[ALPS03825066] Mark file context to fix build fails

Restore the policies accessing files labeled as proc_xxx or sysfs_xxx, but there are some exceptions for coredomain process, such as meta_tst,dump_state,kpoc_charger MTK-Commit-Id: 7953b5203bb3cac099c3326d330643b4cd73746d Change-Id: I4b16c09c352891783e837bea370c264966ca6d13 CR-Id: ALPS03825066 Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
2020-01-18 09:29:41 +08:00 · 2020-01-18 09:29:41 +08:00 · 3ace839be3
commit 3ace839be3
parent 4dc7f49e69
30 changed files with 61 additions and 58 deletions
--- a/non_plat/aee_aed.te
+++ b/non_plat/aee_aed.te
@ -44,7 +44,7 @@ set_prop(aee_aed, persist_aee_prop);
 set_prop(aee_aed, debug_mtk_aee_prop);

 # /proc/lk_env
-#allow aee_aed proc_lk_env:file rw_file_perms;
+allow aee_aed proc_lk_env:file rw_file_perms;

 # Purpose: Allow aee_aedv to read /proc/pid/exe
 allow aee_aed exec_type:file r_file_perms;
--- a/non_plat/audioserver.te
+++ b/non_plat/audioserver.te
@ -16,7 +16,7 @@ allow audioserver ttySDIO_device:chr_file rw_file_perms;
 # Data: WK14.44
 # Operation : Migration
 # Purpose : for low SD card latency issue
-#allow audioserver sysfs_lowmemorykiller:file { read open };
+allow audioserver sysfs_lowmemorykiller:file { read open };

 # Data: WK14.45
 # Operation : Migration
@ -36,7 +36,7 @@ allow audioserver offloadservice_device:chr_file rw_file_perms;
 # Date : WK16.17
 # Operation : Migration
 # Purpose: read/open sysfs node
-#allow audioserver sysfs_ccci:file r_file_perms;
+allow audioserver sysfs_ccci:file r_file_perms;

 # Date : WK16.18
 # Operation : Migration
--- a/non_plat/boot_logo_updater.te
+++ b/non_plat/boot_logo_updater.te
@ -14,7 +14,7 @@ allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
 #To access file at  /dev/logo
 allow boot_logo_updater logo_device:chr_file r_file_perms;
 # To access file at   /proc/lk_env
-#allow boot_logo_updater proc_lk_env:file rw_file_perms;
+allow boot_logo_updater proc_lk_env:file rw_file_perms;

 # Date : WK16.25
 # Operation : Global_Device/Uniservice Feature
--- a/non_plat/cameraserver.te
+++ b/non_plat/cameraserver.te
@ -37,7 +37,7 @@ allow cameraserver vpu_device:chr_file rw_file_perms;
 allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
 allow cameraserver seninf_device:chr_file rw_file_perms;
 allow cameraserver self:capability { setuid ipc_lock sys_nice };
-#allow cameraserver sysfs_wake_lock:file rw_file_perms;
+allow cameraserver sysfs_wake_lock:file rw_file_perms;
 allow cameraserver MTK_SMI_device:chr_file r_file_perms;
 allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
 allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
@ -51,7 +51,7 @@ allow cameraserver nvram_data_file:file create_file_perms;
 allow cameraserver nvram_data_file:lnk_file read;
 allow cameraserver nvdata_file:lnk_file read;
 #allow cameraserver proc:file { read ioctl open };
-#allow cameraserver proc_meminfo:file { read getattr open };
+allow cameraserver proc_meminfo:file { read getattr open };
 #allow cameraserver sysfs:file { read write open };

 # Date : WK14.34
@ -218,7 +218,7 @@ allow cameraserver surfaceflinger:file getattr;
 # Data: WK14.44
 # Operation : Migration
 # Purpose : for low SD card latency issue
-#allow cameraserver sysfs_lowmemorykiller:file { read open };
+allow cameraserver sysfs_lowmemorykiller:file { read open };

 # Data: WK14.45
 # Operation : Migration
@ -309,7 +309,7 @@ allow cameraserver gpu_device:dir search;
 # Operation : Migration
 # Purpose :  Use file_type_auto_trans to specify label to avoid violated(never allow)
 allow cameraserver property_socket:sock_file write;
-#allow cameraserver proc:file getattr;
+allow cameraserver proc:file getattr;
 allow cameraserver shell_exec:file { execute read getattr open};
 domain_auto_trans(cameraserver, thermal_manager_exec, thermal_manager)
 typeattribute cameraserver system_executes_vendor_violators;
@ -323,7 +323,7 @@ allow cameraserver camera_rsc_device:chr_file rw_file_perms;

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow cameraserver proc_ged:file {open read write ioctl getattr};
+allow cameraserver proc_ged:file {open read write ioctl getattr};

 # Date : WK16.33
 # Operation : Migration
@ -393,4 +393,4 @@ allow cameraserver camera_mfb_device:chr_file rw_file_perms;
 # Operation : MT6771 SQC
 # Purpose: Allow permgr access
 allow cameraserver proc_perfmgr:dir {read search};
-#allow cameraserver proc_perfmgr:file {open read ioctl};
+allow cameraserver proc_perfmgr:file {open read ioctl};
--- a/non_plat/domain.te
+++ b/non_plat/domain.te
@ -15,7 +15,10 @@ allow domain debugfs_binder:dir search;

 # Allow all processes to read /sys/bus/platform/drivers/dev_info/dev_info
 # as it is a public interface for all processes to read some OTP data.
-#allow domain sysfs_devinfo:file r_file_perms;
+allow {
+  domain
+  -isolated_app
+} sysfs_devinfo:file r_file_perms;

 # Date:20170519
 # Purpose: Full treble bootup issue, coredomain need to access libudf.so where
--- a/non_plat/drmserver.te
+++ b/non_plat/drmserver.te
@ -4,4 +4,4 @@

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow drmserver proc_ged:file {open read write ioctl getattr};
+allow drmserver proc_ged:file {open read write ioctl getattr};
--- a/non_plat/dumpstate.te
+++ b/non_plat/dumpstate.te
@ -41,13 +41,13 @@ allow dumpstate debugfs_cpuhvfs:file { read open };

 # Purpose: /sys/kernel/ccci/md_chn
 allow dumpstate sysfs_ccci:dir search;
-#allow dumpstate sysfs_ccci:file { read open };
+allow dumpstate sysfs_ccci:file { read open };

 # Purpose: leds status
 allow dumpstate sysfs_leds:lnk_file read;

 # Purpose: /sys/module/lowmemorykiller/parameters/adj
-#allow dumpstate sysfs_lowmemorykiller:file { read open };
+allow dumpstate sysfs_lowmemorykiller:file { read open };
 allow dumpstate sysfs_lowmemorykiller:dir search;

 # Purpose: /dev/block/mmcblk0p10
--- a/non_plat/em_svr.te
+++ b/non_plat/em_svr.te
@ -19,25 +19,25 @@ allow em_svr nvram_device:chr_file { open read write ioctl };
 typeattribute em_svr system_executes_vendor_violators;
 allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans };
 allow em_svr proc_mtkcooler:dir search;
-#allow em_svr proc_mtkcooler:file { read getattr open write };
+allow em_svr proc_mtkcooler:file { read getattr open write };
 allow em_svr proc_thermal:dir search;
-#allow em_svr proc_thermal:file { read getattr open write };
+allow em_svr proc_thermal:file { read getattr open write };
 allow em_svr proc_mtktz:dir search;
-#allow em_svr proc_mtktz:file  { read getattr open write };
-#allow em_svr proc_slogger:file { read getattr open write };
-#allow em_svr proc_lk_env:file { read getattr open write ioctl};
+allow em_svr proc_mtktz:file  { read getattr open write };
+allow em_svr proc_slogger:file { read getattr open write };
+allow em_svr proc_lk_env:file { read getattr open write ioctl};
 allow em_svr para_block_device:blk_file { read open };
 # Date: 2015/12/22
 # Operation : M Migration
 # Purpose : Battery Log can change temperature
 userdebug_or_eng(`
 allow em_svr proc_battery_cmd:dir search;
-#allow em_svr proc_battery_cmd:file { read getattr open write };
+allow em_svr proc_battery_cmd:file { read getattr open write };
 ')

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow em_svr proc_ged:file {open read write ioctl getattr};
+allow em_svr proc_ged:file {open read write ioctl getattr};

 # Date : WK17.42
 # Purpose: Allow to query md log filter bin
--- a/non_plat/emdlogger.te
+++ b/non_plat/emdlogger.te
@ -61,7 +61,7 @@ allow emdlogger storage_file:file { create_file_perms };

 # Allow read to sys/kernel/ccci/* files
 allow emdlogger sysfs_ccci:dir search;
-#allow emdlogger sysfs_ccci:file r_file_perms;
+allow emdlogger sysfs_ccci:file r_file_perms;

 # Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681 
 # scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0
--- a/non_plat/factory.te
+++ b/non_plat/factory.te
@ -56,7 +56,7 @@ allow factory pro_info_device:chr_file rw_file_perms;

 # Data: WK15.28
 # Purpose: for mt-ramdump reset
-#allow factory proc_mrdump_rst:file w_file_perms;
+allow factory proc_mrdump_rst:file w_file_perms;

 #Date: WK15.31
 #Purpose: define factory_data_file instead of system_data_file
@ -219,7 +219,7 @@ allow factory input_device:dir rw_dir_perms;
 # Purpose:  N Migration For ccci sysfs node
 # Allow read to sys/kernel/ccci/* files
 allow factory sysfs_ccci:dir search;
-#allow factory sysfs_ccci:file r_file_perms;
+allow factory sysfs_ccci:file r_file_perms;

 # Date: WK16.18
 # Purpose: N Migration For boot_mode
@ -269,7 +269,7 @@ allow factory tmpfs:filesystem unmount;
 allow factory sysfs:dir { read open };
 allow factory sysfs_leds:dir search;
 allow factory sysfs_leds:lnk_file read;
-#allow factory sysfs_vibrator:file {open read write};
+allow factory sysfs_vibrator:file {open read write};
 allow factory ion_device:chr_file { read open ioctl };
 allow factory debugfs_ion:dir search;
 #allow factory proc:file ioctl;
@ -296,5 +296,5 @@ set_prop(factory,ctl_ccci_fsd_prop);
 # Operation : O Migration
 # Purpose: Allow to access sysfs
 allow factory sysfs_therm:dir search;
-#allow factory sysfs_therm:file {open read write};
+allow factory sysfs_therm:file {open read write};

--- a/non_plat/mdlogger.te
+++ b/non_plat/mdlogger.te
@ -36,7 +36,7 @@ allow mdlogger storage_file:file { create_file_perms };

 # Allow read to sys/kernel/ccci/* files
 allow mdlogger sysfs_ccci:dir search;
-#allow mdlogger sysfs_ccci:file r_file_perms;
+allow mdlogger sysfs_ccci:file r_file_perms;

 # purpose: allow mdlogger to access storage in new version
 allow mdlogger media_rw_data_file:file  { create_file_perms };
--- a/non_plat/mediaextractor.te
+++ b/non_plat/mediaextractor.te
@ -4,4 +4,4 @@

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow mediaextractor proc_ged:file {open read write ioctl getattr};
+allow mediaextractor proc_ged:file {open read write ioctl getattr};
--- a/non_plat/meta_tst.te
+++ b/non_plat/meta_tst.te
@ -155,7 +155,7 @@ allow meta_tst key_install_data_file:file create_file_perms;
 # Date: WK14.51
 # Purpose : set/get cryptfs cfg in sys env
 allow meta_tst misc_device:chr_file rw_file_perms;
-#allow meta_tst proc_lk_env:file rw_file_perms;
+allow meta_tst proc_lk_env:file rw_file_perms;

 # Purpose : FT_EMMC_OP_FORMAT_TCARD
 allow meta_tst block_device:blk_file getattr;
@ -187,7 +187,7 @@ allow meta_tst storage_file:lnk_file read;
 # Date: WK16.17
 # Purpose:  N Migration For ccci sysfs node
 allow meta_tst sysfs_ccci:dir search;
-#allow meta_tst sysfs_ccci:file r_file_perms;
+allow meta_tst sysfs_ccci:file r_file_perms;

 #Date: W16.17
 # Purpose:  N Migration for meta_tst get com port type and uart port info
@ -255,7 +255,7 @@ allow meta_tst self:netlink_socket create_socket_perms_no_ioctl;
 allow meta_tst self:rawip_socket create;
 allow meta_tst self:udp_socket create_socket_perms_no_ioctl;
 allow meta_tst self:rawip_socket create_socket_perms_no_ioctl;
-#allow meta_tst proc_ged:file r_file_perms;
+allow meta_tst proc_ged:file r_file_perms;
 allowxperm meta_tst self:udp_socket ioctl {SIOCSIFFLAGS SIOCGIFCONF SIOCIWFIRSTPRIV_08 SIOCIWFIRSTPRIV_09};
 allow meta_tst meta_tst:netlink_generic_socket { read write getattr bind create setopt };

@ -349,7 +349,7 @@ allow meta_tst audiohal_prop:property_service set;
 #Data:W1745
 # Purpose : Allow meta_tst to open and read proc/bootprof
 #allow meta_tst proc:file write;
-#allow meta_tst proc:file getattr;
+allow meta_tst proc:file getattr;

 # Date:W17.51
 # Operation : lbs hal
--- a/non_plat/mobile_log_d.te
+++ b/non_plat/mobile_log_d.te
@ -1,10 +1,10 @@
 #scp
-#allow mobile_log_d sysfs_scp:file { open write };
+allow mobile_log_d sysfs_scp:file { open write };
 allow mobile_log_d sysfs_scp:dir search;
 allow mobile_log_d scp_device:chr_file { read open };

 #sspm
-#allow mobile_log_d sysfs_sspm:file { open write };
+allow mobile_log_d sysfs_sspm:file { open write };
 allow mobile_log_d sysfs_sspm:dir search;
 allow mobile_log_d sspm_device:chr_file { read open };

--- a/non_plat/mtkbootanimation.te
+++ b/non_plat/mtkbootanimation.te
@ -17,12 +17,12 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow mtkbootanimation proc_ged:file {open read write ioctl getattr};
+allow mtkbootanimation proc_ged:file {open read write ioctl getattr};

 # Date : WK14.31
 # Operation : Migration
 # Purpose : access to sec mem proc interface.
-#allow mtkbootanimation proc_secmem:file { read open};
+allow mtkbootanimation proc_secmem:file { read open};

 # Date : WK14.36
 # Operation : Migration
@ -53,4 +53,4 @@ allow mtkbootanimation guiext-server_service:service_manager find;
 # Operation : Migration
 # Purpose : FPSGO integration
 allow mtkbootanimation proc_perfmgr:dir {search read};
-#allow mtkbootanimation proc_perfmgr:file {open read ioctl};
+allow mtkbootanimation proc_perfmgr:file {open read ioctl};
--- a/non_plat/surfaceflinger.te
+++ b/non_plat/surfaceflinger.te
@ -10,7 +10,7 @@ allow surfaceflinger debug_prop:property_service set;

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow surfaceflinger proc_ged:file {open read write ioctl getattr};
+allow surfaceflinger proc_ged:file {open read write ioctl getattr};

 # Date : W16.42
 # Operation : Integration
@ -56,7 +56,7 @@ allow surfaceflinger mtkbootanimation:file { read getattr open };
 # Operation : Migration
 # Purpose: Allow to access perfmgr
 allow surfaceflinger proc_perfmgr:dir {read search};
-#allow surfaceflinger proc_perfmgr:file {open read ioctl};
+allow surfaceflinger proc_perfmgr:file {open read ioctl};

 # Date : WK17.43
 # Operation : Debug
--- a/non_plat/system_server.te
+++ b/non_plat/system_server.te
@ -36,7 +36,7 @@ allow system_server zygote:binder impersonate;
 allow system_server ctl_bootanim_prop:property_service set;

 # After connected to DHCPv6, enabled 6to4 IPv6 AP to get property.
-#allow system_server proc_net:file w_file_perms;
+allow system_server proc_net:file w_file_perms;
 r_dir_file(system_server, wide_dhcpv6_data_file)

 # For dumpsys.
@ -73,7 +73,7 @@ allow system_server sysfs_dcm:file rw_file_perms;

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow system_server proc_ged:file {open read write ioctl getattr};
+allow system_server proc_ged:file {open read write ioctl getattr};

 # Date : WK16.36
 # Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
@ -107,7 +107,7 @@ allow system_server ttyMT_device:chr_file rw_file_perms;
 # Operation : thermal hal Feature developing
 # Purpose : thermal hal interface permission
 allow system_server proc_mtktz:dir search;
-#allow system_server proc_mtktz:file r_file_perms;
+allow system_server proc_mtktz:file r_file_perms;

 # Date : WK16.46
 # Operation: PowerManager set persist.meta.connecttype property
@ -215,4 +215,4 @@ allow system_server mtk_thermal_config_prop:property_service set;
 # Operation : Migration
 # Purpose : perfmgr permission
 allow system_server proc_perfmgr:dir {read search};
-#allow system_server proc_perfmgr:file {open read ioctl};
+allow system_server proc_perfmgr:file {open read ioctl};
--- a/non_plat/zygote.te
+++ b/non_plat/zygote.te
@ -4,7 +4,7 @@

 # Date : WK16.33
 # Purpose: Allow to access ged for gralloc_extra functions
-#allow zygote proc_ged:file {open read write ioctl getattr};
+allow zygote proc_ged:file {open read write ioctl getattr};

 # Date : WK17.02
 # Purpose: Allow to access gpu for memtrack functions
--- a/plat_private/aee_aed.te
+++ b/plat_private/aee_aed.te
@ -106,7 +106,7 @@ allow aee_aed logd:unix_stream_socket connectto;
 # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule

 # vibrator
-#allow aee_aed sysfs_vibrator:file w_file_perms;
+allow aee_aed sysfs_vibrator:file w_file_perms;

 # Data : 2017/03/22
 # Operation : add NE flow rule for Android O
--- a/plat_private/em_svr.te
+++ b/plat_private/em_svr.te
@ -34,7 +34,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl};
 allow em_svr graphics_device:dir search;
 allow em_svr radio_data_file:dir { search write add_name create };
 allow em_svr radio_data_file:file { create write open read };
-#allow em_svr sysfs_devices_system_cpu:file write;
+allow em_svr sysfs_devices_system_cpu:file write;
 #allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
 allow em_svr self:process execmem;
 allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
--- a/plat_private/factory.te
+++ b/plat_private/factory.te
@ -23,7 +23,7 @@ allow factory sdcard_type:dir r_dir_perms;
 ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
 #allow factory self:netlink_route_socket create_socket_perms;
 allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
-#allow factory proc_net:file { read getattr open };
+allow factory proc_net:file { read getattr open };
 allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
 allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};

@ -31,7 +31,7 @@ allow factory self:process execmem;
 allow factory self:tcp_socket create_stream_socket_perms;
 allow factory self:udp_socket create_socket_perms;

-#allow factory sysfs_wake_lock:file rw_file_perms;
+allow factory sysfs_wake_lock:file rw_file_perms;
 allow factory system_data_file:dir w_dir_perms;
 allow factory system_data_file:sock_file create_file_perms;
 allow factory system_file:file x_file_perms;
--- a/plat_private/meta_tst.te
+++ b/plat_private/meta_tst.te
@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind };
 allow meta_tst self:tcp_socket { bind setopt listen accept read write };
 allow meta_tst self:udp_socket { create ioctl };
 allow meta_tst self:capability { sys_boot ipc_lock };
-#allow meta_tst sysfs_wake_lock:file rw_file_perms;
+allow meta_tst sysfs_wake_lock:file rw_file_perms;
 #allow meta_tst sysfs:file write;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
--- a/plat_private/mobile_log_d.te
+++ b/plat_private/mobile_log_d.te
@ -73,4 +73,4 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
 allow mobile_log_d debugfs_tracing:dir create_dir_perms;
 #allow mobile_log_d debugfs_tracing:file create_file_perms;
 allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
-#allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
+allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
--- a/plat_private/mtkbootanimation.te
+++ b/plat_private/mtkbootanimation.te
@ -40,7 +40,7 @@ allow mtkbootanimation hal_graphics_composer:fd use;

 # Read access to pseudo filesystems.
 #r_dir_file(mtkbootanimation, proc)
-#allow mtkbootanimation proc_meminfo:file r_file_perms;
+allow mtkbootanimation proc_meminfo:file r_file_perms;
 #r_dir_file(mtkbootanimation, sysfs)
 r_dir_file(mtkbootanimation, cgroup)

--- a/prebuilts/api/26.0/plat_private/aee_aed.te
+++ b/prebuilts/api/26.0/plat_private/aee_aed.te
@ -106,7 +106,7 @@ allow aee_aed logd:unix_stream_socket connectto;
 # allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule

 # vibrator
-#allow aee_aed sysfs_vibrator:file w_file_perms;
+allow aee_aed sysfs_vibrator:file w_file_perms;

 # Data : 2017/03/22
 # Operation : add NE flow rule for Android O
--- a/prebuilts/api/26.0/plat_private/em_svr.te
+++ b/prebuilts/api/26.0/plat_private/em_svr.te
@ -35,7 +35,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl};
 allow em_svr graphics_device:dir search;
 allow em_svr radio_data_file:dir { search write add_name create };
 allow em_svr radio_data_file:file { create write open read };
-#allow em_svr sysfs_devices_system_cpu:file write;
+allow em_svr sysfs_devices_system_cpu:file write;
 #allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
 allow em_svr self:process execmem;
 allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
--- a/prebuilts/api/26.0/plat_private/factory.te
+++ b/prebuilts/api/26.0/plat_private/factory.te
@ -24,7 +24,7 @@ allow factory sdcard_type:dir r_dir_perms;
 ### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
 #allow factory self:netlink_route_socket create_socket_perms;
 allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
-#allow factory proc_net:file { read getattr open };
+allow factory proc_net:file { read getattr open };
 allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
 allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};

@ -32,7 +32,7 @@ allow factory self:process execmem;
 allow factory self:tcp_socket create_stream_socket_perms;
 allow factory self:udp_socket create_socket_perms;

-#allow factory sysfs_wake_lock:file rw_file_perms;
+allow factory sysfs_wake_lock:file rw_file_perms;
 allow factory system_data_file:dir w_dir_perms;
 allow factory system_data_file:sock_file create_file_perms;
 allow factory system_file:file x_file_perms;
--- a/prebuilts/api/26.0/plat_private/meta_tst.te
+++ b/prebuilts/api/26.0/plat_private/meta_tst.te
@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind };
 allow meta_tst self:tcp_socket { bind setopt listen accept read write };
 allow meta_tst self:udp_socket { create ioctl };
 allow meta_tst self:capability { sys_boot ipc_lock };
-#allow meta_tst sysfs_wake_lock:file rw_file_perms;
+allow meta_tst sysfs_wake_lock:file rw_file_perms;
 #allow meta_tst sysfs:file write;
 allow meta_tst property_socket:sock_file w_file_perms;
 #allow meta_tst vold_socket:sock_file w_file_perms;
--- a/prebuilts/api/26.0/plat_private/mobile_log_d.te
+++ b/prebuilts/api/26.0/plat_private/mobile_log_d.te
@ -73,4 +73,4 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
 allow mobile_log_d debugfs_tracing:dir create_dir_perms;
 #allow mobile_log_d debugfs_tracing:file create_file_perms;
 allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
-#allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
+allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
--- a/prebuilts/api/26.0/plat_private/system_server.te
+++ b/prebuilts/api/26.0/plat_private/system_server.te
@ -6,7 +6,7 @@ allow system_server zygote:binder impersonate;
 # Property service.
 allow system_server ctl_bootanim_prop:property_service set;
 # After connected to DHCPv6, enabled 6to4 IPv6 AP to get property.
-#allow system_server proc_net:file w_file_perms;
+allow system_server proc_net:file w_file_perms;
 # Querying zygote socket.
 allow system_server zygote:unix_stream_socket { getopt getattr };
 # Date : WK16.36