_hal_camerapostproc_xiaomi system_app:binder { call transfer };
-allow vendor_hal_camerapostproc_xiaomi system_app:fd *;
-add_hwservice(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+binder_call(vendor_hal_camerapostproc_xiaomi_client, vendor_hal_camerapostproc_xiaomi_server)
+binder_call(vendor_hal_camerapostproc_xiaomi_server, vendor_hal_camerapostproc_xiaomi_client)
+
+hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
+hal_attribute_hwservice(hal_camera, vendor_hal_camerapostproc_xiaomi_hwservice)
 
-allow hal_camera_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;
-allow hal_camera_default mnt_vendor_file:dir search;
 allow hal_camera_default camera_persist_file:dir search;
 allow hal_camera_default vendor_persist_sensors_file:dir search;
 allow hal_camera_default stmvl53l5_device:chr_file { ioctl open read write };
-allow hal_camera_default hal_quickcamera_hwservice:hwservice_manager { add find };
-dontaudit hal_camera graphics_device:dir search;
-dontaudit hal_camera_default default_prop:file read;
+
 r_dir_file(hal_camera_default, mnt_vendor_file)
 r_dir_file(hal_camera_default, camera_persist_file)
 r_dir_file(hal_camera_default, vendor_persist_sensors_file)
-hal_server_domain(hal_camera_default, vendor_hal_camerapostproc_xiaomi)
-add_hwservice(hal_camera_server, vendor_hal_camerapostproc_xiaomi_hwservice)
+
 set_prop(hal_camera_default, vendor_camera_p3enable_prop)
 set_prop(hal_camera_default, vendor_camera_sensor_prop)
+
+dontaudit hal_camera graphics_device:dir search;
+dontaudit hal_camera_default default_prop:file read;
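Review bot: Replacing the explicit lookup rules with `hal_attribute_hwservice(hal_camera, vendor_hal_camerapostproc_xiaomi_hwservice)` grants `find` to `hal_camera_client` only, while the removed line `allow vendor_hal_camerapostproc_xiaomi_client vendor_hal_camerapostproc_xiaomi_hwservice:hwservice_manager find;` gave it to the `vendor_hal_camerapostproc_xiaomi_client` attribute that the hunk still keeps for `binder_call`. If the postproc attribute is meant to be its own HAL with its own clients, the macro should be `hal_attribute_hwservice(vendor_hal_camerapostproc_xiaomi, vendor_hal_camerapostproc_xiaomi_hwservice)`; if only camera clients ever use it, the now-unused client/server attributes and their two `binder_call` lines can be dropped instead. The removal of `hal_quickcamera_hwservice:hwservice_manager { add find }` from hal_camera_default is also only safe if hal_camera_default is not the domain registering that service, since hal_quickcamera.te now grants `add` to `hal_quickcamera_server` alone.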

+ 17 - 28
sepolicy/vendor/hal_citsensorservice_xiaomi.te

@@ -1,50 +1,39 @@
-type vendor_hal_citsensorservice_xiaomi_default, domain;
-type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
-type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
 attribute vendor_hal_citsensorservice_xiaomi;
 attribute vendor_hal_citsensorservice_xiaomi_client;
 attribute vendor_hal_citsensorservice_xiaomi_server;
+
+type vendor_hal_citsensorservice_xiaomi_default, domain;
+type vendor_hal_citsensorservice_xiaomi_default_exec, exec_type, file_type, vendor_file_type;
+type vendor_hal_citsensorservice_xiaomi_hwservice, hwservice_manager_type;
+
 init_daemon_domain(vendor_hal_citsensorservice_xiaomi_default)
-r_dir_file(vendor_hal_citsensorservice_xiaomi_default, mnt_vendor_file)
-#set_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_cct_prop)
-vndbinder_use(vendor_hal_citsensorservice_xiaomi)
+
 hal_server_domain(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_citsensorservice_xiaomi)
 hal_client_domain(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_allocator)
+
 add_hwservice(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_hwservice)
-allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder { call transfer };
-allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:binder transfer;
-allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_server:fd *;
-allow vendor_hal_citsensorservice_xiaomi_client vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
-allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder transfer;
-allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:binder { call transfer };
-allow vendor_hal_citsensorservice_xiaomi_server vendor_hal_citsensorservice_xiaomi_client:fd *;
-allow vendor_hal_citsensorservice_xiaomi_default input_device:dir rw_dir_perms;
-allow vendor_hal_citsensorservice_xiaomi_default input_device:chr_file rw_file_perms;
-allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_data:file r_file_perms;
+
+vndbinder_use(vendor_hal_citsensorservice_xiaomi)
+binder_call(vendor_hal_citsensorservice_xiaomi_client, vendor_hal_citsensorservice_xiaomi_server)
+binder_call(vendor_hal_citsensorservice_xiaomi_server, vendor_hal_citsensorservice_xiaomi_client)
+binder_call(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_display_config_hwservice)
+binder_call(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_composer)
+
 allow vendor_hal_citsensorservice_xiaomi_default self:socket create_socket_perms;
 allow vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket create_socket_perms;
-allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:dir r_dir_perms;
-allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_graphics:file r_file_perms;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:dir create_dir_perms;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_persist_sensors_file:file create_file_perms;
 allow vendor_hal_citsensorservice_xiaomi_default fwk_sensor_hwservice:hwservice_manager find;
-allow vendor_hal_citsensorservice_xiaomi_default system_server:binder call;
-allow vendor_hal_citsensorservice_xiaomi_default system_server:binder transfer;
+allow vendor_hal_citsensorservice_xiaomi_default system_server:binder { call transfer };
 allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:dir search;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_sysfs_displayfeature:file { open read };
 allow vendor_hal_citsensorservice_xiaomi_default vendor_displayfeature_device:chr_file { ioctl open read write };
 allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_mapper_hwservice:hwservice_manager find;
-allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;
-allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:binder { call transfer };
-allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:fd *;
-allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:binder { call transfer };
-allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer:fd *;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_qdisplay_service:service_manager find;
-allow vendor_hal_citsensorservice_xiaomi_default hal_graphics_composer_default:binder transfer;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder call;
 allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_sensorcommunicate_default:binder transfer;
-allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
-allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl { 0xc300 0xc301 0xc302 0xc303 0xc304 0xc305 };
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:socket ioctl msm_sock_ipc_ioctls;
+allowxperm vendor_hal_citsensorservice_xiaomi_default self:qipcrtr_socket ioctl msm_sock_ipc_ioctls;
 
 get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_prop)
 userdebug_or_eng(`get_prop(vendor_hal_citsensorservice_xiaomi_default, vendor_sensors_debug_prop)');
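Review bot: The new `binder_call(vendor_hal_citsensorservice_xiaomi_default, vendor_hal_display_config_hwservice)` names a `hwservice_manager_type`, not a process domain, so it grants nothing the daemon can use, while the removed `allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;` was the rule that mattered and has no replacement. Suggest dropping the binder_call line and restoring `allow vendor_hal_citsensorservice_xiaomi_default vendor_hal_display_config_hwservice:hwservice_manager find;`; the call/transfer side is already covered by `binder_call(vendor_hal_citsensorservice_xiaomi_default, hal_graphics_composer)`. The switch to `msm_sock_ipc_ioctls` matches the previous 0xc300–0xc305 range only if that define comes from the Qualcomm ioctl_defines included in this build, which is worth confirming once.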

+ 1 - 3
sepolicy/vendor/hal_fingerprint.te

@@ -1,9 +1,7 @@
 type vendor_hal_fingerprint_hwservice_xiaomi, hwservice_manager_type;
 
-allow hal_fingerprint_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_fingerprint_default input_device:chr_file rwx_file_perms;
+allow hal_fingerprint_default input_device:chr_file rw_file_perms;
 allow hal_fingerprint_default input_device:dir r_dir_perms;
-allow hal_fingerprint_default mnt_vendor_file:dir search;
 allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_fingerprint_default sysfs_tp_fodstatus:chr_file r_file_perms;
 allow hal_fingerprint_default sysfs_tp_fodstatus:file r_file_perms;

+ 12 - 10
sepolicy/vendor/hal_mfidoca.te

@@ -1,13 +1,17 @@
 type hal_mfidoca_default, domain;
 type hal_mfidoca_default_exec, exec_type, file_type, vendor_file_type;
 type hal_mfidoca_hwservice, hwservice_manager_type;
+
 hal_attribute(mfidoca)
-allow hal_mfidoca_client hal_mfidoca_server:binder { call transfer };
-allow hal_mfidoca_client hal_mfidoca_server:binder transfer;
-allow hal_mfidoca_client hal_mfidoca_server:fd *;
-allow hal_mfidoca_server hal_mfidoca_client:binder transfer;
-allow hal_mfidoca_server hal_mfidoca_client:binder { call transfer };
-allow hal_mfidoca_server hal_mfidoca_client:fd *;
+init_daemon_domain(hal_mfidoca_default)
+
+hwbinder_use(hal_mfidoca_default)
+binder_call(hal_mfidoca_client, hal_mfidoca_server)
+binder_call(hal_mfidoca_server, hal_mfidoca_client)
+
+add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice)
+hal_server_domain(hal_mfidoca_default, hal_mfidoca)
+
 allow hal_mfidoca_default tee_device:chr_file rw_file_perms;
 allow hal_mfidoca_default firmware_file:dir r_dir_perms;
 allow hal_mfidoca_default firmware_file:file r_file_perms;
@@ -15,10 +19,8 @@ allow hal_mfidoca_default ion_device:chr_file rw_file_perms;
 allow hal_mfidoca_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
 allow hal_mfidoca_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
 allow hal_mfidoca_default hal_mtdservice_default:binder transfer;
-init_daemon_domain(hal_mfidoca_default)
+
 get_prop(hal_mfidoca_default, vendor_fp_prop)
 get_prop(hal_mfidoca_default, vendor_system_prop)
 set_prop(hal_mfidoca_default, vendor_payment_security_prop)
-hwbinder_use(hal_mfidoca_default)
-hal_server_domain(hal_mfidoca_default, hal_mfidoca)
-add_hwservice(hal_mfidoca_server, hal_mfidoca_hwservice)
+

+ 11 - 13
sepolicy/vendor/hal_mlipay.te

@@ -1,27 +1,25 @@
 type hal_mlipay_default, domain;
 type hal_mlipay_default_exec, exec_type, file_type, vendor_file_type;
 type hal_mlipay_hwservice, hwservice_manager_type;
+
 hal_attribute(mlipay)
-allow hal_mlipay_client hal_mlipay_server:binder { call transfer };
-allow hal_mlipay_client hal_mlipay_server:binder transfer;
-allow hal_mlipay_client hal_mlipay_server:fd *;
-allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;
-allow hal_mlipay_server hal_mlipay_client:binder transfer;
-allow hal_mlipay_server hal_mlipay_client:binder { call transfer };
-allow hal_mlipay_server hal_mlipay_client:fd *;
-allow hal_mlipay_default hal_mlipay_hwservice:hwservice_manager add;
+init_daemon_domain(hal_mlipay_default)
+
+hwbinder_use(hal_mlipay_default)
+binder_call(hal_mlipay_client, hal_mlipay_server)
+binder_call(hal_mlipay_server, hal_mlipay_client)
+
+add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
 allow hal_mlipay_default tee_device:chr_file rw_file_perms;
 allow hal_mlipay_default firmware_file:dir r_dir_perms;
 allow hal_mlipay_default firmware_file:file r_file_perms;
 allow hal_mlipay_default ion_device:chr_file rw_file_perms;
-allow hal_mlipay_default rootfs:lnk_file r_file_perms;
 allow hal_mlipay_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
 allow hal_mlipay_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
 allow hal_mlipay_default hal_mtdservice_default:binder transfer;
-init_daemon_domain(hal_mlipay_default)
+
 get_prop(hal_mlipay_default, vendor_fp_prop)
 get_prop(hal_mlipay_default, vendor_system_prop)
 set_prop(hal_mlipay_default, vendor_payment_security_prop)
-hwbinder_use(hal_mlipay_default)
-hal_server_domain(hal_mlipay_default, hal_mlipay)
-add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)
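Review bot: The removed `allow hal_mlipay_client hal_mlipay_hwservice:hwservice_manager find;` has no replacement: `add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)` grants `add`/`find` to the server attribute only, so client domains can no longer look the service up. hal_quickcamera.te drops its client `find` the same way in this commit, whereas hal_tidaservice.te, hal_slaservice.te and hal_sensorcommunicate.te keep theirs. Replacing `add_hwservice(hal_mlipay_server, hal_mlipay_hwservice)` with `hal_attribute_hwservice(hal_mlipay, hal_mlipay_hwservice)` (and likewise for quickcamera) gives the server `add` and the client attribute `find` in one line.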

+ 14 - 16
sepolicy/vendor/hal_mtdservice.te

@@ -1,17 +1,20 @@
 type hal_mtdservice_default, domain;
 type hal_mtdservice_default_exec, exec_type, file_type, vendor_file_type;
 type hal_mtdservice_hwservice, hwservice_manager_type;
+
 hal_attribute(mtdservice)
-allow hal_mtdservice_client hal_mtdservice_server:binder { call transfer };
-allow hal_mtdservice_client hal_mtdservice_server:binder transfer;
-allow hal_mtdservice_client hal_mtdservice_server:fd *;
-allow hal_mtdservice_server hal_mtdservice_client:binder transfer;
-allow hal_mtdservice_server hal_mtdservice_client:binder { call transfer };
-allow hal_mtdservice_server hal_mtdservice_client:fd *;
-allow hal_mtdservice_default hal_mlipay_default:binder { call transfer };
-allow hal_mtdservice_default hal_mlipay_default:fd *;
-allow hal_mtdservice_default hal_mfidoca_default:binder { call transfer };
-allow hal_mtdservice_default hal_mfidoca_default:fd *;
+
+init_daemon_domain(hal_mtdservice_default)
+
+hwbinder_use(hal_mtdservice_default)
+binder_call(hal_mtdservice_client, hal_mtdservice_server)
+binder_call(hal_mtdservice_server, hal_mtdservice_client)
+binder_call(hal_mtdservice_default, hal_mlipay_default)
+binder_call(hal_mtdservice_default, hal_mfidoca_default)
+
+add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)
+hal_server_domain(hal_mtdservice_default, hal_mtdservice)
+
 allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;
 allow hal_mtdservice_default firmware_file:dir r_dir_perms;
 allow hal_mtdservice_default firmware_file:file r_file_perms;
@@ -43,13 +46,8 @@ allow hal_mtdservice_default system_server:binder transfer;
 allow hal_mtdservice_default block_device:dir r_dir_perms;
 allow hal_mtdservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
 allow hal_mtdservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
-allow hal_mtdservice_default hal_tidaservice_default:binder transfer;
-allow hal_mtdservice_default hal_secure_element_default:binder transfer;
 type_transition hal_mtdservice mnt_vendor_file:dir vendor_persist_drm_file "fdsd";
-init_daemon_domain(hal_mtdservice_default)
+
 get_prop(hal_mtdservice_default, vendor_system_prop)
 get_prop(hal_mtdservice_default, vendor_cpuid_prop)
 set_prop(hal_mtdservice_default, vendor_payment_security_prop)
-hwbinder_use(hal_mtdservice_default)
-hal_server_domain(hal_mtdservice_default, hal_mtdservice)
-add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)
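Review bot: With `add_hwservice(hal_mtdservice_server, hal_mtdservice_hwservice)` and `hal_server_domain(hal_mtdservice_default, hal_mtdservice)` now at the top of the file, the kept line `allow hal_mtdservice_default hal_mtdservice_hwservice:hwservice_manager add;` is redundant, since hal_server_domain places the default domain in `hal_mtdservice_server`, which the macro already covers. The mlipay and quickcamera rewrites in this same commit drop their per-domain `add` lines, so this file is the odd one out; dropping it here too keeps the three consistent. The removed `hal_tidaservice_default`/`hal_secure_element_default:binder transfer` lines are covered by the `binder_call` additions in those files, so nothing is lost there.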

+ 2 - 2
sepolicy/vendor/hal_nfc.te

@@ -1,4 +1,4 @@
 allow hal_nfc_default vendor_nfc_vendor_data_file:dir create_dir_perms;
-allow hal_nfc_default vendor_data_file:dir rw_dir_perms;
-allow hal_nfc_default vendor_data_file:file { create rw_file_perms };
+allow hal_nfc_default vendor_nfc_vendor_data_file:file create_file_perms;
+
 get_prop(hal_nfc_default, vendor_nfc_mi_prop)

+ 7 - 21
sepolicy/vendor/hal_quickcamera.te

@@ -1,27 +1,13 @@
 type hal_quickcamera_default, domain;
 type hal_quickcamera_default_exec, exec_type, file_type, vendor_file_type;
 type hal_quickcamera_hwservice, hwservice_manager_type;
+
 hal_attribute(quickcamera)
-allow hal_quickcamera_client hal_quickcamera_server:binder { call transfer };
-allow hal_quickcamera_client hal_quickcamera_server:binder transfer;
-allow hal_quickcamera_client hal_quickcamera_server:fd *;
-allow hal_quickcamera_client hal_quickcamera_hwservice:hwservice_manager find;
-allow hal_quickcamera_server hal_quickcamera_client:binder transfer;
-allow hal_quickcamera_server hal_quickcamera_client:binder { call transfer };
-allow hal_quickcamera_server hal_quickcamera_client:fd *;
-allow hal_quickcamera_server hidl_base_hwservice:hwservice_manager add;
-allow hal_quickcamera_server hal_quickcamera_hwservice:hwservice_manager { add find };
-allow hal_quickcamera_default platform_app:binder transfer;
-allow hal_quickcamera_default platform_app:binder { call transfer };
-allow hal_quickcamera_default platform_app:fd *;
-allow hal_quickcamera_default system_app:binder transfer;
-allow hal_quickcamera_default system_app:binder { call transfer };
-allow hal_quickcamera_default system_app:fd *;
-allow hal_quickcamera platform_app:binder transfer;
-allow hal_quickcamera platform_app:binder { call transfer };
-allow hal_quickcamera platform_app:fd *;
-allow hal_quickcamera system_app:binder transfer;
-allow hal_quickcamera system_app:binder { call transfer };
-allow hal_quickcamera system_app:fd *;
+
 init_daemon_domain(hal_quickcamera_default)
 hal_server_domain(hal_quickcamera_default, hal_quickcamera)
+
+binder_call(hal_quickcamera_client, hal_quickcamera_server)
+binder_call(hal_quickcamera_server, hal_quickcamera_client)
+
+add_hwservice(hal_quickcamera_server, hal_quickcamera_hwservice)

+ 2 - 2
sepolicy/vendor/hal_secure_element.te

@@ -1,3 +1,3 @@
+binder_call(hal_secure_element_default, hal_mtdservice_default)
+
 allow hal_secure_element_default hal_mtdservice_hwservice:hwservice_manager find;
-allow hal_secure_element_default hal_mtdservice_default:binder { call transfer };
-allow hal_secure_element_default hal_mtdservice_default:fd *;

+ 12 - 14
sepolicy/vendor/hal_sensorcommunicate.te

@@ -1,26 +1,24 @@
 type vendor_hal_sensorcommunicate_default, domain;
 type vendor_hal_sensorcommunicate_default_exec, exec_type, file_type, vendor_file_type;
 type vendor_hal_sensorcommunicate_hwservice, hwservice_manager_type;
+
 attribute vendor_hal_sensorcommunicate;
 attribute vendor_hal_sensorcommunicate_client;
 attribute vendor_hal_sensorcommunicate_server;
-allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder { call transfer };
-allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:binder transfer;
-allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_server:fd *;
+
+init_daemon_domain(vendor_hal_sensorcommunicate_default)
+
+hwbinder_use(vendor_hal_sensorcommunicate_default)
+binder_call(vendor_hal_sensorcommunicate_client, vendor_hal_sensorcommunicate_server)
+binder_call(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_client)
+
+add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
+hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
+
 allow vendor_hal_sensorcommunicate_client vendor_hal_sensorcommunicate_hwservice:hwservice_manager find;
-allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder transfer;
-allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:binder { call transfer };
-allow vendor_hal_sensorcommunicate_server vendor_hal_sensorcommunicate_client:fd *;
-allow vendor_hal_sensorcommunicate_default fwk_sensor_hwservice:hwservice_manager find;
 allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_hwservice:hwservice_manager find;
-allow vendor_hal_sensorcommunicate_default system_server:binder call;
-allow vendor_hal_sensorcommunicate_default system_server:binder transfer;
 allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder call;
 allow vendor_hal_sensorcommunicate_default vendor_hal_citsensorservice_xiaomi_default:binder transfer;
-allow vendor_hal_sensorcommunicate_default mnt_vendor_file:dir search;
 allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:dir search;
 allow vendor_hal_sensorcommunicate_default vendor_persist_sensors_file:file { getattr open read };
-init_daemon_domain(vendor_hal_sensorcommunicate_default)
-hwbinder_use(vendor_hal_sensorcommunicate_default)
-hal_server_domain(vendor_hal_sensorcommunicate_default, vendor_hal_sensorcommunicate)
-add_hwservice(vendor_hal_sensorcommunicate_server, vendor_hal_sensorcommunicate_hwservice)
+
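Review bot: Beyond the macro rewrite this hunk also removes `fwk_sensor_hwservice:hwservice_manager find` and both `system_server:binder` rules for vendor_hal_sensorcommunicate_default, which is a loss of access rather than a cleanup and is not mentioned in the commit message; the sibling daemon in hal_citsensorservice_xiaomi.te keeps the equivalent rules. If the daemon still registers with the framework sensor service or is called back by system_server, these will surface as denials on first boot, so please confirm against a denial log or restore them. The trailing empty `+` line at the end of the file can also be dropped.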

+ 2 - 2
sepolicy/vendor/hal_sensors.te

@@ -4,5 +4,5 @@ allow hal_sensors_default sound_device:chr_file rw_file_perms;
 allow hal_sensors_default vendor_sysfs_graphics:dir r_dir_perms;
 allow hal_sensors_default vendor_sysfs_graphics:file r_file_perms;
 allow hal_sensors_default stmvl53l5_device:chr_file { ioctl open read write };
-
-allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;
+allow hal_sensors_default sysfs_tp_fodstatus:file r_file_perms;
+allow hal_sensors_default sysfs_tp_virtual_prox:file rw_file_perms;
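Review bot: `sysfs_tp_virtual_prox` is used here for the first time in this diff, but no `type sysfs_tp_virtual_prox, ...` declaration and no `genfscon` or file_contexts entry labelling a sysfs node with it appear in the commit; unless both already exist in a file not touched here, the build fails on the undeclared type or the rule never matches a real node. Please reference the declaration in the commit message or add it alongside this rule. `rw_file_perms` also grants write — if the HAL only reads the virtual proximity state, `r_file_perms` as on the `sysfs_tp_fodstatus` line above is the tighter choice.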

+ 12 - 7
sepolicy/vendor/hal_slaservice.te

@@ -1,17 +1,22 @@
 type hal_slaservice_qti, domain;
 type hal_slaservice_qti_exec, exec_type, file_type, vendor_file_type;
 type hal_slaservice_hwservice, hwservice_manager_type;
+
 hal_attribute(slaservice)
-allow hal_slaservice_qti vendor_slad_prop:file read;
+
+init_daemon_domain(hal_slaservice_qti)
+
+add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
+hal_server_domain(hal_slaservice_qti, hal_slaservice)
+
+binder_call(hal_slaservice_client, hal_slaservice_server)
+
 allow hal_slaservice_qti socket_device:sock_file write;
-allow hal_slaservice_client hal_slaservice_server:binder { call transfer };
-allow hal_slaservice_client hal_slaservice_server:fd *;
 allow hal_slaservice_client hal_slaservice_hwservice:hwservice_manager find;
-allow hal_slaservice_server hal_slaservice_client:binder transfer;
-init_daemon_domain(hal_slaservice_qti)
+
 unix_socket_connect(hal_slaservice_qti, property, slad)
 unix_socket_connect(hal_slaservice_qti, slad, init)
 unix_socket_connect(hal_slaservice_qti, slad, slad)
+
+set_prop(hal_slaservice_qti, vendor_slad_prop)
 set_prop(hal_slaservice_qti, vendor_slad_prop)
-hal_server_domain(hal_slaservice_qti, hal_slaservice)
-add_hwservice(hal_slaservice_server, hal_slaservice_hwservice)
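Review bot: `set_prop(hal_slaservice_qti, vendor_slad_prop)` now appears twice in a row, the added line directly above the existing one, so one of the two should be dropped. The removed `allow hal_slaservice_qti vendor_slad_prop:file read;` is covered by `set_prop` (it expands through `get_prop`), so nothing else is lost. `binder_call(hal_slaservice_client, hal_slaservice_server)` is one-directional here while the other HALs in this commit add both directions; that matches the removed rules, where the server only had `transfer` back, so it is fine as written.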

+ 13 - 16
sepolicy/vendor/hal_tidaservice.te

@@ -1,34 +1,31 @@
 type hal_tidaservice_default, domain;
 type hal_tidaservice_default_exec, exec_type, file_type, vendor_file_type;
 type hal_tidaservice_hwservice, hwservice_manager_type;
+
 hal_attribute(tidaservice)
-allow hal_tidaservice_client hal_tidaservice_server:binder { call transfer };
-allow hal_tidaservice_client hal_tidaservice_server:binder transfer;
-allow hal_tidaservice_client hal_tidaservice_server:fd *;
+
+init_daemon_domain(hal_tidaservice_default)
+
+hwbinder_use(hal_tidaservice_default)
+binder_call(hal_tidaservice_client, hal_tidaservice_server)
+binder_call(hal_tidaservice_server, hal_tidaservice_client)
+binder_call(hal_tidaservice_default, hal_mtdservice_default)
+
+add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
+hal_server_domain(hal_tidaservice_default, hal_tidaservice)
+
 allow hal_tidaservice_client hal_tidaservice_hwservice:hwservice_manager find;
-allow hal_tidaservice_server hal_tidaservice_client:binder transfer;
-allow hal_tidaservice_server hal_tidaservice_client:binder { call transfer };
-allow hal_tidaservice_server hal_tidaservice_client:fd *;
-allow hal_tidaservice_default hal_mtdservice_default:binder { call transfer };
-allow hal_tidaservice_default hal_mtdservice_default:fd *;
 allow hal_tidaservice_default tee_device:chr_file rw_file_perms;
 allow hal_tidaservice_default firmware_file:dir r_dir_perms;
 allow hal_tidaservice_default firmware_file:file r_file_perms;
 allow hal_tidaservice_default ion_device:chr_file rw_file_perms;
-allow hal_tidaservice_default rootfs:lnk_file r_file_perms;
 allow hal_tidaservice_default hal_mtdservice_hwservice:hwservice_manager find;
-allow hal_tidaservice_default platform_app:binder transfer;
 allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:hwservice_manager find;
 allow hal_tidaservice_default vendor_hal_tui_comm_hwservice:binder { call transfer };
 allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };
-allow hal_tidaservice_default sysfs:dir { open read };
-allow hal_tidaservice_default sysfs:file { open read write };
 allow hal_tidaservice_default vendor_dmabuf_qseecom_heap_device:chr_file { ioctl open read };
 allow hal_tidaservice_default vendor_dmabuf_qseecom_ta_heap_device:chr_file { ioctl open read };
-init_daemon_domain(hal_tidaservice_default)
+
 get_prop(hal_tidaservice_default, vendor_fp_prop)
 get_prop(hal_tidaservice_default, vendor_system_prop)
 get_prop(hal_tidaservice_default, vendor_payment_security_prop)
-hwbinder_use(hal_tidaservice_default)
-hal_server_domain(hal_tidaservice_default, hal_tidaservice)
-add_hwservice(hal_tidaservice_server, hal_tidaservice_hwservice)
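Review bot: The two TUI rules kept as context, `allow hal_tidaservice_default vendor_hal_tui_comm_qti:binder { call transfer };` and the `vendor_hal_tui_comm_hwservice:binder { call transfer }` line above it, remain raw allows while every other binder pair in this hunk was converted to `binder_call`; for consistency the first could become `binder_call(hal_tidaservice_default, vendor_hal_tui_comm_qti)`, which also grants `fd use` instead of a bare call/transfer. The target of the second is a hwservice_manager_type rather than a process domain, so that rule presumably never matches; verify against a denial before keeping it. Dropping the generic `sysfs:file { open read write }` rules is a clear tightening; if the HAL still needs a specific sysfs node it should get a labelled type of its own.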

+ 20 - 12
sepolicy/vendor/hwservice_contexts

@@ -1,12 +1,20 @@
-vendor.xiaomi.hardware.campostproc::IMiPostProcService       u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
-vendor.qti.sla.service::ISlaService                          u:object_r:hal_slaservice_hwservice:s0
-vendor.xiaomi.sensor.citsensorservice::ICitSensorService   u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
-vendor.xiaomi.sensor.communicate::ISensorCommunicate  u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
-vendor.xiaomi.hardware.quickcamera::IQuickCameraService    u:object_r:hal_quickcamera_hwservice:s0
-
-vendor.xiaomi.hardware.mfidoca::IFidoService       u:object_r:hal_mfidoca_hwservice:s0
-vendor.xiaomi.hardware.mlipay::IMlipayService       u:object_r:hal_mlipay_hwservice:s0
-vendor.xiaomi.hardware.mtdservice::IMTService       u:object_r:hal_mtdservice_hwservice:s0
-vendor.xiaomi.hardware.tidaservice::ITidaService       u:object_r:hal_tidaservice_hwservice:s0
-vendor.xiaomi.hardware.bgservice::IBGService                 u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
-vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel                                        u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
+# Camera
+vendor.xiaomi.hardware.bgservice::IBGService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.campostproc::IMiPostProcService u:object_r:vendor_hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.quickcamera::IQuickCameraService u:object_r:hal_quickcamera_hwservice:s0
+
+# Fingerprint
+vendor.xiaomi.hardware.fx.tunnel::IMiFxTunnel u:object_r:vendor_hal_fingerprint_hwservice_xiaomi:s0
+
+# SLA
+vendor.qti.sla.service::ISlaService u:object_r:hal_slaservice_hwservice:s0
+
+# Sensors
+vendor.xiaomi.sensor.citsensorservice::ICitSensorService u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
+vendor.xiaomi.sensor.communicate::ISensorCommunicate u:object_r:vendor_hal_sensorcommunicate_hwservice:s0
+
+# Mlipay
+vendor.xiaomi.hardware.mfidoca::IFidoService u:object_r:hal_mfidoca_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.mtdservice::IMTService u:object_r:hal_mtdservice_hwservice:s0
+vendor.xiaomi.hardware.tidaservice::ITidaService u:object_r:hal_tidaservice_hwservice:s0

+ 1 - 2
sepolicy/vendor/init.te

@@ -1,6 +1,6 @@
-allow init ddr_training_exec:file { execute getattr open read };
 allow init slad_exec:file { getattr open read };
 allow init sla_data_file:file rw_file_perms;
+
 set_prop(vendor_init, vendor_fp_prop)
 set_prop(vendor_init, vendor_fp_info_prop)
 set_prop(vendor_init, vendor_thermal_normal_prop)
@@ -8,4 +8,3 @@ set_prop(vendor_init, vendor_nfc_mi_prop)
 set_prop(vendor_init, vendor_ssr_prop)
 set_prop(vendor_init, vendor_edgnss_qxwz_downloadak_prop)
 set_prop(vendor_init, vendor_qcc_prop)
-allow vendor_init cgroup:file getattr;

+ 5 - 2
sepolicy/vendor/mi_thermald.te

@@ -1,5 +1,8 @@
 type mi_thermald, domain, mlstrustedsubject;
 type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
 allow mi_thermald sysfs_devices_system_cpu:file rw_file_perms;
 allow mi_thermald self:capability { fsetid sys_boot };
 allow mi_thermald sysfs_thermal:file w_file_perms;
@@ -22,9 +25,9 @@ allow mi_thermald vendor_data_file:dir { add_name read remove_name watch write }
 allow mi_thermald vendor_data_file:file { create getattr open read rename setattr unlink write };
 allow mi_thermald sys_thermal_wifi_limit:file { open read write };
 allow mi_thermald sys_thermal_wifi_limit:file rw_file_perms;
-init_daemon_domain(mi_thermald)
+
 r_dir_file(mi_thermald, sysfs_thermal)
-r_dir_file(mi_thermald, sysfs)
 r_dir_file(mi_thermald, sysfs_leds)
 r_dir_file(mi_thermald, vendor_sysfs_qcom_battery)
+
 set_prop(mi_thermald, vendor_thermal_normal_prop)
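Review bot: The context lines `allow mi_thermald sys_thermal_wifi_limit:file { open read write };` and `allow mi_thermald sys_thermal_wifi_limit:file rw_file_perms;` duplicate each other, the first being a strict subset of the second; a cleanup pass should keep only one, and the enumerated form is the narrower. Removing `r_dir_file(mi_thermald, sysfs)` is the right direction since the generic sysfs label covers every unlabelled node; any denial that follows should be answered with a dedicated type rather than by restoring the broad rule.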

+ 0 - 3
sepolicy/vendor/property.te

@@ -2,9 +2,6 @@
 vendor_public_prop(vendor_camera_p3enable_prop)
 vendor_public_prop(vendor_camera_sensor_prop)
 
-# DDR
-vendor_public_prop(vendor_ddr_prop)
-
 # Device ID
 vendor_public_prop(vendor_deviceid_prop)
 vendor_public_prop(vendor_sno_prop)

+ 0 - 2
sepolicy/vendor/qrtr.te

@@ -1,2 +0,0 @@
-allow vendor_qrtr vendor_data_file:dir create_dir_perms;
-allow vendor_qrtr vendor_data_file:file create_file_perms;

+ 1 - 3
sepolicy/vendor/rild.te

@@ -2,8 +2,6 @@ allow rild vendor_radio_smd_device:file { open read write };
 allow rild vendor_radio_smd_device:chr_file { open read write };
 allow rild vendor_modem_data_file:dir create_dir_perms;
 allow rild vendor_modem_data_file:file create_file_perms;
+
 set_prop(rild, vendor_deviceid_prop)
 set_prop(rild, vendor_sno_prop)
-#set_prop(rild, default_prop)
-allow rild vendor_data_file:dir create_dir_perms;
-allow rild vendor_data_file:file create_file_perms;

+ 5 - 0
sepolicy/vendor/slad.te

@@ -1,6 +1,7 @@
 type slad, domain;
 type slad_exec, exec_type, file_type, vendor_file_type;
 type qti_proc_sla, proc_type;
+
 allow slad slad_socket:sock_file { getattr read write };
 allow slad slad_socket:sock_file unlink;
 allow slad slad:netlink_socket { bind create read write };
@@ -22,8 +23,11 @@ allow slad socket_device:sock_file { create setattr unlink };
 allow slad qti_proc_sla:dir search;
 allow slad qti_proc_sla:file { map open read write };
 allow slad vendor_shell_exec:file execute_no_trans;
+
 dontaudit slad self:capability dac_read_search;
+
 init_daemon_domain(slad)
+
 unix_socket_connect(slad, dnsproxyd, slad)
 unix_socket_connect(slad, dnsproxyd, netd)
 unix_socket_connect(slad, dnsproxyd, init)
@@ -32,5 +36,6 @@ unix_socket_connect(slad, fwmarkd, netd)
 unix_socket_connect(slad, fwmarkd, init)
 unix_socket_connect(slad, property, slad)
 unix_socket_connect(slad, property, netd)
+
 set_prop(slad, vendor_slad_prop)
 net_domain(slad)

+ 0 - 1
sepolicy/vendor/surfaceflinger.te

@@ -1 +0,0 @@
-allow surfaceflinger vendor_sysfs_graphics:dir { open read search };

+ 1 - 2
sepolicy/vendor/tee.te

@@ -1,3 +1,2 @@
-allow tee vendor_fingerprint_data_file:dir rw_dir_perms;
-allow tee vendor_fingerprint_data_file:file rw_file_perms;
+allow tee vendor_fingerprint_data_file:dir create_dir_perms;
 allow tee vendor_fingerprint_data_file:file create_file_perms;
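Review bot: The new `allow tee vendor_fingerprint_data_file:dir create_dir_perms;` widens the directory permission from `rw_dir_perms` to `create_dir_perms`, which adds create, rmdir and reparent on the fingerprint data directory; since the commit describes a cleanup, this looks like a privilege increase that should be backed by an observed denial. If tee only creates and writes files inside an existing directory, `rw_dir_perms` together with the unchanged `create_file_perms` already covers that. Dropping the redundant `rw_file_perms` file rule is fine, as create_file_perms already includes it.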

+ 1 - 9
sepolicy/vendor/vendor_qti_init_shell.te

@@ -1,11 +1,3 @@
-allow vendor_qti_init_shell configfs:dir { add_name create write };
-# NECESSARY?
-allow vendor_qti_init_shell configfs:dir setattr;
-# END
-allow vendor_qti_init_shell sysfs_dm:file rw_file_perms;
-allow vendor_qti_init_shell sysfs_dm:dir r_dir_perms;
 allow vendor_qti_init_shell vendor_sysfs_msm_perf:file w_file_perms;
-allow vendor_qti_init_shell vendor_sysfs_qdss_dev:file { setattr write };
-set_prop(vendor_qti_init_shell, vendor_panel_info_prop)
 
-#get_prop(vendor_qti_init_shell, default_prop)
+set_prop(vendor_qti_init_shell, vendor_panel_info_prop)

+ 3 - 13
sepolicy/vendor/wcnss_service.te

@@ -1,16 +1,6 @@
-#allow vendor_wcnss_service self:netlink_generic_socket ioctl;
 allow vendor_wcnss_service self:capability { net_raw setgid setuid };
-#allow vendor_wcnss_service self:packet_socket { bind create getopt ioctl map read setopt };
 allow vendor_wcnss_service self:packet_socket write;
 allow vendor_wcnss_service sysfs_net:file read;
-allow vendor_wcnss_service vendor_mac_vendor_data_file:dir { add_name open read search setattr write };
-allow vendor_wcnss_service vendor_mac_vendor_data_file:dir rw_dir_perms;
-allow vendor_wcnss_service vendor_mac_vendor_data_file:file { create getattr open read setattr write };
-allow vendor_wcnss_service mnt_vendor_file:dir { add_name create read search write };
-allow vendor_wcnss_service mnt_vendor_file:file { create open read setattr write };
-#allow vendor_wcnss_service vendor_diag_device:chr_file { create ioctl open read write };
-allow vendor_wcnss_service vendor_sysfs_diag:dir search;
-allow vendor_wcnss_service vendor_sysfs_diag:file { open read };
-allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:dir { add_name getattr open read remove_name search setattr write };
-allow vendor_wcnss_service vendor_wifi_vendor_log_data_file:file { append create getattr open read rename setattr unlink write };
-allow vendor_wcnss_service vendor_proc_wifi_dbg:file { create getattr open read setattr write };
+allow vendor_wcnss_service mnt_vendor_file:dir search;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:dir create_dir_perms;
+allow vendor_wcnss_service vendor_mac_vendor_data_file:file create_file_perms;
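Review bot: The rewritten rules on the last two lines replace enumerated permission sets with `create_dir_perms` and `create_file_perms`, which add rename, unlink, rmdir, ioctl, lock and map on vendor_mac_vendor_data_file compared with the removed lines; for a file that stores the Wi-Fi MAC address, the narrower old set `{ create getattr open read setattr write }` should be kept unless a denial shows otherwise. The removed vendor_wifi_vendor_log_data_file and vendor_proc_wifi_dbg rules will surface as avc denials if the service still writes its logs; if that path is intentionally unsupported, a `dontaudit` keeps the log quiet. `mnt_vendor_file:dir search` alone is consistent with only traversing to the vendor data file, which matches the narrowing of the removed add_name/create rules.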