[ALPS03825066] P migration selinux build failed fix

1. Mark policies that access the proc/sysfs file systems.
2. Add the violator attribute to modules that violate the vendor/system rule.

MTK-Commit-Id: 3954cad7a1428cda694d8428c2235a78aa6e7cc8

Change-Id: I401ae5b87eb9a03f324bef83c6678149606b15a8
CR-Id: ALPS03825066
Feature: [Android Default] SELinux, SEAndroid, and SE-MTK
This commit is contained in:
Bo Ye 2020-01-18 09:29:36 +08:00
parent bbecfaa68b
commit 5849c224e3
83 changed files with 179 additions and 179 deletions


@ -34,6 +34,7 @@ allow adbd adbd_data_file:file create_file_perms;
allow adbd qemu_pipe_device:chr_file rw_file_perms;
# user load adb pull /data/aee_exp db
typeattribute adbd data_between_core_and_vendor_violators;
allow adbd aee_exp_data_file:dir r_dir_perms;
allow adbd aee_exp_data_file:file r_file_perms;
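Review bot: The added `typeattribute adbd data_between_core_and_vendor_violators;` carries no explanation of which rule needs the exemption or how it will be retired, and the same applies to the attribute lines added in the aee_aed, aee_aedv, aee_core_forwarder, audiocmdservice_atci, audioserver, bootanim, cameraserver, ccci_mdinit, dumpstate, em_svr, factory, fuelgauged, fuelgauged_nvram, fuelgauged_static, kernel, mediaserver, merged_hal_service, meta_tst, mnld, mobile_log_d, MPED, mtk_agpsd, mtk_hal_audio and mtk_hal_bluetooth sections. The attribute opts the whole domain out of the core/vendor data-separation neverallows, not just the one rule beneath it, so a one-line justification next to each keeps the exemption reviewable, e.g. `# Violator: adb pull of /data/aee_exp on user builds; remove once aee_exp moves under /data/vendor`. The MPED section adds the attribute with no accompanying rule or comment at all, so it is not clear from that hunk what it is for. Placing the attribute beside the domain declaration, as the MPED section does, rather than in the middle of the rule list would also make the exemptions easier to audit.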


@ -22,6 +22,7 @@ allow aee_aed mtd_device:chr_file rw_file_perms;
allow aee_aed RT_Monitor_device:chr_file r_file_perms;
#data/aee_exp
typeattribute aee_aed data_between_core_and_vendor_violators;
allow aee_aed aee_exp_data_file:dir create_dir_perms;
allow aee_aed aee_exp_data_file:file create_file_perms;
@ -43,7 +44,7 @@ set_prop(aee_aed, persist_aee_prop);
set_prop(aee_aed, debug_mtk_aee_prop);
# /proc/lk_env
allow aee_aed proc_lk_env:file rw_file_perms;
#allow aee_aed proc_lk_env:file rw_file_perms;
# Purpose: Allow aee_aedv to read /proc/pid/exe
allow aee_aed exec_type:file r_file_perms;
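Review bot: The disabled line `#allow aee_aed proc_lk_env:file rw_file_perms;` keeps the `# /proc/lk_env` heading above it, so a reader cannot tell whether the access was dropped on purpose or merely parked, and the same pattern repeats in the audioserver, boot_logo_updater, cameraserver, cmddumper, drmserver, dumpstate, em_svr, emdlogger, factory, keystore, mdlogger, mediaextractor, mediaserver, meta_tst and mobile_log_d sections. A bare commented-out allow is also easy to restore later without anyone re-checking why it was removed, which matters most for the proc_lk_env rules and the grants on the generic proc/sysfs types. Replacing the bare `#` with a tagged marker such as `# DISABLED(ALPS03825066): blocked by P proc/sysfs restrictions; needs a dedicated type before re-enabling` at each site records the intent, and the date/purpose comment blocks that now describe nothing should be marked the same way or removed. If aee_aed still touches /proc/lk_env at runtime it will now be denied; presumably that audit signal is the intended next step rather than a regression, but worth confirming.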


@ -31,6 +31,7 @@ allow aee_aedv sdcard_type:dir create_dir_perms;
allow aee_aedv sdcard_type:file create_file_perms;
#data/anr
typeattribute aee_aedv data_between_core_and_vendor_violators;
allow aee_aedv anr_data_file:dir create_dir_perms;
allow aee_aedv anr_data_file:file create_file_perms;
@ -183,7 +184,6 @@ allow aee_aedv debugfs_page_owner_slim_debug:file { read open };
allow aee_aedv debugfs_ion_mm_heap:dir search;
allow aee_aedv debugfs_ion_mm_heap:file { read open };
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_ion_mm_heap:lnk_file read;
allow aee_aedv debugfs_cpuhvfs:dir search;
allow aee_aedv debugfs_cpuhvfs:file { read open };
allow aee_aedv debugfs_emi_mbw_buf:file { read open };


@ -16,6 +16,7 @@ init_daemon_domain(aee_core_forwarder)
allow aee_core_forwarder aee_core_data_file:dir relabelto;
allow aee_core_forwarder aee_core_data_file:dir create_dir_perms;
allow aee_core_forwarder aee_core_data_file:file create_file_perms;
typeattribute aee_core_forwarder data_between_core_and_vendor_violators;
allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };
#mkdir /sdcard/mtklog/aee_exp and write /sdcard/mtklog/aee_exp/zcorexxx.zip
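Review bot: The new attribute line legitimises `allow aee_core_forwarder system_data_file:dir { write relabelfrom create add_name };` directly beneath it, which lets a vendor daemon relabel directories carrying the core system_data_file label, yet the only comment nearby (`#mkdir /sdcard/mtklog/aee_exp ...`) describes sdcard writes, not the relabel. Since the same hunk grants `aee_core_data_file:dir relabelto`, this looks like a relabel of a freshly created /data directory into the daemon's own type; if so, a comment stating which path is relabelled and why `file_type_auto_trans` (as used in the fuelgauged sections) is not sufficient would make the exemption reviewable, e.g. `# relabelfrom/relabelto: move <path> from system_data_file to aee_core_data_file on first start`. The rule list for this domain continues outside the hunk.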


@ -3,6 +3,7 @@
# Read/Write NV
allow audiocmdservice_atci nvram_device:devfile_class_set rw_file_perms;
typeattribute audiocmdservice_atci data_between_core_and_vendor_violators;
allow audiocmdservice_atci nvram_data_file:dir create_dir_perms;
allow audiocmdservice_atci nvram_data_file:{file lnk_file} create_file_perms;
allow audiocmdservice_atci nvdata_file:dir create_dir_perms;


@ -16,7 +16,7 @@ allow audioserver ttySDIO_device:chr_file rw_file_perms;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow audioserver sysfs_lowmemorykiller:file { read open };
#allow audioserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
@ -24,6 +24,7 @@ allow audioserver sysfs_lowmemorykiller:file { read open };
allow audioserver proc_mtkcooler:dir search;
allow audioserver proc_mtktz:dir search;
allow audioserver proc_thermal:dir search;
typeattribute audioserver data_between_core_and_vendor_violators;
allow audioserver thermal_manager_data_file:file create_file_perms;
allow audioserver thermal_manager_data_file:dir { rw_dir_perms setattr };
@ -35,7 +36,7 @@ allow audioserver offloadservice_device:chr_file rw_file_perms;
# Date : WK16.17
# Operation : Migration
# Purpose: read/open sysfs node
allow audioserver sysfs_ccci:file r_file_perms;
#allow audioserver sysfs_ccci:file r_file_perms;
# Date : WK16.18
# Operation : Migration
@ -45,7 +46,7 @@ allow audioserver tmpfs:dir search;
# Date : WK16.18
# Operation : Migration
# Purpose: access sysfs node
allow audioserver sysfs:file { open read write };
#allow audioserver sysfs:file { open read write };
allow audioserver sysfs_ccci:dir search;
# Purpose: Dump debug info
@ -60,8 +61,6 @@ allow audioserver proc_ged:file {open read write ioctl getattr};
# Purpose: Allow to trigger AEE dump
allow audioserver aee_aed:unix_stream_socket connectto;
# Date : WK17.28
# Operation : MT6757 SQC
# Purpose : Change thermal config
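Review bot: `#allow audioserver sysfs:file { open read write };` and `#allow audioserver sysfs_ccci:file r_file_perms;` are disabled but their `# Purpose: access sysfs node` / `read/open sysfs node` headers stay, and nothing records which node was needed, so the eventual replacement cannot be derived from the file. The grant on the generic `sysfs` type was the real problem, since it covered every sysfs file without a more specific label; the fix for it and for the other generic `sysfs:file` / `proc:file` lines disabled in the cameraserver, cmddumper, emdlogger, factory and meta_tst sections is to label the specific node with its own type (via genfscon, as `sysfs_lowmemorykiller` and `sysfs_ccci` already are) and allow only that type. The merged_hal_service section still carries a live `allow merged_hal_service sysfs:file write;` that deserves the same treatment. Recording the path in the disabled line, e.g. `# DISABLED: needed for <sysfs path> — relabel node to a dedicated sysfs_* type`, keeps that migration possible.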


@ -14,7 +14,7 @@ allow boot_logo_updater bootdevice_block_device:blk_file r_file_perms;
#To access file at /dev/logo
allow boot_logo_updater logo_device:chr_file r_file_perms;
# To access file at /proc/lk_env
allow boot_logo_updater proc_lk_env:file rw_file_perms;
#allow boot_logo_updater proc_lk_env:file rw_file_perms;
# Date : WK16.25
# Operation : Global_Device/Uniservice Feature


@ -5,6 +5,7 @@
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
typeattribute bootanim data_between_core_and_vendor_violators;
allow bootanim custom_file:dir search;
allow bootanim custom_file:file r_file_perms;
allow bootanim bootani_prop:property_service set;


@ -16,7 +16,6 @@ binder_call(cameraserver, mtk_hal_camera)
# call the graphics allocator hal
binder_call(cameraserver, hal_graphics_allocator)
# -----------------------------------
# Android O
# Purpose: Debugging
@ -24,13 +23,11 @@ binder_call(cameraserver, hal_graphics_allocator)
# Purpose: adb shell dumpsys media.camera --unreachable
allow cameraserver self:process { ptrace };
# -----------------------------------
# Purpose: property access
# -----------------------------------
allow cameraserver mtkcam_prop:file { open read getattr };
# Date : WK14.31
# Operation : Migration
# Purpose : camera devices access.
@ -40,11 +37,12 @@ allow cameraserver vpu_device:chr_file rw_file_perms;
allow cameraserver kd_camera_hw_device:chr_file rw_file_perms;
allow cameraserver seninf_device:chr_file rw_file_perms;
allow cameraserver self:capability { setuid ipc_lock sys_nice };
allow cameraserver sysfs_wake_lock:file rw_file_perms;
#allow cameraserver sysfs_wake_lock:file rw_file_perms;
allow cameraserver MTK_SMI_device:chr_file r_file_perms;
allow cameraserver camera_pipemgr_device:chr_file r_file_perms;
allow cameraserver kd_camera_flashlight_device:chr_file rw_file_perms;
allow cameraserver lens_device:chr_file rw_file_perms;
typeattribute cameraserver data_between_core_and_vendor_violators;
allow cameraserver nvdata_file:dir { write search add_name };
allow cameraserver nvdata_file:file { read write getattr setattr open create };
allow cameraserver nvram_data_file:dir search;
@ -52,9 +50,9 @@ allow cameraserver nvram_data_file:dir w_dir_perms;
allow cameraserver nvram_data_file:file create_file_perms;
allow cameraserver nvram_data_file:lnk_file read;
allow cameraserver nvdata_file:lnk_file read;
allow cameraserver proc:file { read ioctl open };
allow cameraserver proc_meminfo:file { read getattr open };
allow cameraserver sysfs:file { read write open };
#allow cameraserver proc:file { read ioctl open };
#allow cameraserver proc_meminfo:file { read getattr open };
#allow cameraserver sysfs:file { read write open };
# Date : WK14.34
# Operation : Migration
@ -146,7 +144,6 @@ allow cameraserver MAINAF_device:chr_file rw_file_perms;
allow cameraserver MAIN2AF_device:chr_file rw_file_perms;
allow cameraserver SUBAF_device:chr_file rw_file_perms;
# Data : WK14.38
# Operation : Migration
# Purpose : for boot animation.
@ -221,7 +218,7 @@ allow cameraserver surfaceflinger:file getattr;
# Data: WK14.44
# Operation : Migration
# Purpose : for low SD card latency issue
allow cameraserver sysfs_lowmemorykiller:file { read open };
#allow cameraserver sysfs_lowmemorykiller:file { read open };
# Data: WK14.45
# Operation : Migration
@ -281,13 +278,11 @@ allow cameraserver mnt_user_file:lnk_file {read write};
# Purpose: Allow cameraserver to read binder from surfaceflinger
allow cameraserver surfaceflinger:fifo_file {read write};
# Date : WK15.45
# Purpose : camera read/write /nvcfg/camera data
allow cameraserver nvcfg_file:dir create_dir_perms;
allow cameraserver nvcfg_file:file create_file_perms;
# Date : WK15.46
# Operation : Migration
# Purpose : DPE Driver
@ -314,9 +309,10 @@ allow cameraserver gpu_device:dir search;
# Operation : Migration
# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)
allow cameraserver property_socket:sock_file write;
allow cameraserver proc:file getattr;
#allow cameraserver proc:file getattr;
allow cameraserver shell_exec:file { execute read getattr open};
domain_auto_trans(cameraserver, thermal_manager_exec, thermal_manager)
typeattribute cameraserver system_executes_vendor_violators;
allow cameraserver thermal_manager_exec:file { read getattr open execute};
allow cameraserver init:unix_stream_socket connectto;
@ -327,7 +323,7 @@ allow cameraserver camera_rsc_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow cameraserver proc_ged:file {open read write ioctl getattr};
#allow cameraserver proc_ged:file {open read write ioctl getattr};
# Date : WK16.33
# Operation : Migration
@ -367,7 +363,7 @@ allow cameraserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.25
# Operation : Migration
allow cameraserver debugfs_tracing:file { write open };
#allow cameraserver debugfs_tracing:file { write open };
allow cameraserver nvram_data_file:dir { add_name write create};
allow cameraserver nvram_data_file:file { write getattr setattr read create open };
allow cameraserver debugfs_ion:dir search;
@ -397,4 +393,4 @@ allow cameraserver camera_mfb_device:chr_file rw_file_perms;
# Operation : MT6771 SQC
# Purpose: Allow permgr access
allow cameraserver proc_perfmgr:dir {read search};
allow cameraserver proc_perfmgr:file {open read ioctl};
#allow cameraserver proc_perfmgr:file {open read ioctl};


@ -68,6 +68,7 @@ allow ccci_mdinit bootdevice_block_device:blk_file rw_file_perms;
set_prop(ccci_mdinit, ril_mux_report_case_prop)
typeattribute ccci_mdinit data_between_core_and_vendor_violators;
allow ccci_mdinit mdlog_data_file:dir search;
allow ccci_mdinit mdlog_data_file:file r_file_perms;


@ -25,5 +25,5 @@ allow cmddumper media_rw_data_file:dir { create_dir_perms };
allow cmddumper file_contexts_file:file { read getattr open };
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow cmddumper sysfs:file { read open };
#allow cmddumper sysfs:file { read open };


@ -4,4 +4,4 @@
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow drmserver proc_ged:file {open read write ioctl getattr};
#allow drmserver proc_ged:file {open read write ioctl getattr};


@ -9,6 +9,7 @@ set_prop(dumpstate, debug_bq_dump_prop);
allow dumpstate aed_device:chr_file { read getattr };
# Purpose: data/dumpsys/*
typeattribute dumpstate data_between_core_and_vendor_violators;
allow dumpstate aee_dumpsys_data_file:dir { w_dir_perms };
allow dumpstate aee_dumpsys_data_file:file { create_file_perms };
@ -35,19 +36,18 @@ allow dumpstate debugfs_page_owner_slim_debug:file { read open };
allow dumpstate debugfs_ion_mm_heap:dir search;
allow dumpstate debugfs_ion_mm_heap:file { read open };
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_ion_mm_heap:lnk_file read;
allow dumpstate debugfs_cpuhvfs:dir search;
allow dumpstate debugfs_cpuhvfs:file { read open };
# Purpose: /sys/kernel/ccci/md_chn
allow dumpstate sysfs_ccci:dir search;
allow dumpstate sysfs_ccci:file { read open };
#allow dumpstate sysfs_ccci:file { read open };
# Purpose: leds status
allow dumpstate sysfs_leds:lnk_file read;
# Purpose: /sys/module/lowmemorykiller/parameters/adj
allow dumpstate sysfs_lowmemorykiller:file { read open };
#allow dumpstate sysfs_lowmemorykiller:file { read open };
allow dumpstate sysfs_lowmemorykiller:dir search;
# Purpose: /dev/block/mmcblk0p10
@ -69,7 +69,7 @@ allow dumpstate aee_aed:unix_stream_socket { read write ioctl };
# allow dumpstate config_gz:file read;
allow dumpstate sysfs_leds:dir r_dir_perms;
allow dumpstate sysfs_leds:file r_file_perms;
#allow dumpstate sysfs_leds:file r_file_perms;
# Purpose: 01-01 08:30:57.260 3070 3070 W aee_dumpstate: type=1400 audit(0.0:13196): avc: denied
# { read } for name="SF_dump" dev="dm-0" ino=352257 scontext=u:r:dumpstate:s0 tcontext=u:object_r:


@ -8,6 +8,7 @@ allow em_svr misc_sd_device:chr_file { read open ioctl };
allow em_svr als_ps_device:chr_file { read ioctl open };
allow em_svr gsensor_device:chr_file { read ioctl open };
allow em_svr gyroscope_device:chr_file { read ioctl open };
typeattribute em_svr data_between_core_and_vendor_violators;
allow em_svr nvram_data_file:dir { write read open add_name search };
allow em_svr nvram_data_file:file { write getattr setattr read create open };
allow em_svr nvram_data_file:lnk_file read;
@ -15,30 +16,30 @@ allow em_svr nvdata_file:lnk_file read;
allow em_svr nvdata_file:dir { write read open add_name search };
allow em_svr nvdata_file:file { write getattr setattr read create open };
allow em_svr nvram_device:chr_file { open read write ioctl };
typeattribute em_svr system_executes_vendor_violators;
allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans };
allow em_svr proc_mtkcooler:dir search;
allow em_svr proc_mtkcooler:file { read getattr open write };
#allow em_svr proc_mtkcooler:file { read getattr open write };
allow em_svr proc_thermal:dir search;
allow em_svr proc_thermal:file { read getattr open write };
#allow em_svr proc_thermal:file { read getattr open write };
allow em_svr proc_mtktz:dir search;
allow em_svr proc_mtktz:file { read getattr open write };
allow em_svr proc_slogger:file { read getattr open write };
allow em_svr proc_lk_env:file { read getattr open write ioctl};
#allow em_svr proc_mtktz:file { read getattr open write };
#allow em_svr proc_slogger:file { read getattr open write };
#allow em_svr proc_lk_env:file { read getattr open write ioctl};
allow em_svr para_block_device:blk_file { read open };
# Date: 2015/12/22
# Operation : M Migration
# Purpose : Battery Log can change temperature
userdebug_or_eng(`
allow em_svr proc_battery_cmd:dir search;
allow em_svr proc_battery_cmd:file { read getattr open write };
#allow em_svr proc_battery_cmd:file { read getattr open write };
')
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow em_svr proc_ged:file {open read write ioctl getattr};
#allow em_svr proc_ged:file {open read write ioctl getattr};
# Date : WK17.42
# Purpose: Allow to query md log filter bin
allow em_svr md_block_device:blk_file { read open };
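Review bot: `allow em_svr thermal_manager_exec:file { getattr execute read open execute_no_trans };`, which the new `typeattribute em_svr system_executes_vendor_violators;` makes legal, includes `execute_no_trans`, so the binary runs inside the em_svr domain with all of em_svr's permissions instead of in the thermal_manager domain. The cameraserver and mediaserver sections pair the same attribute with `domain_auto_trans(..., thermal_manager_exec, thermal_manager)`, which confines the child; unless em_svr genuinely needs in-domain execution, switching to `domain_auto_trans(em_svr, thermal_manager_exec, thermal_manager)` and dropping `execute_no_trans` would match them and limit what the executed binary can do. The exec rule is pre-existing context, but the attribute is what now sanctions it, so this is the place to decide. The rule list continues outside the hunk.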


@ -57,11 +57,11 @@ allow emdlogger storage_file:file { create_file_perms };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow emdlogger sysfs:file { read open };
#allow emdlogger sysfs:file { read open };
# Allow read to sys/kernel/ccci/* files
allow emdlogger sysfs_ccci:dir search;
allow emdlogger sysfs_ccci:file r_file_perms;
#allow emdlogger sysfs_ccci:file r_file_perms;
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0


@ -5,7 +5,6 @@
# Type Declaration
# ==============================================
# ==============================================
# MTK Policy Rule
# ==============================================
@ -52,13 +51,12 @@ allow factory vmodem_device:chr_file rw_file_perms;
# Purpose: for nand project
allow factory mtd_device:dir search;
allow factory mtd_device:chr_file rw_file_perms;
allow factory mtd_device:chr_file rw_file_perms;
allow factory self:capability sys_resource;
allow factory pro_info_device:chr_file rw_file_perms;
# Data: WK15.28
# Purpose: for mt-ramdump reset
allow factory proc_mrdump_rst:file w_file_perms;
#allow factory proc_mrdump_rst:file w_file_perms;
#Date: WK15.31
#Purpose: define factory_data_file instead of system_data_file
@ -75,6 +73,7 @@ allow factory factory_idle_state_prop:property_service set;
# Date: WK15.46
# Purpose: gps factory mode
typeattribute factory data_between_core_and_vendor_violators;
allow factory agpsd_data_file:dir search;
allow factory apk_data_file:dir write;
#allow factory gps_data_file:dir r_dir_perms;
@ -220,7 +219,7 @@ allow factory input_device:dir rw_dir_perms;
# Purpose: N Migration For ccci sysfs node
# Allow read to sys/kernel/ccci/* files
allow factory sysfs_ccci:dir search;
allow factory sysfs_ccci:file r_file_perms;
#allow factory sysfs_ccci:file r_file_perms;
# Date: WK16.18
# Purpose: N Migration For boot_mode
@ -228,7 +227,7 @@ allow factory sysfs_ccci:file r_file_perms;
# avc: denied { read } for name="boot_mode" dev="sysfs" ino=117
# scontext=u:r:factory:s0 tcontext=u:object_r:sysfs:s0
# tclass=file permissive=0
allow factory sysfs:file rw_file_perms;
#allow factory sysfs:file rw_file_perms;
# Date: WK16.30
#Purpose: For gps test
@ -259,7 +258,7 @@ allow factory flashlight_device:chr_file rw_file_perms;
# Date : WK16.48
# Purpose: For SmartPa speaker calibration
allow factory proc:dir search;
allow factory proc:file {open read write};
#allow factory proc:file {open read write};
# Date: WK15.25
#Purpose: for unmount sdcardfs and stop services which are using data partition
@ -270,19 +269,19 @@ allow factory tmpfs:filesystem unmount;
allow factory sysfs:dir { read open };
allow factory sysfs_leds:dir search;
allow factory sysfs_leds:lnk_file read;
allow factory sysfs_vibrator:file {open read write};
#allow factory sysfs_vibrator:file {open read write};
allow factory ion_device:chr_file { read open ioctl };
allow factory debugfs_ion:dir search;
allow factory proc:file ioctl;
#allow factory proc:file ioctl;
# Date: WK17.27
# Purpose: STMicro NFC solution integration
allow factory st21nfc_device:chr_file { open read getattr write ioctl };
allow factory nfc_socket:dir search;
allow factory vendor_file:file { getattr execute execute_no_trans read open };
#allow factory vendor_file:file { getattr execute execute_no_trans read open };
set_prop(factory,hwservicemanager_prop);
hwbinder_use(factory);
hal_client_domain(factory, hal_nfc);
allow factory debugfs_tracing:file { open write };
#allow factory debugfs_tracing:file { open write };
# Date : WK17.32
# Operation : O Migration
@ -293,10 +292,9 @@ allow factory mtk_cmdq_device:chr_file { read ioctl open };
# Purpose: add selinux policy to stop 'ccci_fsd' for clear emmc in factory mode
set_prop(factory,ctl_ccci_fsd_prop);
# Date : WK17.38
# Operation : O Migration
# Purpose: Allow to access sysfs
allow factory sysfs_therm:dir search;
allow factory sysfs_therm:file {open read write};
#allow factory sysfs_therm:file {open read write};


@ -281,7 +281,7 @@
/dev/socket/soc_vt_svc(/.*)? u:object_r:soc_vt_svc_socket:s0
/dev/socket/soc_vt_tcv(/.*)? u:object_r:soc_vt_tcv_socket:s0
/dev/socket/sysctl(/.*)? u:object_r:sysctl_socket:s0
/dev/socket/vold(/.*)? u:object_r:vold_socket:s0
#/dev/socket/vold(/.*)? u:object_r:vold_socket:s0
/dev/socket/volte_vt(/.*)? u:object_r:volte_vt_socket:s0
/dev/socket/wpa_wlan0(/.*)? u:object_r:wpa_wlan0_socket:s0
/dev/stpant(/.*)? u:object_r:stpant_device:s0
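Review bot: Commenting out `/dev/socket/vold(/.*)? u:object_r:vold_socket:s0` removes the only labelling for the vold socket visible in this file, and nothing in the hunk says whether the platform file_contexts already provides it. If the entry was a duplicate of the platform one (presumably the cause of the build failure), a comment saying so, e.g. `# vold socket label is provided by the platform file_contexts`, stops someone restoring it; if it was not, the socket falls back to the generic label for /dev/socket and clients that are allowed only vold_socket start being denied. Worth confirming the platform entry before this lands.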


@ -53,6 +53,7 @@ allow fuelgauged self:netlink_route_socket { bind create getattr write nlmsg_rea
# Purpose : For fg daemon can access /data/FG folder
file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file);
allow fuelgauged fuelgauged_file:file rw_file_perms;
typeattribute fuelgauged data_between_core_and_vendor_violators;
allow fuelgauged system_data_file:dir rw_dir_perms;
# Data : WK16.21
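Review bot: The attribute added here sanctions `allow fuelgauged system_data_file:dir rw_dir_perms;` on the next line, which is broader than the stated purpose: `file_type_auto_trans(fuelgauged, system_data_file, fuelgauged_file)` already labels what the daemon creates, and creating entries in the /data/FG folder needs only `{ search write add_name }` (plus `remove_name` if it deletes files), whereas rw_dir_perms expands to r_dir_perms plus w_dir_perms and so also grants listing and entry removal on every directory labelled system_data_file that the daemon can reach. The fuelgauged_nvram section has the identical pair, and the mnld section's `{ write add_name }` shows the narrower form already in use on this page. Narrowing is a one-line change in each place and does not touch the auto-transition.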


@ -27,6 +27,7 @@ init_daemon_domain(fuelgauged_nvram)
# Purpose : For fg daemon can access /data/FG folder
file_type_auto_trans(fuelgauged_nvram, system_data_file, fuelgauged_nvram_file);
allow fuelgauged_nvram fuelgauged_nvram_file:file rw_file_perms;
typeattribute fuelgauged_nvram data_between_core_and_vendor_violators;
allow fuelgauged_nvram system_data_file:dir rw_dir_perms;
# Data : WK16.21


@ -26,6 +26,7 @@ allow fuelgauged_static kmsg_device:chr_file w_file_perms;
# Data : WK16.21
# Operation : New Feature
# Purpose : For fg daemon can do nvram r/w to save car_tune_value
typeattribute fuelgauged_static data_between_core_and_vendor_violators;
allow fuelgauged_static nvdata_file:dir rw_dir_perms;
allow fuelgauged_static nvdata_file:file {rw_file_perms create_file_perms};
allow fuelgauged_static nvram_data_file:lnk_file rw_file_perms;


@ -21,6 +21,7 @@ allow kernel system_data_file:lnk_file r_file_perms;
# Date : WK14.31
# Operation : Migration
# Purpose : transit from kernel to aee_core_forwarder domain when executing aee_core_forwarder
typeattribute kernel system_executes_vendor_violators;
domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)
# Date : WK14.43
@ -49,6 +50,7 @@ allow kernel proc_thermal:dir search;
# because wifi driver need to access nvram to get radio configuration. On Userdebug or Eng load,
# factory engineers may need to update nvram by Egineer Mode, so we need to grant write permissions
# on Eng or Userdebug load
typeattribute kernel data_between_core_and_vendor_violators;
allow kernel nvram_data_file:dir search;
allow kernel nvram_data_file:file r_file_perms;
allow kernel nvram_data_file:lnk_file read;
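Review bot: The kernel domain receives both `system_executes_vendor_violators` and `data_between_core_and_vendor_violators` in this section, which exempts the most privileged domain on the device from the core/vendor separation neverallows, and the surrounding comments only describe the rules beneath them. The data exemption is at least explained by the wifi-driver nvram comment above it; the exec one sanctions `domain_auto_trans(kernel, aee_core_forwarder_exec, aee_core_forwarder)`, where the kernel domain itself executes what is presumably a vendor-labelled binary, and a comment on why it cannot be launched from init like the other vendor daemons on this page would help the next reviewer, e.g. `# Violator: kernel execs the core-dump forwarder directly; no init-launched alternative yet`. Both attributes here deserve a revisit once the migration this commit starts is complete.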


@ -10,5 +10,5 @@ allow keystore app_data_file:file write;
# Date : WK17.30 2017/07/25
# Operation : keystore
# Purpose : Fix keystore boot selinux violation
allow keystore debugfs_tracing:file write;
#allow keystore debugfs_tracing:file write;
allow hal_keymaster_default debugfs_tracing:file write;
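Review bot: With `#allow keystore debugfs_tracing:file write;` disabled, the remaining `allow hal_keymaster_default debugfs_tracing:file write;` is the only live rule under a comment block headed `# Purpose : Fix keystore boot selinux violation`, which no longer describes it. Tracing writes are debug functionality; the em_svr section on this page wraps comparable debug rules in userdebug_or_eng(`...'), and the same gating would keep the keymaster HAL's tracefs write out of user builds, i.e. userdebug_or_eng(`allow hal_keymaster_default debugfs_tracing:file write;'). If the write is required on user builds, the purpose comment should say so.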


@ -36,7 +36,7 @@ allow mdlogger storage_file:file { create_file_perms };
# Allow read to sys/kernel/ccci/* files
allow mdlogger sysfs_ccci:dir search;
allow mdlogger sysfs_ccci:file r_file_perms;
#allow mdlogger sysfs_ccci:file r_file_perms;
# purpose: allow mdlogger to access storage in new version
allow mdlogger media_rw_data_file:file { create_file_perms };


@ -4,4 +4,4 @@
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mediaextractor proc_ged:file {open read write ioctl getattr};
#allow mediaextractor proc_ged:file {open read write ioctl getattr};


@ -22,6 +22,7 @@ allow mediaserver lens_device:chr_file rw_file_perms;
# Purpose : Set audio driver permission to access SD card for debug purpose and accss NVRam.
allow mediaserver sdcard_type:dir { w_dir_perms create };
allow mediaserver sdcard_type:file create;
typeattribute mediaserver data_between_core_and_vendor_violators;
allow mediaserver nvram_data_file:dir w_dir_perms;
allow mediaserver nvram_data_file:file create_file_perms;
allow mediaserver nvram_data_file:lnk_file read;
@ -304,6 +305,7 @@ allow mediaserver camera_tsf_device:chr_file rw_file_perms;
# Operation : N Migration
# Purpose : add permission for thermal manager
domain_auto_trans(mediaserver, thermal_manager_exec, thermal_manager)
typeattribute mediaserver system_executes_vendor_violators;
allow mediaserver thermal_manager_exec:file { read getattr open execute};
# Date : WK16.32
@ -345,7 +347,7 @@ allow mediaserver camera_owe_device:chr_file rw_file_perms;
# Date : WK17.27
# Operation : O Migration
# Purpose : m4u Driver
allow mediaserver proc:file r_file_perms;
#allow mediaserver proc:file r_file_perms;
# Date : WK17.29
# Operation : O Migration


@ -59,6 +59,7 @@ allow merged_hal_service init:unix_stream_socket connectto;
allow merged_hal_service property_socket:sock_file write;
allow merged_hal_service sysfs:file write;
#allow merged_hal_service self:capability { fowner chown dac_override fsetid };
typeattribute merged_hal_service data_between_core_and_vendor_violators;
allow merged_hal_service system_data_file:dir create_file_perms;
allow merged_hal_service nvram_device:chr_file rw_file_perms;
allow merged_hal_service pro_info_device:chr_file rw_file_perms;


@ -39,6 +39,7 @@ allow meta_tst cache_block_device:blk_file rw_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : for meta mode nvram
typeattribute meta_tst data_between_core_and_vendor_violators;
allow meta_tst nvram_data_file:dir create_dir_perms;
allow meta_tst nvram_data_file:file create_file_perms;
allow meta_tst nvram_data_file:lnk_file r_file_perms;
@ -49,7 +50,6 @@ allow meta_tst nvram_device:chr_file rw_file_perms;
allow meta_tst nvram_device:blk_file rw_file_perms;
allow meta_tst nvdata_device:blk_file rw_file_perms;
# Date: WK14.47
# Operation : Migration
# Purpose : for meta mode audio
@ -63,7 +63,6 @@ set_prop(meta_tst, audiohal_prop);
allow meta_tst rtc_device:chr_file r_file_perms;
allow meta_tst MT_pmic_adc_cali_device:chr_file rw_file_perms;
# Date: WK14.45
# Operation : Migration
# Purpose : HDCP
@ -120,7 +119,6 @@ allow meta_tst FM50AF_device:chr_file rw_file_perms;
# Purpose : meta mode wifi
allow meta_tst wmtWifi_device:chr_file w_file_perms;
# Date: WK16.12
# Operation : Migration
# Purpose : meta mode BT
@ -157,8 +155,7 @@ allow meta_tst key_install_data_file:file create_file_perms;
# Date: WK14.51
# Purpose : set/get cryptfs cfg in sys env
allow meta_tst misc_device:chr_file rw_file_perms;
allow meta_tst proc_lk_env:file rw_file_perms;
#allow meta_tst proc_lk_env:file rw_file_perms;
# Purpose : FT_EMMC_OP_FORMAT_TCARD
allow meta_tst block_device:blk_file getattr;
@ -179,7 +176,6 @@ allow meta_tst self:process execmem;
allow meta_tst mtd_device:dir search;
allow meta_tst mtd_device:chr_file rw_file_perms;
# Date: WK15.38
# Purpose: M Migration for CCT linker fail
allow meta_tst sdcard_type:dir create_dir_perms;
@ -191,14 +187,14 @@ allow meta_tst storage_file:lnk_file read;
# Date: WK16.17
# Purpose: N Migration For ccci sysfs node
allow meta_tst sysfs_ccci:dir search;
allow meta_tst sysfs_ccci:file r_file_perms;
#allow meta_tst sysfs_ccci:file r_file_perms;
#Date: W16.17
# Purpose: N Migration for meta_tst get com port type and uart port info
# detail avc log: [ 11.751803] <1>.(1)[227:logd.auditd]type=1400 audit(1262304016.560:10):
#avc: denied { read } for pid=203 comm="meta_tst" name="meta_com_type_info" dev=
#"sysfs" ino=11073 scontext=u:r:meta_tst:s0 tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow meta_tst sysfs:file rw_file_perms;
#allow meta_tst sysfs:file rw_file_perms;
#Date: W16.17
# Purpose: N Migration For meta_tst load MD NVRAM database
@ -259,7 +255,7 @@ allow meta_tst self:netlink_socket create_socket_perms_no_ioctl;
allow meta_tst self:rawip_socket create;
allow meta_tst self:udp_socket create_socket_perms_no_ioctl;
allow meta_tst self:rawip_socket create_socket_perms_no_ioctl;
allow meta_tst proc_ged:file r_file_perms;
#allow meta_tst proc_ged:file r_file_perms;
allowxperm meta_tst self:udp_socket ioctl {SIOCSIFFLAGS SIOCGIFCONF SIOCIWFIRSTPRIV_08 SIOCIWFIRSTPRIV_09};
allow meta_tst meta_tst:netlink_generic_socket { read write getattr bind create setopt };
@ -294,11 +290,11 @@ allow meta_tst system_data_file:lnk_file read;
allow meta_tst st21nfc_device:chr_file { open read write ioctl };
allow meta_tst factory_data_file:sock_file { write unlink };
allow meta_tst nfc_socket:dir search;
allow meta_tst vendor_file:file { getattr execute execute_no_trans read open };
#allow meta_tst vendor_file:file { getattr execute execute_no_trans read open };
set_prop(meta_tst,hwservicemanager_prop);
hwbinder_use(meta_tst);
hal_client_domain(meta_tst, hal_nfc);
allow meta_tst debugfs_tracing:file { open write };
#allow meta_tst debugfs_tracing:file { open write };
# Date: W17.29
# Purpose : Allow meta_tst to call vendor.mediatek.hardware.keymaster_attestation@1.0-service.
@ -308,7 +304,7 @@ hal_client_domain(meta_tst, mtk_hal_keyattestation)
# Operation : Android O migration
# Purpose : add sepolicy for accessing sysfs_leds
allow meta_tst sysfs_leds:lnk_file read;
allow meta_tst sysfs_leds:file rw_file_perms;
#allow meta_tst sysfs_leds:file rw_file_perms;
allow meta_tst sysfs_leds:dir r_dir_perms;
# Date: WK17.43
@ -345,15 +341,15 @@ binder_call(meta_tst, mtk_hal_audio)
allow meta_tst mtk_hal_audio:binder call;
allow meta_tst hal_audio_hwservice:hwservice_manager find;
allow meta_tst mtk_audiohal_data_file:dir {read search open};
allow meta_tst proc:file {read open};
#allow meta_tst proc:file {read open};
allow meta_tst audio_device:chr_file rw_file_perms;
allow meta_tst audio_device:dir w_dir_perms;
allow meta_tst audiohal_prop:property_service set;
#Data:W1745
# Purpose : Allow meta_tst to open and read proc/bootprof
allow meta_tst proc:file write;
allow meta_tst proc:file getattr;
#allow meta_tst proc:file write;
#allow meta_tst proc:file getattr;
# Date:W17.51
# Operation : lbs hal


@ -49,6 +49,7 @@ allow mnld lbs_hidl_service:unix_dgram_socket sendto;
allow mnld merged_hal_service:unix_dgram_socket sendto;
# Purpose : For access system data
typeattribute mnld data_between_core_and_vendor_violators;
allow mnld system_data_file:dir { write add_name };
allow mnld system_data_file:lnk_file read;
allow mnld bootdevice_block_device:blk_file rw_file_perms;


@ -1,14 +1,15 @@
#scp
allow mobile_log_d sysfs_scp:file { open write };
#allow mobile_log_d sysfs_scp:file { open write };
allow mobile_log_d sysfs_scp:dir search;
allow mobile_log_d scp_device:chr_file { read open };
#sspm
allow mobile_log_d sysfs_sspm:file { open write };
#allow mobile_log_d sysfs_sspm:file { open write };
allow mobile_log_d sysfs_sspm:dir search;
allow mobile_log_d sspm_device:chr_file { read open };
#data/misc/mblog
typeattribute mobile_log_d data_between_core_and_vendor_violators;
allow mobile_log_d logmisc_data_file:dir { relabelto create_dir_perms };
allow mobile_log_d logmisc_data_file:file create_file_perms;


@ -17,6 +17,8 @@ type MPED_exec, exec_type, file_type, vendor_file_type;
init_daemon_domain(MPED)
net_domain(MPED)
typeattribute MPED data_between_core_and_vendor_violators;
# Date : WK15.29
# Operation : Feature Developing
# Purpose : Setup Connection with GPS for sensor aiding data exchange


@ -34,6 +34,7 @@ allow mtk_agpsd mnt_user_file:dir create_dir_perms;
allow mtk_agpsd tmpfs:lnk_file create_file_perms;
allow mtk_agpsd storage_file:lnk_file create_file_perms;
allow mtk_agpsd mnt_user_file:lnk_file create_file_perms;
typeattribute mtk_agpsd data_between_core_and_vendor_violators;
allow mtk_agpsd media_rw_data_file:dir { search write add_name read open };
allow mtk_agpsd media_rw_data_file:file { create open append read getattr };


@ -47,6 +47,7 @@ allow mtk_hal_audio nvdata_file:dir w_dir_perms;
allow mtk_hal_audio nvdata_file:file create_file_perms;
allow mtk_hal_audio sdcard_type:dir remove_name;
allow mtk_hal_audio sdcard_type:file unlink;
typeattribute mtk_hal_audio data_between_core_and_vendor_violators;
allow mtk_hal_audio system_data_file:lnk_file read;
# Date : WK14.34


@ -34,6 +34,7 @@ userdebug_or_eng(`
')
# Logging for backward compatibility
typeattribute mtk_hal_bluetooth data_between_core_and_vendor_violators;
allow mtk_hal_bluetooth bluetooth_data_file:dir ra_dir_perms;
allow mtk_hal_bluetooth bluetooth_data_file:file create_file_perms;


@ -29,7 +29,6 @@ vndbinder_use(mtk_hal_camera)
allow mtk_hal_camera hwservicemanager_prop:file { open read getattr };
# -----------------------------------
# Purpose: Allow camerahalserver to perform binder IPC to servers and callbacks.
# -----------------------------------
@ -119,7 +118,6 @@ allow mtk_hal_camera CAM_CAL_DRV_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV1_device:chr_file rw_file_perms;
allow mtk_hal_camera CAM_CAL_DRV2_device:chr_file rw_file_perms;
# -----------------------------------
# Purpose: Other device drivers used by camera
# -----------------------------------
@ -127,7 +125,6 @@ allow mtk_hal_camera ion_device:chr_file rw_file_perms;
allow mtk_hal_camera sw_sync_device:chr_file getattr;
allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
# -----------------------------------
# Purpose: Filesystem in Userspace (FUSE)
# - sdcard access (buffer dump for EM mode)
@ -135,7 +132,6 @@ allow mtk_hal_camera MTK_SMI_device:chr_file r_file_perms;
allow mtk_hal_camera fuse:dir { search read write };
allow mtk_hal_camera fuse:file rw_file_perms;
# -----------------------------------
# Purpose: Storage access
# -----------------------------------
@ -148,20 +144,16 @@ allow mtk_hal_camera nvram_data_file:file { write getattr setattr read create op
allow mtk_hal_camera nvram_device:chr_file rw_file_perms;
allow mtk_hal_camera self:netlink_kobject_uevent_socket { create setopt bind };
## Date : WK14.XX-15.XX
## sdcard access - dump for debug
allow mtk_hal_camera sdcard_type:dir { write add_name create };
allow mtk_hal_camera sdcard_type:file { append create getattr };
# -----------------------------------
# Purpose: property access
# -----------------------------------
allow mtk_hal_camera mtkcam_prop:file { open read getattr };
# -----------------------------------
# Android O
# Purpose: Shell Debugging
@ -171,7 +163,6 @@ allow mtk_hal_camera mtkcam_prop:file { open read getattr };
allow mtk_hal_camera shell:unix_stream_socket { read write };
allow mtk_hal_camera shell:fifo_file write;
# -----------------------------------
# Android O
# Purpose: AEE Debugging
@ -188,7 +179,6 @@ allow mtk_hal_camera dumpstate:fifo_file write;
allow mtk_hal_camera aee_exp_data_file:dir { w_dir_perms };
allow mtk_hal_camera aee_exp_data_file:file { create_file_perms };
# -----------------------------------
# Android O
# Purpose: Debugging
@ -196,7 +186,6 @@ allow mtk_hal_camera aee_exp_data_file:file { create_file_perms };
# Purpose: libmemunreachable.so/GetUnreachableMemory()
allow mtk_hal_camera self:process { ptrace };
################################################################################
# Date : WK14.XX-15.XX
# Operation : Copy from Media server
@ -206,7 +195,6 @@ allow mtk_hal_camera nvdata_file:dir { write search add_name };
allow mtk_hal_camera nvdata_file:file { read write getattr setattr open create };
allow mtk_hal_camera proc_meminfo:file { read getattr open };
## Purpose : for low SD card latency issue
allow mtk_hal_camera sysfs_lowmemorykiller:file { read open };
@ -224,6 +212,7 @@ allow mtk_hal_camera untrusted_app:dir search;
allow mtk_hal_camera offloadservice_device:chr_file rw_file_perms;
## Purpose: for camera middleware dump image buffer to sdcard & audio frameworks dump
typeattribute mtk_hal_camera data_between_core_and_vendor_violators;
allow mtk_hal_camera system_data_file:dir write;
allow mtk_hal_camera storage_file:lnk_file {read write};
allow mtk_hal_camera mnt_user_file:dir {write read search};
@ -260,7 +249,6 @@ allow mtk_hal_camera proc_ged:file {open read write ioctl getattr};
## Purpose: Allow to call hal_graphics_allocator binder.
allow mtk_hal_camera system_data_file:lnk_file read;
allow mtk_hal_camera debugfs_tracing:file { write open };
## Purpose : camera3 IT/CTS


@ -29,6 +29,7 @@ allow mtk_hal_power sysfs_devices_system_cpu:file write;
allow mtk_hal_power debugfs_ged:dir search;
allow mtk_hal_power debugfs_ged:file { getattr open read write };
typeattribute mtk_hal_power data_between_core_and_vendor_violators;
allow mtk_hal_power system_data_file:dir { create write add_name };
# proc_thermal


@ -5,6 +5,7 @@
# Date : WK14.37
# Operation : Migration
# Purpose : for opetator
typeattribute mtkbootanimation data_between_core_and_vendor_violators;
allow mtkbootanimation custom_file:dir search;
allow mtkbootanimation custom_file:file r_file_perms;
allow mtkbootanimation bootani_prop:property_service set;
@ -16,12 +17,12 @@ allow mtkbootanimation qemu_pipe_device:chr_file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow mtkbootanimation proc_ged:file {open read write ioctl getattr};
#allow mtkbootanimation proc_ged:file {open read write ioctl getattr};
# Date : WK14.31
# Operation : Migration
# Purpose : access to sec mem proc interface.
allow mtkbootanimation proc_secmem:file { read open};
#allow mtkbootanimation proc_secmem:file { read open};
# Date : WK14.36
# Operation : Migration
@ -52,4 +53,4 @@ allow mtkbootanimation guiext-server_service:service_manager find;
# Operation : Migration
# Purpose : FPSGO integration
allow mtkbootanimation proc_perfmgr:dir {search read};
allow mtkbootanimation proc_perfmgr:file {open read ioctl};
#allow mtkbootanimation proc_perfmgr:file {open read ioctl};
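Review bot: Disabling `allow mtkbootanimation proc_perfmgr:file {open read ioctl};` while keeping `allow mtkbootanimation proc_perfmgr:dir {search read};` on the line above leaves a half-disabled pair: the directory rule now grants nothing the domain can use, and together with `# Purpose : FPSGO integration` it reads as if perfmgr access is still intended. Either remove both lines or keep both, and prefer deleting a rule to leaving it as a `#allow` comment under its original justification, since the next reader will take it for active policy. If the access is actually needed at runtime the removed rule will return as an avc denial; a short comment naming the neverallow that the rule tripped, e.g. `# proc_perfmgr file access removed: tripped <neverallow-name> at build time; re-add once the node has a label that passes`, would tell the next person what to fix. The same dir/file split is introduced for surfaceflinger `proc_perfmgr` and for system_server `proc_mtktz` and `proc_perfmgr` in the sections further down.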


@ -45,6 +45,7 @@ allow rild bluetooth_efs_file:dir r_dir_perms;
# Allow access permission to dir/files
# (radio data/system data/proc/etc)
typeattribute rild data_between_core_and_vendor_violators;
allow rild radio_data_file:dir rw_dir_perms;
allow rild radio_data_file:file create_file_perms;
allow rild sdcard_type:dir r_dir_perms;


@ -52,6 +52,7 @@ allow mtkrild bluetooth_efs_file:dir r_dir_perms;
# Allow access permission to dir/files
# (radio data/system data/proc/etc)
typeattribute mtkrild data_between_core_and_vendor_violators;
allow mtkrild radio_data_file:dir rw_dir_perms;
allow mtkrild radio_data_file:file create_file_perms;
allow mtkrild sdcard_type:dir r_dir_perms;


@ -1,7 +1,6 @@
# ==============================================
# Policy File of /vendor/bin/nvram_agent_binder Executable File
# ==============================================
# Type Declaration
# ==============================================
@ -18,7 +17,6 @@ init_daemon_domain(nvram_agent_binder)
# Purpose : ensure nvram user can access nvram file normally.
allow nvram_agent_binder nvram_agent_service:service_manager add;
# Date : WK14.43
# Operation : 2rd Selinux Migration
# Purpose : the role of nvram_agent_binder is same with nvram_daemon except property_set & exect permission
@ -42,6 +40,7 @@ allow nvram_agent_binder init:unix_stream_socket connectto;
allow nvram_agent_binder property_socket:sock_file write;
allow nvram_agent_binder sysfs:file write;
#allow nvram_agent_binder self:capability { fowner chown dac_override fsetid };
typeattribute nvram_agent_binder data_between_core_and_vendor_violators;
allow nvram_agent_binder system_data_file:dir create_file_perms;
# Purpose: for backup
@ -57,7 +56,6 @@ allow nvram_agent_binder mtd_device:chr_file rw_file_perms;
#for nvram agent hidl
allow nvram_agent_binder hwservicemanager_prop:file r_file_perms;
#for nvram hidl client support
allow nvram_agent_binder sysfs:file { read open };
allow nvram_agent_binder system_data_file:lnk_file read;


@ -70,6 +70,7 @@ allow nvram_daemon proc_lk_env:file rw_file_perms;
# Purpose: for workaround
# Todo: Remove this policy
typeattribute nvram_daemon data_between_core_and_vendor_violators;
allow nvram_daemon system_data_file:dir write;
# Purpose: property set


@ -72,7 +72,7 @@ allow platform_app aee_aed:unix_stream_socket connectto;
# Date : WK17.31
# Operation : O Migration
# Purpose : m4u Driver
allow platform_app proc:file r_file_perms;
#allow platform_app proc:file r_file_perms;
# Date : WK17.44
# Operation : O Migration


@ -160,7 +160,7 @@ allow radio hal_nfc_hwservice:hwservice_manager find;
binder_call(radio, hal_nfc)
binder_call(hal_nfc, radio)
hwbinder_use(radio);
allow radio debugfs_tracing:file write;
#allow radio debugfs_tracing:file write;
#hal_client_domain(radio, hal_nfc)
typeattribute radio halclientdomain;
typeattribute radio hal_nfc_client;


@ -25,6 +25,7 @@ file_type_auto_trans(stp_dump3,system_data_file,stp_dump_data_file)
allow stp_dump3 self:netlink_socket { read write getattr bind create setopt };
allow stp_dump3 self:netlink_generic_socket { read write getattr bind create setopt };
#allow stp_dump3 media_rw_data_file:sock_file { write create unlink setattr };
typeattribute stp_dump3 data_between_core_and_vendor_violators;
allow stp_dump3 media_rw_data_file:dir { add_name setattr };
allow stp_dump3 media_rw_data_file:dir rmdir;
allow stp_dump3 media_rw_data_file:dir { open read write create setattr getattr add_name remove_name search};


@ -10,7 +10,7 @@ allow surfaceflinger debug_prop:property_service set;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow surfaceflinger proc_ged:file {open read write ioctl getattr};
#allow surfaceflinger proc_ged:file {open read write ioctl getattr};
# Date : W16.42
# Operation : Integration
@ -20,16 +20,16 @@ allow surfaceflinger gpu_device:dir search;
# Date : WK17.12
# Purpose: Fix bootup fail
allow surfaceflinger proc:file r_file_perms;
#allow surfaceflinger proc:file r_file_perms;
#============= surfaceflinger ==============
allow surfaceflinger debugfs_ion:dir search;
#============= surfaceflinger ==============
allow surfaceflinger debugfs_tracing:file write;
#allow surfaceflinger debugfs_tracing:file write;
#============= surfaceflinger ==============
allow surfaceflinger debugfs_tracing:file open;
#allow surfaceflinger debugfs_tracing:file open;
# Date : WK17.30
# Operation : O Migration
@ -56,7 +56,7 @@ allow surfaceflinger mtkbootanimation:file { read getattr open };
# Operation : Migration
# Purpose: Allow to access perfmgr
allow surfaceflinger proc_perfmgr:dir {read search};
allow surfaceflinger proc_perfmgr:file {open read ioctl};
#allow surfaceflinger proc_perfmgr:file {open read ioctl};
# Date : WK17.43
# Operation : Debug


@ -14,9 +14,10 @@ allow system_server wmtWifi_device:chr_file w_file_perms;
#allow system_server gps_data_file:dir rw_dir_perms;
# /proc access.
allow system_server proc:file w_file_perms;
#allow system_server proc:file w_file_perms;
# /data/dontpanic access.
typeattribute system_server data_between_core_and_vendor_violators;
allow system_server dontpanic_data_file:dir search;
# /data/agps_supl access.
@ -35,7 +36,7 @@ allow system_server zygote:binder impersonate;
allow system_server ctl_bootanim_prop:property_service set;
# After connected to DHCPv6, enabled 6to4 IPv6 AP to get property.
allow system_server proc_net:file w_file_perms;
#allow system_server proc_net:file w_file_perms;
r_dir_file(system_server, wide_dhcpv6_data_file)
# For dumpsys.
@ -72,7 +73,7 @@ allow system_server sysfs_dcm:file rw_file_perms;
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow system_server proc_ged:file {open read write ioctl getattr};
#allow system_server proc_ged:file {open read write ioctl getattr};
# Date : WK16.36
# Purpose: Allow to set property log.tag.WifiHW to control log level of WifiHW
@ -106,7 +107,7 @@ allow system_server ttyMT_device:chr_file rw_file_perms;
# Operation : thermal hal Feature developing
# Purpose : thermal hal interface permission
allow system_server proc_mtktz:dir search;
allow system_server proc_mtktz:file r_file_perms;
#allow system_server proc_mtktz:file r_file_perms;
# Date : WK16.46
# Operation: PowerManager set persist.meta.connecttype property
@ -204,7 +205,6 @@ allow system_server dhcp_data_file:file create_file_perms;
# Purpose : lbs hidl interface permission
hal_client_domain(system_server, mtk_hal_lbs)
# Date : WK17.12
# Operation : MT6799 SQC
# Purpose : Change thermal config
@ -215,4 +215,4 @@ allow system_server mtk_thermal_config_prop:property_service set;
# Operation : Migration
# Purpose : perfmgr permission
allow system_server proc_perfmgr:dir {read search};
allow system_server proc_perfmgr:file {open read ioctl};
#allow system_server proc_perfmgr:file {open read ioctl};


@ -18,6 +18,7 @@ allow thermal_manager proc_thermal:dir search;
allow thermal_manager proc_mtkcooler:file rw_file_perms;
allow thermal_manager proc_mtktz:file rw_file_perms;
allow thermal_manager proc_thermal:file rw_file_perms;
typeattribute thermal_manager data_between_core_and_vendor_violators;
allow thermal_manager system_data_file:dir { write add_name };
#allow thermal_manager self:capability { fowner chown fsetid dac_override };
@ -32,7 +33,6 @@ allow thermal_manager mediaserver:fifo_file { read write };
#allow thermal_manager pq:fd use;
allow thermal_manager mediaserver:tcp_socket { read write };
# Date : WK16.30
# Operation : Migration
# Purpose : Use file_type_auto_trans to specify label to avoid violated(never allow)


@ -37,7 +37,9 @@ allow untrusted_app_25 sysfs_therm:file { getattr open read };
# Operation: Development RenderScript opt
# Purpose : Allow RenderScript Opt RS2CL to invoke standalone executable
# properly for thermal tests at OEM/ODM.
typeattribute untrusted_app_25 system_executes_vendor_violators;
allow untrusted_app_25 vendor_file:file execute_no_trans;
typeattribute untrusted_app system_executes_vendor_violators;
allow untrusted_app vendor_file:file execute_no_trans;
# Date : WK17.39
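Review bot: `allow untrusted_app vendor_file:file execute_no_trans;` lets any third-party app run any binary labelled `vendor_file` inside its own domain, and `typeattribute untrusted_app system_executes_vendor_violators;` above it only silences the neverallow that exists to prevent exactly that; the comment two lines earlier gives the need as thermal tests at OEM/ODM, which does not justify a grant on every build. The hunk header reports two added lines and the same pair already exists for untrusted_app_25, so whichever two lines are new, the rule now covers both app domains. Wrap both lines in `userdebug_or_eng(` … `)`, the macro this policy already uses, and replace `vendor_file` with a dedicated exec type for the one test binary so the violator attribute can be dropped.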


@ -12,6 +12,7 @@ allow vold iso9660:filesystem unmount;
# Date : WK16.19
# Operation : Migration
# Purpose : dotrim for the mountpoints in fstab
typeattribute vold data_between_core_and_vendor_violators;
allow vold nvdata_file:dir r_dir_perms;
allow vold protect_f_data_file:dir r_dir_perms;
allow vold protect_s_data_file:dir r_dir_perms;


@ -4,7 +4,7 @@
# Date : WK16.33
# Purpose: Allow to access ged for gralloc_extra functions
allow zygote proc_ged:file {open read write ioctl getattr};
#allow zygote proc_ged:file {open read write ioctl getattr};
# Date : WK17.02
# Purpose: Allow to access gpu for memtrack functions


@ -100,13 +100,13 @@ allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
allow aee_aed dumpstate:dir search;
allow aee_aed dumpstate:file r_file_perms;
allow aee_aed proc:file rw_file_perms;
#allow aee_aed proc:file rw_file_perms;
allow aee_aed logdr_socket:sock_file write;
allow aee_aed logd:unix_stream_socket connectto;
# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule
# vibrator
allow aee_aed sysfs_vibrator:file w_file_perms;
#allow aee_aed sysfs_vibrator:file w_file_perms;
# Data : 2017/03/22
# Operation : add NE flow rule for Android O
@ -133,4 +133,4 @@ allow aee_aed crash_dump:file r_file_perms;
# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow aee_aed sysfs:file r_file_perms;
#allow aee_aed sysfs:file r_file_perms;
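Review bot: The audit-log comment on the three lines above still explains why `allow aee_aed sysfs:file r_file_perms;` was added (a denied read of name="atag,devinfo" on sysfs), but the rule beneath it is now disabled, so the comment documents a denial that will recur rather than a permission that is granted; `# vibrator` above the disabled `sysfs_vibrator` rule has the same problem. Either delete the dead `#allow` lines together with their justification, or replace the justification with the decision, e.g. `# sysfs read of atag,devinfo disabled: hits a neverallow on the generic sysfs label (presumably); give the node its own label via genfscon before re-enabling`. The boot_logo_updater section further down carries the same stale annotation, `# for path="/proc/cmdline ...` above two commented-out `proc:file` rules, and the whole aee_aed section is repeated later on this page, so whichever fix is chosen has to be made in both copies.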


@ -24,7 +24,6 @@ binder_call(audiocmdservice_atci, audioserver)
allow audiocmdservice_atci audioserver:dir w_dir_perms;
allow audiocmdservice_atci audioserver_service:service_manager find;
# Access to fuse file system
allow audiocmdservice_atci sdcard_type:file create_file_perms;
allow audiocmdservice_atci sdcard_type:dir w_dir_perms;
@ -33,8 +32,6 @@ allow audiocmdservice_atci sdcard_type:dir w_dir_perms;
allow audiocmdservice_atci media_rw_data_file:dir create_dir_perms;
allow audiocmdservice_atci media_rw_data_file:file create_file_perms;
#To access the file at /dev/kmsg
allow audiocmdservice_atci kmsg_device:chr_file w_file_perms;
@ -48,4 +45,4 @@ allow radio audiocmdservice_atci_exec:file getattr;
#Android O porting
hwbinder_use(audiocmdservice_atci)
get_prop(audiocmdservice_atci, hwservicemanager_prop);
allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;
#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;


@ -23,7 +23,7 @@ allow boot_logo_updater init:unix_stream_socket connectto;
allow boot_logo_updater property_socket:sock_file write;
#allow boot_logo_updater self:capability dac_override;
# To access some boot_mode infornation
allow boot_logo_updater sysfs:file rw_file_perms;
#allow boot_logo_updater sysfs:file rw_file_perms;
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
allow boot_logo_updater block_device:dir search;
allow boot_logo_updater graphics_device:dir search;
@ -40,10 +40,10 @@ allow boot_logo_updater sysfs:dir read;
# sanity fail for ALPS03604686:
# for path="/sys/firmware/devicetree/base/firmware/android/fstab" andfor name = "cmdline" and "mtdblock14"
allow boot_logo_updater mtd_device:blk_file read;
allow boot_logo_updater proc:file read;
#allow boot_logo_updater proc:file read;
allow boot_logo_updater sysfs:dir open;
# for path="/proc/cmdline and ="/dev/block/mtdblock14"
allow boot_logo_updater proc:file open;
#allow boot_logo_updater proc:file open;
allow boot_logo_updater system_data_file:dir write;
allow boot_logo_updater mtd_device:blk_file open;


@ -42,10 +42,8 @@ allow bootanim surfaceflinger:fifo_file rw_file_perms;
allow bootanim gpu_device:dir search;
#============= bootanim ==============
#allow bootanim debugfs_tracing:file write;
#============= bootanim ==============
allow bootanim debugfs_tracing:file write;
#============= bootanim ==============
allow bootanim debugfs_tracing:file open;
#allow bootanim debugfs_tracing:file open;


@ -38,4 +38,5 @@ allow cmddumper media_rw_data_file:dir { create_dir_perms };
allow cmddumper file_contexts_file:file { read getattr open };
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow cmddumper sysfs:file { read open };
#allow cmddumper sysfs:file { read open };


@ -3,4 +3,4 @@
# ======================
# =======drmserver======
allow drmserver sysfs:file { read open };
#allow drmserver sysfs:file { read open };


@ -14,7 +14,7 @@ allow dumpstate mnt_user_file:lnk_file read;
allow dumpstate storage_file:lnk_file read;
# Purpose: timer_intval. this is neverallow
allow dumpstate sysfs:file r_file_perms;
#allow dumpstate sysfs:file r_file_perms;
allow dumpstate app_data_file:dir search;
allow dumpstate kmsg_device:chr_file r_file_perms;


@ -1,7 +1,6 @@
# ==============================================
# Policy File of /system/bin/em_svr Executable File
# ==============================================
# Type Declaration
# ==============================================
@ -26,8 +25,8 @@ init_daemon_domain(em_svr)
# Date: W14.38 2014/09/17
# Operation : Migration
# Purpose : for em_svr
allow em_svr proc:file write;
allow em_svr sysfs:file write;
#allow em_svr proc:file write;
#allow em_svr sysfs:file write;
allow em_svr shell_exec:file { read execute open getattr execute_no_trans };
allow em_svr system_file:file execute_no_trans;
allow em_svr block_device:dir search;
@ -35,7 +34,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl};
allow em_svr graphics_device:dir search;
allow em_svr radio_data_file:dir { search write add_name create };
allow em_svr radio_data_file:file { create write open read };
allow em_svr sysfs_devices_system_cpu:file write;
#allow em_svr sysfs_devices_system_cpu:file write;
#allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
allow em_svr self:process execmem;
allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
@ -43,7 +42,6 @@ allow em_svr kernel:system module_request;
allow em_svr sdcard_type:dir create_dir_perms;
allow em_svr sdcard_type:file create_file_perms;
# Date: 2015/08/09
# Operation : M Migration
# Purpose : set policy for surfaceflinger_service
@ -63,8 +61,8 @@ binder_call(em_svr, surfaceflinger)
# Purpose : add policy for desense/Power/Memory access system file
allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans };
allow em_svr vendor_toolbox_exec:file { getattr };
allow em_svr proc:file { open read };
allow em_svr sysfs:file { read };
#allow em_svr proc:file { open read };
#allow em_svr sysfs:file { read };
# Date: 2017/07/19
# Operation : O Migration
@ -76,13 +74,12 @@ allow em_svr system_data_file:lnk_file { read };
# Purpose : add policy for system data file access
allow em_svr system_data_file:file open;
# Date: 2017/07/13
# Operation: O Migration
# Purpose: add policy for backlight file access
allow em_svr sysfs_leds:dir search;
allow em_svr sysfs_leds:lnk_file read;
allow em_svr sysfs:file open;
#allow em_svr sysfs:file open;
# Date: WK1742
# Purpose: add em_svr to access md log filter in sdcard


@ -49,7 +49,7 @@ allow emdlogger storage_file:file { create_file_perms };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow emdlogger sysfs:file { read open };
#allow emdlogger sysfs:file { read open };
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0


@ -12,7 +12,6 @@ typeattribute factory coredomain;
# ==============================================
init_daemon_domain(factory)
allow factory property_socket:sock_file write;
allow factory init:unix_stream_socket connectto;
allow factory kernel:system module_request;
@ -24,7 +23,7 @@ allow factory sdcard_type:dir r_dir_perms;
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow factory self:netlink_route_socket create_socket_perms;
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
allow factory proc_net:file { read getattr open };
#allow factory proc_net:file { read getattr open };
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
@ -32,7 +31,7 @@ allow factory self:process execmem;
allow factory self:tcp_socket create_stream_socket_perms;
allow factory self:udp_socket create_socket_perms;
allow factory sysfs_wake_lock:file rw_file_perms;
#allow factory sysfs_wake_lock:file rw_file_perms;
allow factory system_data_file:dir w_dir_perms;
allow factory system_data_file:sock_file create_file_perms;
allow factory system_file:file x_file_perms;


@ -16,6 +16,7 @@ typeattribute kisd coredomain;
init_daemon_domain(kisd)
allow kisd tee_device:chr_file {read write open ioctl};
typeattribute kisd data_between_core_and_vendor_violators;
allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
allow kisd provision_file:file {create read write open getattr unlink};
allow kisd system_file:file {execute_no_trans};


@ -48,7 +48,7 @@ allow mdlogger file_contexts_file:file { read getattr open };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow mdlogger sysfs:file { read open };
#allow mdlogger sysfs:file { read open };
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0


@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind };
allow meta_tst self:tcp_socket { bind setopt listen accept read write };
allow meta_tst self:udp_socket { create ioctl };
allow meta_tst self:capability { sys_boot ipc_lock };
allow meta_tst sysfs_wake_lock:file rw_file_perms;
#allow meta_tst sysfs_wake_lock:file rw_file_perms;
#allow meta_tst sysfs:file write;
allow meta_tst property_socket:sock_file w_file_perms;
#allow meta_tst vold_socket:sock_file w_file_perms;


@ -60,10 +60,10 @@ allow mobile_log_d mmc_prop:file { getattr open };
allow mobile_log_d safemode_prop:file { getattr open };
#proc/ access
allow mobile_log_d proc:file r_file_perms;
#allow mobile_log_d proc:file r_file_perms;
# boot_mdoe file access
allow mobile_log_d sysfs:file { open read };
#allow mobile_log_d sysfs:file { open read };
# purpose: allow MobileLog to access storage in N version
allow mobile_log_d media_rw_data_file:file create_file_perms;
@ -71,6 +71,6 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
# access debugfs/tracing/instances/
allow mobile_log_d debugfs_tracing:dir create_dir_perms;
allow mobile_log_d debugfs_tracing:file create_file_perms;
#allow mobile_log_d debugfs_tracing:file create_file_perms;
allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
#allow mobile_log_d debugfs_tracing_instances:file create_file_perms;


@ -39,9 +39,9 @@ allow mtkbootanimation hal_graphics_allocator:fd use;
allow mtkbootanimation hal_graphics_composer:fd use;
# Read access to pseudo filesystems.
r_dir_file(mtkbootanimation, proc)
allow mtkbootanimation proc_meminfo:file r_file_perms;
r_dir_file(mtkbootanimation, sysfs)
#r_dir_file(mtkbootanimation, proc)
#allow mtkbootanimation proc_meminfo:file r_file_perms;
#r_dir_file(mtkbootanimation, sysfs)
r_dir_file(mtkbootanimation, cgroup)
# System file accesses.
@ -89,7 +89,7 @@ allow mtkbootanimation gpu_device:dir search;
#============= bootanim ==============
allow mtkbootanimation debugfs_tracing:file write;
#allow mtkbootanimation debugfs_tracing:file write;
#============= bootanim ==============
allow mtkbootanimation debugfs_tracing:file open;
#allow mtkbootanimation debugfs_tracing:file open;


@ -31,7 +31,7 @@ allow servicemanager thermalindicator:process { getattr };
typeattribute thermalindicator mlstrustedsubject;
allow thermalindicator proc:dir {search getattr};
allow thermalindicator proc:file read;
#allow thermalindicator proc:file read;
allow thermalindicator shell:dir search;
allow thermalindicator platform_app:dir search;
allow thermalindicator platform_app:file {open read getattr};


@ -5,4 +5,4 @@
# volume manager
#============= vold ==============
allow vold debugfs_tracing:file write;
#allow vold debugfs_tracing:file write;


@ -100,13 +100,13 @@ allow aee_aed dumpstate:unix_stream_socket { read write ioctl };
allow aee_aed dumpstate:dir search;
allow aee_aed dumpstate:file r_file_perms;
allow aee_aed proc:file rw_file_perms;
#allow aee_aed proc:file rw_file_perms;
allow aee_aed logdr_socket:sock_file write;
allow aee_aed logd:unix_stream_socket connectto;
# allow aee_aed system_ndebug_socket:sock_file write; mask for never allow rule
# vibrator
allow aee_aed sysfs_vibrator:file w_file_perms;
#allow aee_aed sysfs_vibrator:file w_file_perms;
# Data : 2017/03/22
# Operation : add NE flow rule for Android O
@ -133,4 +133,4 @@ allow aee_aed crash_dump:file r_file_perms;
# [ 217.196275] <0>.(0)[209:logd.auditd]type=1400 audit(1262304561.676:377): avc: denied { read }
# for pid=1486 comm="aee_aed" name="atag,devinfo" dev="sysfs" ino=2349 scontext=u:r:aee_aed:s0
# tcontext=u:object_r:sysfs:s0 tclass=file permissive=0
allow aee_aed sysfs:file r_file_perms;
#allow aee_aed sysfs:file r_file_perms;


@ -49,4 +49,4 @@ allow radio audiocmdservice_atci_exec:file getattr;
#Android O porting
hwbinder_use(audiocmdservice_atci)
get_prop(audiocmdservice_atci, hwservicemanager_prop);
allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;
#allow audiocmdservice_atci debugfs_tracing:file rw_file_perms;


@ -23,7 +23,7 @@ allow boot_logo_updater init:unix_stream_socket connectto;
allow boot_logo_updater property_socket:sock_file write;
#allow boot_logo_updater self:capability dac_override;
# To access some boot_mode infornation
allow boot_logo_updater sysfs:file rw_file_perms;
#allow boot_logo_updater sysfs:file rw_file_perms;
# To access directory /dev/block/mmcblk0 or /dev/block/sdc
allow boot_logo_updater block_device:dir search;
allow boot_logo_updater graphics_device:dir search;


@ -44,7 +44,7 @@ allow bootanim gpu_device:dir search;
#============= bootanim ==============
allow bootanim debugfs_tracing:file write;
#allow bootanim debugfs_tracing:file write;
#============= bootanim ==============
allow bootanim debugfs_tracing:file open;
#allow bootanim debugfs_tracing:file open;


@ -38,4 +38,4 @@ allow cmddumper media_rw_data_file:dir { create_dir_perms };
allow cmddumper file_contexts_file:file { read getattr open };
# purpose: access /sys/devices/virtual/BOOT/BOOT/boot/boot_mode
allow cmddumper sysfs:file { read open };
#allow cmddumper sysfs:file { read open };


@ -3,4 +3,4 @@
# ======================
# =======drmserver======
allow drmserver sysfs:file { read open };
#allow drmserver sysfs:file { read open };


@ -14,7 +14,7 @@ allow dumpstate mnt_user_file:lnk_file read;
allow dumpstate storage_file:lnk_file read;
# Purpose: timer_intval. this is neverallow
allow dumpstate sysfs:file r_file_perms;
#allow dumpstate sysfs:file r_file_perms;
allow dumpstate app_data_file:dir search;
allow dumpstate kmsg_device:chr_file r_file_perms;


@ -26,8 +26,8 @@ init_daemon_domain(em_svr)
# Date: W14.38 2014/09/17
# Operation : Migration
# Purpose : for em_svr
allow em_svr proc:file write;
allow em_svr sysfs:file write;
#allow em_svr proc:file write;
#allow em_svr sysfs:file write;
allow em_svr shell_exec:file { read execute open getattr execute_no_trans };
allow em_svr system_file:file execute_no_trans;
allow em_svr block_device:dir search;
@ -35,7 +35,7 @@ allow em_svr graphics_device:chr_file { read write open ioctl};
allow em_svr graphics_device:dir search;
allow em_svr radio_data_file:dir { search write add_name create };
allow em_svr radio_data_file:file { create write open read };
allow em_svr sysfs_devices_system_cpu:file write;
#allow em_svr sysfs_devices_system_cpu:file write;
#allow em_svr self:capability { dac_override sys_nice fowner chown fsetid };
allow em_svr self:process execmem;
allow em_svr system_data_file:dir { write remove_name add_name relabelfrom create open };
@ -63,8 +63,8 @@ binder_call(em_svr, surfaceflinger)
# Purpose : add policy for desense/Power/Memory access system file
allow em_svr toolbox_exec:file { getattr execute read open execute_no_trans };
allow em_svr vendor_toolbox_exec:file { getattr };
allow em_svr proc:file { open read };
allow em_svr sysfs:file { read };
#allow em_svr proc:file { open read };
#allow em_svr sysfs:file { read };
# Date: 2017/07/19
# Operation : O Migration
@ -81,5 +81,5 @@ allow em_svr system_data_file:file open;
# Purpose: add policy for backlight file access
allow em_svr sysfs_leds:dir search;
allow em_svr sysfs_leds:lnk_file read;
allow em_svr sysfs:file open;
#allow em_svr sysfs:file open;


@ -49,7 +49,7 @@ allow emdlogger storage_file:file { create_file_perms };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow emdlogger sysfs:file { read open };
#allow emdlogger sysfs:file { read open };
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:emdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0


@ -24,7 +24,7 @@ allow factory sdcard_type:dir r_dir_perms;
### TBD, neverallowxperm on line 177 of system/sepolicy/public/domain.te
#allow factory self:netlink_route_socket create_socket_perms;
allow factory self:netlink_route_socket { bind create getattr write nlmsg_read read nlmsg_write };
allow factory proc_net:file { read getattr open };
#allow factory proc_net:file { read getattr open };
allowxperm factory self:udp_socket ioctl priv_sock_ioctls;
allowxperm factory self:udp_socket ioctl {SIOCGIFFLAGS SIOCGIWNWID};
@ -32,7 +32,7 @@ allow factory self:process execmem;
allow factory self:tcp_socket create_stream_socket_perms;
allow factory self:udp_socket create_socket_perms;
allow factory sysfs_wake_lock:file rw_file_perms;
#allow factory sysfs_wake_lock:file rw_file_perms;
allow factory system_data_file:dir w_dir_perms;
allow factory system_data_file:sock_file create_file_perms;
allow factory system_file:file x_file_perms;


@ -16,6 +16,7 @@ typeattribute kisd coredomain;
init_daemon_domain(kisd)
allow kisd tee_device:chr_file {read write open ioctl};
typeattribute kisd data_between_core_and_vendor_violators;
allow kisd provision_file:dir {read write open ioctl add_name search remove_name};
allow kisd provision_file:file {create read write open getattr unlink};
allow kisd system_file:file {execute_no_trans};


@ -47,7 +47,7 @@ allow mdlogger file_contexts_file:file { read getattr open };
#permission for read boot mode
#avc: denied { open } path="/sys/devices/virtual/BOOT/BOOT/boot/boot_mode" dev="sysfs"
allow mdlogger sysfs:file { read open };
#allow mdlogger sysfs:file { read open };
# Allow read avc: denied { read } for name="mddb" dev="mmcblk0p25" ino=681
# scontext=u:r:mdlogger:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0


@ -26,7 +26,7 @@ allow meta_tst self:tcp_socket { create connect setopt bind };
allow meta_tst self:tcp_socket { bind setopt listen accept read write };
allow meta_tst self:udp_socket { create ioctl };
allow meta_tst self:capability { sys_boot ipc_lock };
allow meta_tst sysfs_wake_lock:file rw_file_perms;
#allow meta_tst sysfs_wake_lock:file rw_file_perms;
#allow meta_tst sysfs:file write;
allow meta_tst property_socket:sock_file w_file_perms;
#allow meta_tst vold_socket:sock_file w_file_perms;


@ -60,10 +60,10 @@ allow mobile_log_d mmc_prop:file { getattr open };
allow mobile_log_d safemode_prop:file { getattr open };
#proc/ access
allow mobile_log_d proc:file r_file_perms;
#allow mobile_log_d proc:file r_file_perms;
# boot_mdoe file access
allow mobile_log_d sysfs:file { open read };
#allow mobile_log_d sysfs:file { open read };
# purpose: allow MobileLog to access storage in N version
allow mobile_log_d media_rw_data_file:file create_file_perms;
@ -71,6 +71,6 @@ allow mobile_log_d media_rw_data_file:dir create_dir_perms;
# access debugfs/tracing/instances/
allow mobile_log_d debugfs_tracing:dir create_dir_perms;
allow mobile_log_d debugfs_tracing:file create_file_perms;
#allow mobile_log_d debugfs_tracing:file create_file_perms;
allow mobile_log_d debugfs_tracing_instances:dir create_dir_perms;
allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
#allow mobile_log_d debugfs_tracing_instances:file create_file_perms;
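Review bot: In the second hunk the `debugfs_tracing:file` and `debugfs_tracing_instances:file` rules are commented out while `debugfs_tracing:dir create_dir_perms` and `debugfs_tracing_instances:dir create_dir_perms` stay live, so mobile_log_d can still create and remove trace instance directories but can no longer read or write any file inside them; that is either half a removal or half a grant. If tracing from this domain is going away, the dir rules should go with the file rules; if it is staying, a dedicated type for the instance directory mobile_log_d owns is the narrower grant. In the first hunk `#allow mobile_log_d proc:file r_file_perms;` and `#allow mobile_log_d sysfs:file { open read };` drop generic proc/sysfs reads, and the comments `#proc/ access` and `# boot_mdoe file access` above them now describe nothing and should be rewritten to name the specific label that is meant to be granted.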


@ -6,7 +6,7 @@ allow system_server zygote:binder impersonate;
# Property service.
allow system_server ctl_bootanim_prop:property_service set;
# After connected to DHCPv6, enabled 6to4 IPv6 AP to get property.
allow system_server proc_net:file w_file_perms;
#allow system_server proc_net:file w_file_perms;
# Querying zygote socket.
allow system_server zygote:unix_stream_socket { getopt getattr };
# Date : WK16.36
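Review bot: `#allow system_server proc_net:file w_file_perms;` disables the write path that the comment above it (`# After connected to DHCPv6, enabled 6to4 IPv6 AP to get property.`) still describes as live. Write access to /proc/net from system_server is a broad grant, so dropping it is the right direction; the replacement should presumably route that network sysctl write through netd, and the comment should say so, e.g. `# proc_net write removed; 6to4 setup is expected to go through netd`.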


@ -31,7 +31,7 @@ allow servicemanager thermalindicator:process { getattr };
typeattribute thermalindicator mlstrustedsubject;
allow thermalindicator proc:dir {search getattr};
allow thermalindicator proc:file read;
#allow thermalindicator proc:file read;
allow thermalindicator shell:dir search;
allow thermalindicator platform_app:dir search;
allow thermalindicator platform_app:file {open read getattr};
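Review bot: `#allow thermalindicator proc:file read;` removes the file read while `allow thermalindicator proc:dir {search getattr};` directly above it stays, so the domain can still walk /proc but not read the node it was after; the denial that follows should report that node's specific `proc_*` label, and that label is what should be granted instead of generic `proc`. The unchanged `typeattribute thermalindicator mlstrustedsubject;` above is worth a second look while here, since MLS trust combined with /proc search is presumably more than a thermal indicator needs.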


@ -5,4 +5,4 @@
# volume manager
#============= vold ==============
allow vold debugfs_tracing:file write;
#allow vold debugfs_tracing:file write;