[ALPS04239425] Sepolicy: fix undefined type declration

[Detail]
Unknown type:untrusted_v2_app,alarm_device,qtaguid_proc,mtd_device
Duplicated type:proc_slabinfo

MTK-Commit-Id: 11ccfcffb994452eb58a697e94a8da748ac73933

Change-Id: I2e847041d14d6b6613044cfaa98f242b7fd9381a
CR-Id: ALPS04239425
Feature: Build System

non_plat/aee_aed.te

@@ -46,7 +46,7 @@ set_prop(aee_aed, debug_mtk_aee_prop);
 allow aee_aed proc_lk_env:file rw_file_perms;
 
 # Purpose: Allow aee_aed to read /proc/pid/exe
-allow aee_aed exec_type:file r_file_perms;
+#allow aee_aed exec_type:file r_file_perms;
 
 # Purpose: Allow aee_aed to read /proc/cpu/alignment
 allow aee_aed proc_cpu_alignment:file { write open };

non_plat/aee_aedv.te

@@ -107,14 +107,14 @@ allow aee_aedv proc_lk_env:file rw_file_perms;
 # Purpose : make aee_aedv can get specific process NE info
 allow aee_aedv domain:dir r_dir_perms;
 allow aee_aedv domain:{ file lnk_file } r_file_perms;
-allow aee_aedv {
-  domain
-  -logd
-  -keystore
-  -init
-}:process ptrace;
-allow aee_aedv zygote_exec:file r_file_perms;
-allow aee_aedv init_exec:file r_file_perms;
+#allow aee_aedv {
+#  domain
+#  -logd
+#  -keystore
+#  -init
+#}:process ptrace;
+#allow aee_aedv zygote_exec:file r_file_perms;
+#allow aee_aedv init_exec:file r_file_perms;
 
 # Data : 2017/04/06
 # Operation : add selinux rule for crash_dump notify aee_aedv
@@ -297,14 +297,14 @@ allow aee_aedv hwservicemanager_prop:file { read open getattr };
 # - avc: denied { find } for interface=android.hardware.camera.provider::ICameraProvider pid=2956
 #   scontext=u:r:aee_aedv:s0 tcontext=u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
 # - Transaction error in ICameraProvider::debug: Status(EX_TRANSACTION_FAILED)
-allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
+#allow aee_aedv hal_camera_hwservice:hwservice_manager { find };
 binder_call(aee_aedv, mtk_hal_camera)
 
 # Purpose: allow aee to read /sys/fs/selinux/enforce to get selinux status
 allow aee_aedv selinuxfs:file r_file_perms;
 
 # Purpose: Allow aee_aedv to read /proc/pid/exe
-allow aee_aedv exec_type:file r_file_perms;
+#allow aee_aedv exec_type:file r_file_perms;
 
 # Purpose: mrdump pre-allocation: immutable and userdata
 # - avc: denied { linux_immutable } for capability=9 scontext=u:r:aee_aedv:s0
@@ -388,11 +388,11 @@ allow aee_aedv sysfs_vcore_debug:file r_file_perms;
 allow aee_aedv sysfs_boot_mode:file r_file_perms;
 
 #Purpose: Allow aee_aedv to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
-userdebug_or_eng(`
-  allow aee_aedv debugfs_tracing_debug:file { r_file_perms write };
-')
+#userdebug_or_eng(`
+#  allow aee_aedv debugfs_tracing_debug:file { r_file_perms write };
+#')
 # Purpose: allow aee_aedv self to sys_ptrace/dac_read_search/dac_override
-userdebug_or_eng(`allow aee_aedv self:capability { sys_ptrace dac_read_search dac_override };')
+#userdebug_or_eng(`allow aee_aedv self:capability { sys_ptrace dac_read_search dac_override };')
 
 #Purpose: Allow aee_aedv to read /sys/mtk_memcfg/slabtrace
 allow aee_aedv proc_slabtrace:file r_file_perms;

non_plat/audiocmdservice_atci.te

@@ -22,7 +22,7 @@ binder_call(audiocmdservice_atci,mtk_hal_audio);
 #Android O porting
 hwbinder_use(audiocmdservice_atci)
 get_prop(audiocmdservice_atci, hwservicemanager_prop);
-allow audiocmdservice_atci hal_audio_hwservice:hwservice_manager find;
+#allow audiocmdservice_atci hal_audio_hwservice:hwservice_manager find;
 
 #To access the file at /dev/kmsg
 allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;

non_plat/connsyslogger.te

@@ -5,7 +5,7 @@
 # Type Declaration
 # ==============================================
 type connsyslogger,domain;
-type connsyslogger_exec, exec_type, file_type;
+type connsyslogger_exec, system_file_type, exec_type, file_type;
 typeattribute connsyslogger coredomain;
 # Purpose : for create hidl server
 hal_server_domain(connsyslogger, mtk_hal_log)

non_plat/domain.te

@@ -33,7 +33,6 @@ allow coredomain vendor_file:lnk_file { getattr read };
 allow {
   coredomain
   -untrusted_app_all
-  -untrusted_v2_app
 } aee_aed:unix_stream_socket connectto;
 allow { domain -coredomain -hal_configstore_server -vendor_init } aee_aedv:unix_stream_socket connectto;
 

non_plat/factory.te

@@ -310,10 +310,10 @@ allow factory self:tcp_socket create_stream_socket_perms;
 allow factory self:udp_socket create_socket_perms;
 
 allow factory sysfs_wake_lock:file rw_file_perms;
-allow factory system_file:file x_file_perms;
+#allow factory system_file:file x_file_perms;
 
 # For Light HIDL permission
-allow factory hal_light_hwservice:hwservice_manager find;
+#allow factory hal_light_hwservice:hwservice_manager find;
 allow factory mtk_hal_light:binder call;
 allow factory merged_hal_service:binder call;
 # For vibrator test permission

non_plat/file.te

@@ -55,7 +55,6 @@ type proc_lk_env, fs_type, proc_type;
 type proc_ged, fs_type, proc_type;
 type proc_perfmgr, fs_type, proc_type;
 type proc_wmtdbg, fs_type, proc_type;
-type proc_slabinfo, fs_type, proc_type;
 type proc_zraminfo, fs_type, proc_type;
 type proc_cpu_alignment, fs_type, proc_type;
 type proc_gpulog, fs_type, proc_type;

non_plat/file_contexts

@@ -315,8 +315,6 @@
 /dev/ttyUSB3         u:object_r:tty_device:s0
 /dev/ttyUSB4         u:object_r:tty_device:s0
 /dev/TV-out(/.*)? u:object_r:TV_out_device:s0
-/dev/ubi_ctrl u:object_r:mtd_device:s0
-/dev/ubi[_0-9]* u:object_r:mtd_device:s0
 /dev/uboot(/.*)? u:object_r:uboot_device:s0
 /dev/uibc(/.*)? u:object_r:uibc_device:s0
 /dev/uinput(/.*)? u:object_r:uinput_device:s0
@@ -382,8 +380,6 @@
 /dev/block/sdc u:object_r:bootdevice_block_device:s0
 /dev/block/mmcblk1 u:object_r:mmcblk1_block_device:s0
 /dev/block/mmcblk1p1 u:object_r:mmcblk1p1_block_device:s0
-/dev/block/mtd(.*)?     u:object_r:mtd_device:s0
-/dev/block/mntlblk(.*)?     u:object_r:mtd_device:s0
 /dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/proinfo     u:object_r:nvram_device:s0
 /dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvram       u:object_r:nvram_device:s0
 /dev/block/platform/mtk-\b(msdc|ufs)\b\.0/[0-9]+\.\b(msdc0|ufs0)\b/by-name/nvdata      u:object_r:nvdata_device:s0

non_plat/fm_hidl_service.te

@@ -14,6 +14,6 @@ init_daemon_domain(fm_hidl_service)
 
 vndbinder_use(fm_hidl_service)
 
-r_dir_file(fm_hidl_service, system_file)
+#r_dir_file(fm_hidl_service, system_file)
 
 allow fm_hidl_service fm_device:chr_file { rw_file_perms };

non_plat/genfs_contexts

@@ -21,7 +21,6 @@ genfscon proc /ged u:object_r:proc_ged:s0
 genfscon proc /perfmgr u:object_r:proc_perfmgr:s0
 genfscon proc /driver/wmt_dbg u:object_r:proc_wmtdbg:s0
 
-genfscon proc /slabinfo u:object_r:proc_slabinfo:s0
 genfscon proc /zraminfo u:object_r:proc_zraminfo:s0
 genfscon proc /gpulog u:object_r:proc_gpulog:s0
 genfscon proc /cpu/alignment u:object_r:proc_cpu_alignment:s0

non_plat/init.te

@@ -42,7 +42,7 @@ allow init para_block_device:blk_file w_file_perms;
 # Operation : Migration
 # Purpose : disable AT_SECURE for LD_PRELOAD
 userdebug_or_eng(`
-  allow init { domain -lmkd -crash_dump }:process noatsecure;
+  allow init { domain -lmkd -crash_dump -llkd }:process noatsecure;
 ')
 
 # Date : WK16.26

non_plat/lbs_dbg.te

@@ -9,7 +9,7 @@ type lbs_dbg, domain;
 # MTK Policy Rule
 # ==============================================
 file_type_auto_trans(lbs_dbg, system_data_file, lbs_dbg_data_file);
-type lbs_dbg_exec, exec_type, file_type;
+type lbs_dbg_exec, system_file_type, exec_type, file_type;
 typeattribute lbs_dbg coredomain;
 
 init_daemon_domain(lbs_dbg)
@@ -53,4 +53,4 @@ allow lbs_dbg media_rw_data_file:file unlink;
 allow lbs_dbg sdcardfs:file unlink;
 
 allow lbs_dbg vfat:dir { write remove_name create add_name };
-allow lbs_dbg vfat:file { write rename create open getattr unlink };
+allow lbs_dbg vfat:file { write rename create open getattr unlink };

non_plat/lbs_hidl_service.te

@@ -5,7 +5,7 @@ type lbs_hidl_service_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(lbs_hidl_service)
 vndbinder_use(lbs_hidl_service)
 
-r_dir_file(lbs_hidl_service, system_file)
+#r_dir_file(lbs_hidl_service, system_file)
 unix_socket_connect(lbs_hidl_service, agpsd, mtk_agpsd);
 allow lbs_hidl_service mtk_agpsd:unix_dgram_socket sendto;
 allow lbs_hidl_service mnld:unix_dgram_socket sendto;

non_plat/merged_hal_service.te

@@ -20,7 +20,7 @@ allow merged_hal_service sysfs:file write;
 #mtk libs_hidl_service permissions
 hal_server_domain(merged_hal_service, mtk_hal_lbs)
 vndbinder_use(merged_hal_service)
-r_dir_file(merged_hal_service, system_file)
+#r_dir_file(merged_hal_service, system_file)
 unix_socket_connect(merged_hal_service, agpsd, mtk_agpsd);
 allow merged_hal_service mtk_agpsd:unix_dgram_socket sendto;
 

non_plat/meta_tst.te

@@ -277,7 +277,7 @@ allow meta_tst mddb_data_file:dir { search write add_name create getattr read op
 # Purpose : Allow meta_tst to call Audio HAL service
 binder_call(meta_tst, mtk_hal_audio)
 allow meta_tst mtk_hal_audio:binder call;
-allow meta_tst hal_audio_hwservice:hwservice_manager find;
+#allow meta_tst hal_audio_hwservice:hwservice_manager find;
 allow meta_tst mtk_audiohal_data_file:dir {read search open};
 allow meta_tst proc:file {read open};
 allow meta_tst audio_device:chr_file rw_file_perms;

non_plat/mtk_hal_bluetooth.te

@@ -2,7 +2,7 @@ type mtk_hal_bluetooth, domain;
 type mtk_hal_bluetooth_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(mtk_hal_bluetooth)
 
-r_dir_file(mtk_hal_bluetooth, system_file)
+#r_dir_file(mtk_hal_bluetooth, system_file)
 # call into the Bluetooth process (callbacks)
 binder_call(mtk_hal_bluetooth, bluetooth)
 hwbinder_use(mtk_hal_bluetooth);
@@ -39,9 +39,9 @@ allow mtk_hal_bluetooth nvdata_file:lnk_file read;
 # Purpose: Allow to search /mnt/vendor/* for fstab when using NVM_Init()
 allow mtk_hal_bluetooth mnt_vendor_file:dir search;
 
-allow mtk_hal_bluetooth hwservicemanager_prop:file r_file_perms;
+get_prop(mtk_hal_bluetooth, hwservicemanager_prop)
 
-add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
+#add_hwservice(hal_bluetooth, mtk_hal_bluetooth_hwservice)
 allow hal_bluetooth_client mtk_hal_bluetooth_hwservice:hwservice_manager find;
 
 allow mtk_hal_bluetooth system_data_file:lnk_file read;

non_plat/mtk_hal_camera.te

@@ -52,7 +52,7 @@ binder_call(mtk_hal_camera, mtk_hal_power)
 # Purpose: Allow camerahalserver to find a service from hwservice_manager
 # -----------------------------------
 allow mtk_hal_camera hal_graphics_mapper_hwservice:hwservice_manager find;
-allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
+#allow mtk_hal_camera hal_graphics_allocator_hwservice:hwservice_manager find;
 allow mtk_hal_camera fwk_sensor_hwservice:hwservice_manager find;
 allow mtk_hal_camera mtk_hal_power_hwservice:hwservice_manager find;
 allow mtk_hal_camera nvram_data_file:lnk_file { read write getattr setattr read create open };

non_plat/mtk_hal_gnss.te

@@ -7,7 +7,7 @@ init_daemon_domain(mtk_hal_gnss)
 #TODO:: work around solution, wait for correct solution from google
 vndbinder_use(mtk_hal_gnss)
 
-r_dir_file(mtk_hal_gnss, system_file)
+#r_dir_file(mtk_hal_gnss, system_file)
 
 # Communicate over a socket created by mnld process.
 allow mtk_hal_gnss mnld_data_file:sock_file create_file_perms;

non_plat/mtk_hal_light.te

@@ -20,5 +20,5 @@ allow mtk_hal_light sysfs_leds:lnk_file read;
 allow mtk_hal_light sysfs_leds:file rw_file_perms;
 allow mtk_hal_light sysfs_leds:dir r_dir_perms;
 
-allow mtk_hal_light hwservicemanager_prop:file r_file_perms;
+get_prop(mtk_hal_light, hwservicemanager_prop)
 hal_server_domain(mtk_hal_light,hal_light);

non_plat/mtk_hal_power.te

@@ -8,11 +8,11 @@ type mtk_hal_power_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(mtk_hal_power)
 hwbinder_use(mtk_hal_power);
 
-allow mtk_hal_power hwservicemanager_prop:file r_file_perms;
+get_prop(mtk_hal_power, hwservicemanager_prop)
 allow mtk_hal_power hal_power_hwservice:hwservice_manager { add find };
 allow mtk_hal_power hidl_base_hwservice:hwservice_manager add;
 
-add_hwservice(hal_power, mtk_hal_power_hwservice)
+#add_hwservice(hal_power, mtk_hal_power_hwservice)
 allow hal_power_client mtk_hal_power_hwservice:hwservice_manager find;
 
 hal_server_domain(mtk_hal_power, hal_power);

non_plat/mtk_hal_sensors.te

@@ -31,7 +31,7 @@ allow mtk_hal_sensors sysfs:file rw_file_perms;
 
 # hal sensor for chr_file
 allow mtk_hal_sensors hwmsensor_device:chr_file r_file_perms;
-allow mtk_hal_sensors hwservicemanager_prop:file r_file_perms;
+get_prop(mtk_hal_sensors, hwservicemanager_prop)
 
 #hwservicemanager
 hal_server_domain(mtk_hal_sensors, hal_sensors);

non_plat/mtkfusionrild.te

@@ -42,7 +42,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
 # (radio data/system data/proc/etc)
 # Violate Android P rule
 allow rild sdcardfs:dir r_dir_perms;
-allow rild system_file:file x_file_perms;
+#allow rild system_file:file x_file_perms;
 allow rild proc:file rw_file_perms;
 allow rild proc_net:file w_file_perms;
 
@@ -51,7 +51,6 @@ allow rild proc_net:file w_file_perms;
 allow rild self:netlink_route_socket nlmsg_write;
 
 # Allow read/write to devices/files
-allow rild alarm_device:chr_file rw_file_perms;
 allow rild radio_device:chr_file rw_file_perms;
 allow rild radio_device:blk_file r_file_perms;
 allow rild mtd_device:dir search;
@@ -99,7 +98,7 @@ allow rild mtk_agpsd:unix_stream_socket connectto;
 
 #Date 2017/10/12
 #Purpose: allow set MTU size
-allow rild toolbox_exec:file getattr;
+#allow rild toolbox_exec:file getattr;
 allow rild mtk_net_ipv6_prop:property_service set;
 
 #Dat: 2017/10/17

non_plat/mtkrild.te

@@ -53,7 +53,7 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms;
 # Violate Android P rule
 allow mtkrild sdcardfs:dir r_dir_perms;
 # Violate Android P rule
-allow mtkrild system_file:file x_file_perms;
+#allow mtkrild system_file:file x_file_perms;
 allow mtkrild proc:file rw_file_perms;
 allow mtkrild proc_net:file w_file_perms;
 
@@ -61,7 +61,6 @@ allow mtkrild proc_net:file w_file_perms;
 allow mtkrild self:netlink_route_socket nlmsg_write;
 
 # Allow read/write to devices/files
-allow mtkrild alarm_device:chr_file rw_file_perms;
 allow mtkrild radio_device:chr_file rw_file_perms;
 allow mtkrild radio_device:blk_file r_file_perms;
 allow mtkrild mtd_device:dir search;

non_plat/nvram_agent_binder.te

@@ -50,7 +50,7 @@ allow nvram_agent_binder mtd_device:dir search;
 allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
 
 #for nvram agent hidl
-allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;
+get_prop(nvram_agent_binder, hwservicemanager_prop)
 
 #for nvram hidl client support
 allow nvram_agent_binder sysfs:file { read open };
@@ -71,4 +71,4 @@ get_prop(nvram_daemon, tel_switch_prop)
 # Purpose: Allow to search /mnt/vendor/nvdata when using nvram function
 allow nvram_agent_binder mnt_vendor_file:dir search;
 
-allow nvram_agent_binder sysfs_boot_mode:file r_file_perms;
+allow nvram_agent_binder sysfs_boot_mode:file r_file_perms;

non_plat/radio.te

@@ -104,7 +104,7 @@ hal_client_domain(radio, hal_imsa)
 
 #Dat: 2017/06/29
 #Purpose: For audio parameter tuning
-allow radio hal_audio_hwservice:hwservice_manager find;
+#allow radio hal_audio_hwservice:hwservice_manager find;
 binder_call(radio,mtk_hal_audio)
 
 # TODO : Will move to plat_private when SEPolicy split done
@@ -148,7 +148,7 @@ get_prop(radio, mtk_debug_md_reset_prop)
 # Operation : P migration
 # Purpose : For EM access battery info
 allow radio sysfs_batteryinfo:dir search;
-allow radio sysfs_batteryinfo:file { read write getattr open create};
+#allow radio sysfs_batteryinfo:file { read write getattr open create};
 allow radio sysfs_vbus:file { read getattr open };
 
 # Date : 2018/06/15

non_plat/rilproxy.te

@@ -33,7 +33,7 @@ allow rild netd_socket:sock_file read;
 
 #Date : W17.13
 #Purpose: Treble SEpolicy denied clean up
-allow rild hwservicemanager_prop:file r_file_perms;
+get_prop(rild, hwservicemanager_prop)
 
 #Date : W17.18
 #Purpose: Treble SEpolicy denied clean up
@@ -47,7 +47,7 @@ vndbinder_use(rild)
 #Date : W17.20
 #Purpose: allow access to audio hal
 binder_call(rild, mtk_hal_audio)
-allow rild hal_audio_hwservice:hwservice_manager find;
+#allow rild hal_audio_hwservice:hwservice_manager find;
 
 #Date : W18.15
 #Purpose: allow rild access to vendor.ril.ipo system property

non_plat/shell.te

@@ -8,7 +8,7 @@ allow shell aee_aed:unix_stream_socket connectto;
 
 # Date : WK17.35
 # Purpose : allow shell to dump the debugging information of camera hal.
-allow shell hal_camera_hwservice:hwservice_manager { find };
+#allow shell hal_camera_hwservice:hwservice_manager { find };
 binder_call(shell, mtk_hal_camera)
 
 # Date : WK17.36

non_plat/stp_dump3.te

@@ -6,7 +6,7 @@
 # Type Declaration
 # ==============================================
 
-type stp_dump3_exec, exec_type, file_type;
+type stp_dump3_exec, system_file_type, exec_type, file_type;
 type stp_dump3, domain;
 typeattribute stp_dump3 coredomain;
 

non_plat/system_server.te

@@ -29,7 +29,7 @@ allow system_server aee_dumpsys_data_file:file w_file_perms;
 allow system_server aee_exp_data_file:file w_file_perms;
 
 # Dump native process backtrace.
-allow system_server exec_type:file r_file_perms;
+#allow system_server exec_type:file r_file_perms;
 
 # Querying zygote socket.
 allow system_server zygote:unix_stream_socket { getopt getattr };

non_plat/untrusted_app.te

@@ -23,6 +23,6 @@ allow untrusted_app_25 proc_thermal:file { getattr open read };
 allow untrusted_app_25 sysfs_fps:dir search;
 allow untrusted_app_25 sysfs_fps:file { getattr open read };
 allow untrusted_app_25 sysfs_batteryinfo:dir search;
-allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read };
+#allow untrusted_app_25 sysfs_batteryinfo:file { getattr open read };
 allow untrusted_app_25 sysfs_therm:dir { open read search };
 allow untrusted_app_25 sysfs_therm:file { getattr open read };

plat_private/aee_aed.te

@@ -4,7 +4,7 @@
 # ==============================================
 # Type Declaration
 # ==============================================
-type aee_aed_exec, exec_type, file_type;
+type aee_aed_exec, system_file_type, exec_type, file_type;
 typeattribute aee_aed coredomain;
 typeattribute aee_aed mlstrustedsubject;
 
@@ -32,7 +32,7 @@ allow aee_aed domain:lnk_file getattr;
 allow aee_aed usermodehelper:file r_file_perms;
 
 #suid_dumpable. this is neverallow
-# allow aee_aed proc_security:file r_file_perms;
+#allow aee_aed proc_security:file r_file_perms;
 
 #property
 allow aee_aed init:unix_stream_socket connectto;
@@ -100,7 +100,7 @@ allow aee_aed dumpstate:file r_file_perms;
 
 allow aee_aed logdr_socket:sock_file write;
 allow aee_aed logd:unix_stream_socket connectto;
-# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule
+#allow aee_aed system_ndebug_socket:sock_file write;
 
 # vibrator
 allow aee_aed sysfs_vibrator:file w_file_perms;
@@ -110,15 +110,15 @@ allow aee_aed sysfs_vibrator:file w_file_perms;
 # Purpose : make aee_aed can get specific process NE info
 allow aee_aed domain:dir r_dir_perms;
 allow aee_aed domain:{ file lnk_file } r_file_perms;
-allow aee_aed {
-  domain
-  -logd
-  -keystore
-  -init
-}:process ptrace;
+#allow aee_aed {
+#  domain
+#  -logd
+#  -keystore
+#  -init
+#}:process ptrace;
 allow aee_aed dalvikcache_data_file:dir r_dir_perms;
-allow aee_aed zygote_exec:file r_file_perms;
-allow aee_aed init_exec:file r_file_perms;
+#allow aee_aed zygote_exec:file r_file_perms;
+#allow aee_aed init_exec:file r_file_perms;
 
 # Data : 2017/04/06
 # Operation : add selinux rule for crash_dump notify aee_aed
@@ -136,9 +136,9 @@ allow aee_aed self:capability { sys_nice chown fowner kill };
 userdebug_or_eng(`allow aee_aed debugfs_tracing_debug:file { write open };')
 
 # Purpose: Allow aee_aed self to sys_ptrace/dac_override/dac_read_search
-userdebug_or_eng(`
-  allow aee_aed self:capability { sys_ptrace dac_override dac_read_search };
-')
+#userdebug_or_eng(`
+#  allow aee_aed self:capability { sys_ptrace dac_override dac_read_search };
+#')
 
 # Purpose: Allow aee_aed to read/write /sys/kernel/debug/tracing/tracing_on
-userdebug_or_eng(` allow aee_aed debugfs_tracing:file { r_file_perms write };')
+#userdebug_or_eng(` allow aee_aed debugfs_tracing:file { r_file_perms write };')

plat_private/aee_core_forwarder.te

@@ -4,7 +4,7 @@
 # ==============================================
 # Type Declaration
 # ==============================================
-type aee_core_forwarder_exec, exec_type, file_type;
+type aee_core_forwarder_exec, system_file_type, exec_type, file_type;
 typeattribute aee_core_forwarder coredomain;
 
 # ==============================================

plat_private/boot_logo_updater.te

@@ -3,7 +3,7 @@
 
 # New added for move to /system
 typeattribute boot_logo_updater coredomain;
-type boot_logo_updater_exec , exec_type, file_type;
+type boot_logo_updater_exec, system_file_type, exec_type, file_type;
 
 # ==============================================
 # MTK Policy Rule

plat_private/cmddumper.te

@@ -3,7 +3,7 @@
 # ==============================================
 
 # New added for move to /system
-type cmddumper_exec, exec_type, file_type;
+type cmddumper_exec, system_file_type, exec_type, file_type;
 typeattribute cmddumper coredomain;
 
 init_daemon_domain(cmddumper)

plat_private/crash_dump.te

@@ -1 +1,2 @@
-allow crash_dump aee_aed:unix_stream_socket connectto;
+allow crash_dump aee_aed:unix_stream_socket connectto;
+

plat_private/dumpstate.te

@@ -14,7 +14,7 @@ allow dumpstate mnt_user_file:lnk_file read;
 allow dumpstate storage_file:lnk_file read;
 
 # Purpose: timer_intval. this is neverallow
-allow dumpstate app_data_file:dir search;
+#allow dumpstate app_data_file:dir search;
 allow dumpstate kmsg_device:chr_file r_file_perms;
 
 # Purpose:
@@ -39,7 +39,7 @@ allow dumpstate gpu_device:dir search;
 # Purpose: 01-01 08:30:57.474   286   286 E SELinux : avc:  denied  { find } for interface=
 # android.hardware.camera.provider::ICameraProvider pid=3133 scontext=u:r:dumpstate:s0 tcontext=
 # u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
-allow dumpstate hal_camera_hwservice:hwservice_manager find;
+#allow dumpstate hal_camera_hwservice:hwservice_manager find;
 
 #Purpose: Allow dumpstate to read/write /sys/kernel/debug/tracing/buffer_total_size_kb
 userdebug_or_eng(`allow dumpstate debugfs_tracing_debug:file { r_file_perms write };')

plat_private/em_svr.te

@@ -6,7 +6,7 @@
 # Type Declaration
 # ==============================================
 
-type em_svr_exec , exec_type, file_type;
+type em_svr_exec, system_file_type, exec_type, file_type;
 typeattribute em_svr coredomain;
 
 # ==============================================
@@ -65,8 +65,8 @@ allow em_svr sysfs:dir { open read };
 # Date: WK1822
 # Purpose: battery temprature setting
 allow em_svr sysfs_batteryinfo:dir search;
-allow em_svr sysfs_batteryinfo:file { write open };
-r_dir_file(em_svr, sysfs_batteryinfo);
+#allow em_svr sysfs_batteryinfo:file { write open };
+#r_dir_file(em_svr, sysfs_batteryinfo);
 
 
 

plat_private/emdlogger.te

@@ -3,7 +3,7 @@
 # ==============================================
 
 # New added for move to /system
-type emdlogger_exec , exec_type, file_type;
+type emdlogger_exec, system_file_type, exec_type, file_type;
 typeattribute emdlogger coredomain;
 
 init_daemon_domain(emdlogger)

plat_private/file_contexts

@@ -42,7 +42,7 @@
 /system/bin/mtkbootanimation u:object_r:mtkbootanimation_exec:s0
 /system/bin/boot_logo_updater u:object_r:boot_logo_updater_exec:s0
 
-#MTK vibrator
-/sys/devices/platform/vibrator@0/leds/vibrator(/.*)? u:object_r:sysfs_vibrator:s0
-
-/sys/block/mmcblk0rpmb/size u:object_r:access_sys_file:s0
+/dev/ubi_ctrl u:object_r:mtd_device:s0
+/dev/ubi[_0-9]* u:object_r:mtd_device:s0
+/dev/block/mtd(.*)?     u:object_r:mtd_device:s0
+/dev/block/mntlblk(.*)?     u:object_r:mtd_device:s0

plat_private/genfs_contexts

@@ -0,0 +1,4 @@
+#MTK vibrator
+genfscon sysfs /devices/platform/vibrator@0/leds/vibrator u:object_r:sysfs_vibrator:s0
+
+genfscon sysfs /block/mmcblk0rpmb/size u:object_r:access_sys_file:s0

plat_private/kisd.te

@@ -18,7 +18,7 @@ init_daemon_domain(kisd)
 allow kisd tee_device:chr_file {read write open ioctl};
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
-allow kisd system_file:file {execute_no_trans};
+#allow kisd system_file:file {execute_no_trans};
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};

plat_private/loghidlsysservice.te

@@ -4,7 +4,7 @@
 # ==============================================
 # Type Declaration
 # ==============================================
-type loghidlsysservice_exec, exec_type, file_type;
+type loghidlsysservice_exec, system_file_type, exec_type, file_type;
 typeattribute loghidlsysservice coredomain;
 
 

plat_private/mdlogger.te

@@ -3,7 +3,7 @@
 # ==============================================
 
 # New added for move to /system
-type mdlogger_exec , exec_type, file_type;
+type mdlogger_exec , system_file_type, exec_type, file_type;
 typeattribute mdlogger coredomain;
 
 init_daemon_domain(mdlogger)

plat_private/mobile_log_d.te

@@ -3,7 +3,7 @@
 # ==============================================
 
 # New added for moving to /system
-type mobile_log_d_exec , exec_type, file_type;
+type mobile_log_d_exec, system_file_type, exec_type, file_type;
 typeattribute mobile_log_d coredomain;
 
 init_daemon_domain(mobile_log_d)

plat_private/mtkbootanimation.te

@@ -6,7 +6,7 @@ typeattribute mtkbootanimation coredomain;
 
 init_daemon_domain(mtkbootanimation)
 
-type mtkbootanimation_exec, exec_type, file_type;
+type mtkbootanimation_exec, system_file_type, exec_type, file_type;
 
 # Date W17.39
 # Operation Migration

plat_private/netdiag.te

@@ -3,7 +3,7 @@
 # ==============================================
 
 # New added for move to /system
-type netdiag_exec , exec_type, file_type;
+type netdiag_exec, system_file_type, exec_type, file_type;
 typeattribute netdiag coredomain;
 
 init_daemon_domain(netdiag)
@@ -31,8 +31,6 @@ allow netdiag system_file:file rx_file_perms;
 allow netdiag self:capability { net_admin setuid net_raw setgid};
 allow netdiag shell_exec:file rx_file_perms;
 
-#/proc/3523/net/xt_qtaguid/ctrl & /proc
-allow netdiag qtaguid_proc:file r_file_perms;
 
 #access /proc/318/net/psched
 allow netdiag proc_net:file r_file_perms;

plat_private/thermalindicator.te

@@ -3,7 +3,7 @@
 # =============================================================================
 
 # New added for move to /system
-type thermalindicator_exec, exec_type, file_type;
+type thermalindicator_exec, system_file_type, exec_type, file_type;
 typeattribute thermalindicator coredomain;
 
 init_daemon_domain(thermalindicator)

plat_public/device.te

@@ -3,4 +3,5 @@
 # ==============================================
 
 type kb_block_device,dev_type;
-type dkb_block_device,dev_type;
+type dkb_block_device,dev_type;
+type mtd_device, dev_type;

prebuilts/api/26.0/plat_private/aee_aed.te

@@ -41,7 +41,7 @@ allow aee_aed property_socket:sock_file write;
 allow aee_aed system_file:file execute_no_trans;
 
 allow aee_aed init:process getsched;
-allow aee_aed kernel:process getsched;
+#allow aee_aed kernel:process getsched;
 
 # Date: W15.34
 # Operation: Migration
@@ -78,8 +78,8 @@ domain_auto_trans(aee_aed, dumpstate_exec, dumpstate)
 # allow aee_aed aee_core_forwarder:file { read getattr open };
 
 userdebug_or_eng(`
-  allow aee_aed su:dir {search read open };
-  allow aee_aed su:file { read getattr open };
+#  allow aee_aed su:dir {search read open };
+#  allow aee_aed su:file { read getattr open };
 ')
 
 # /data/tombstone
@@ -90,7 +90,7 @@ allow aee_aed tombstone_data_file:file create_file_perms;
 allow aee_aed self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module};
 
 # system(cmd) aee_dumpstate aee_archive
-allow aee_aed shell_exec:file rx_file_perms;
+#allow aee_aed shell_exec:file rx_file_perms;
 
 # PROCESS_FILE_STATE
 allow aee_aed dumpstate:unix_stream_socket { read write ioctl };

prebuilts/api/26.0/plat_private/crash_dump.te

@@ -1 +1 @@
-allow crash_dump aee_aed:unix_stream_socket connectto;
+#allow crash_dump aee_aed:unix_stream_socket connectto;

prebuilts/api/26.0/plat_private/dumpstate.te

@@ -14,7 +14,7 @@ allow dumpstate mnt_user_file:lnk_file read;
 allow dumpstate storage_file:lnk_file read;
 
 # Purpose: timer_intval. this is neverallow
-allow dumpstate app_data_file:dir search;
+#allow dumpstate app_data_file:dir search;
 allow dumpstate kmsg_device:chr_file r_file_perms;
 
 # Purpose:
@@ -40,4 +40,4 @@ allow dumpstate gpu_device:dir search;
 # Purpose: 01-01 08:30:57.474   286   286 E SELinux : avc:  denied  { find } for interface=
 # android.hardware.camera.provider::ICameraProvider pid=3133 scontext=u:r:dumpstate:s0 tcontext=
 # u:object_r:hal_camera_hwservice:s0 tclass=hwservice_manager
-allow dumpstate hal_camera_hwservice:hwservice_manager find;
+#allow dumpstate hal_camera_hwservice:hwservice_manager find;

prebuilts/api/26.0/plat_private/kisd.te

@@ -18,7 +18,7 @@ init_daemon_domain(kisd)
 allow kisd tee_device:chr_file {read write open ioctl};
 allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
 allow kisd provision_file:file {create read write open getattr unlink};
-allow kisd system_file:file {execute_no_trans};
+#allow kisd system_file:file {execute_no_trans};
 allow kisd block_device:dir {read write open ioctl search};
 allow kisd kb_block_device:blk_file {read write open ioctl getattr};
 allow kisd dkb_block_device:blk_file {read write open ioctl getattr};