universal7904: Rework sepolicy
Change-Id: Ia6b25c9e15b1f44941265fab33b627718c0f2506
diff --git a/BoardConfigCommon.mk b/BoardConfigCommon.mk
index 9ede38b..1e74598 100644
--- a/BoardConfigCommon.mk
+++ b/BoardConfigCommon.mk
@@ -80,7 +80,6 @@
# Sepolicy
ifneq ($(LINEAGE_BUILD),)
include device/lineage/sepolicy/exynos/sepolicy.mk
-BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor-lineage
endif
include device/samsung_slsi/sepolicy/sepolicy.mk
BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
diff --git a/sepolicy/vendor-lineage/hal_lineage_fastcharge_default.te b/sepolicy/vendor-lineage/hal_lineage_fastcharge_default.te
deleted file mode 100644
index 31fc983..0000000
--- a/sepolicy/vendor-lineage/hal_lineage_fastcharge_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_lineage_fastcharge_default sysfs_virtual:dir search;
-allow hal_lineage_fastcharge_default sysfs_virtual:file rw_file_perms;
diff --git a/sepolicy/vendor-lineage/hal_lineage_touch_default.te b/sepolicy/vendor-lineage/hal_lineage_touch_default.te
deleted file mode 100644
index 8d63eb2..0000000
--- a/sepolicy/vendor-lineage/hal_lineage_touch_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_lineage_touch_default sysfs_virtual:dir search;
-allow hal_lineage_touch_default sysfs_virtual:file rw_file_perms;
diff --git a/sepolicy/vendor/adbd.te b/sepolicy/vendor/adbd.te
deleted file mode 100644
index 9becff0..0000000
--- a/sepolicy/vendor/adbd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow adbd proc_last_kmsg:file r_file_perms;
diff --git a/sepolicy/vendor/apexd.te b/sepolicy/vendor/apexd.te
deleted file mode 100644
index 25801cb..0000000
--- a/sepolicy/vendor/apexd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow apexd sysfs_virtual:file rw_file_perms;
diff --git a/sepolicy/vendor/app.te b/sepolicy/vendor/app.te
deleted file mode 100644
index 9949db8..0000000
--- a/sepolicy/vendor/app.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(appdomain, exported_camera_prop)
diff --git a/sepolicy/vendor/audioserver.te b/sepolicy/vendor/audioserver.te
new file mode 100644
index 0000000..b5e41f9
--- /dev/null
+++ b/sepolicy/vendor/audioserver.te
@@ -0,0 +1,2 @@
+# ro.vendor.qti.va_aosp.support
+dontaudit audioserver vendor_default_prop:file read;
diff --git a/sepolicy/vendor/bootanim.te b/sepolicy/vendor/bootanim.te
index 8733e3c..75852e1 100644
--- a/sepolicy/vendor/bootanim.te
+++ b/sepolicy/vendor/bootanim.te
@@ -1,3 +1 @@
-get_prop(bootanim, userspace_reboot_exported_prop)
-
dontaudit bootanim system_data_file:dir search;
diff --git a/sepolicy/vendor/cbd.te b/sepolicy/vendor/cbd.te
index f1e3d01..f22816b 100644
--- a/sepolicy/vendor/cbd.te
+++ b/sepolicy/vendor/cbd.te
@@ -1,2 +1 @@
-allow cbd factoryprop_efs_file:file r_file_perms;
-allow cbd sysfs_info:file r_file_perms;
+allow cbd sysfs_info:file { open read };
diff --git a/sepolicy/vendor/crash_dump.te b/sepolicy/vendor/crash_dump.te
deleted file mode 100644
index 138407f..0000000
--- a/sepolicy/vendor/crash_dump.te
+++ /dev/null
@@ -1,4 +0,0 @@
-get_prop(crash_dump, hwservicemanager_prop)
-get_prop(crash_dump, exported_camera_prop)
-
-allow crash_dump app_data_file:file read;
diff --git a/sepolicy/vendor/domain.te b/sepolicy/vendor/domain.te
index 1fa5437..38d9c34 100644
--- a/sepolicy/vendor/domain.te
+++ b/sepolicy/vendor/domain.te
@@ -1,19 +1,5 @@
-# domain.te
-
-# /sys/kernel/debug/mali
+allow domain debugfs_ion:dir search;
allow domain debugfs_mali:dir search;
-
-# /sys/kernel/debug/mali/mem
allow domain debugfs_mali_mem:dir search;
-# /sys/kernel/debug/dma_buf
-allow domain debugfs_ion_dma:dir search;
-
-# /sys/kernel/debug/ion
-allow domain debugfs_ion:dir search;
-
-# /sys/kernel/debug/tracing/trace_marker
-allow domain debugfs_trace_marker:file getattr;
-
-# /efs
-dontaudit domain efs_file:lnk_file read;
+dontaudit domain efs_file:lnk_file r_file_perms;
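Review bot: The three `allow domain debugfs_*:dir search;` rules that remain give every process on the device traversal into the ion and mali debugfs trees, and the path comments that explained them are deleted in the same hunk. In the visible part of this commit only `hal_memtrack_default` is given read access to `debugfs_ion` and `debugfs_mali_mem`, and `r_dir_file` already includes directory search for it, so the `domain`-wide rules look wider than needed. If a vendor library probes these paths from arbitrary processes, say so in a comment such as `# libion/mali userspace stats these dirs from any client; search only, no file access`; otherwise scope the rules to the domains that read the files.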
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index a59c3b2..0fa5fe1 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
@@ -1,13 +1,3 @@
-### efs types
-type radio_factoryapp_efs_file, file_type;
-type factoryprop_efs_file, file_type;
-type sensor_factoryapp_efs_file, file_type;
-type factorymode_factoryapp_efs_file, file_type;
-type baro_delta_factoryapp_efs_file, file_type;
-
-# gps
-type gps_socket, file_type;
-
# debugfs types
type debugfs_mali, fs_type, debugfs_type;
type debugfs_mali_mem, fs_type, debugfs_type;
@@ -15,38 +5,30 @@
type debugfs_ion_dma, fs_type, debugfs_type;
# proc
-type proc_extra, fs_type, proc_type;
-type proc_reset_reason, fs_type, proc_type;
type proc_swapiness, fs_type, proc_type;
# data types
-type fingerprintd_vendor_data_file, data_file_type, file_type;
type mediadrm_data_file, file_type, data_file_type;
type nfc_vendor_data_file, file_type, data_file_type;
# sysfs types
type sysfs_abox_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_block_writable, sysfs_type, rw_fs_type, fs_type;
type sysfs_sensor_writable, sysfs_type, rw_fs_type, fs_type;
type sysfs_input_writable, sysfs_type, rw_fs_type, fs_type;
-type sysfs_batteryinfo_charger_writable, sysfs_type, rw_fs_type, fs_type;
-type sysfs_camera_writable, sysfs_type, rw_fs_type, fs_type;
type sysfs_decon, sysfs_type, r_fs_type, fs_type;
-type sysfs_socinfo, sysfs_type, r_fs_type, fs_type;
type sysfs_v4l, sysfs_type, r_fs_type, fs_type;
type sysfs_v4l_mfc, sysfs_type, r_fs_type, fs_type;
type sysfs_v4l_smfc, sysfs_type, r_fs_type, fs_type;
type sysfs_v4l_fimc, sysfs_type, r_fs_type, fs_type;
type sysfs_graphics, fs_type, sysfs_type;
-type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_charger, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_modem, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_mmc_host_writable, sysfs_type, rw_fs_type, fs_type;
+type sysfs_multipdp, fs_type, sysfs_type;
+type sysfs_sec, fs_type, sysfs_type;
+type sysfs_gps, fs_type, sysfs_type;
+type sysfs_brightness, fs_type, sysfs_type;
+type sysfs_charger, fs_type, sysfs_type;
+type sysfs_modem, fs_type, sysfs_type;
+type sysfs_camera, fs_type, sysfs_type;
type sysfs_ss_writable, sysfs_type, rw_fs_type, fs_type;
-type sysfs_usb_writable, sysfs_type, rw_fs_type, fs_type;
type sysfs_gpu_writable, sysfs_type, rw_fs_type, fs_type;
type sysfs_info, sysfs_type, r_fs_type, fs_type;
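Review bot: `type debugfs_ion_dma` is still declared at the top of this hunk, but the commit removes its `genfscon debugfs /dma_buf` label and the rules on it in domain.te, hal_graphics_allocator_default.te, hal_graphics_composer_default.te and hal_memtrack_default.te, so nothing in the hunks shown refers to it any more. Drop the declaration as well unless a file outside this diff still uses it, since an unlabelled, unreferenced type only adds noise when the policy is audited. The new `sysfs_block_writable` type is labelled in genfs_contexts, but no allow rule for it appears in the visible part of the diff; a comment naming the domain that writes `discard_max_bytes` would make the intent checkable.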
diff --git a/sepolicy/vendor/file_contexts b/sepolicy/vendor/file_contexts
index b4062f0..c785543 100644
--- a/sepolicy/vendor/file_contexts
+++ b/sepolicy/vendor/file_contexts
@@ -1,4 +1,3 @@
-####################################
# Devices
/dev/mali[0-9]* u:object_r:gpu_device:s0
/dev/umts_ipc0 u:object_r:radio_device:s0
@@ -7,41 +6,23 @@
/dev/goodix_fp u:object_r:goodix_device:s0
/dev/gnss_ipc u:object_r:gps_device:s0
/dev/scsc_h4_0 u:object_r:bt_device:s0
-/dev/cpuset(/.*)? u:object_r:cgroup:s0
/dev/s5p-smem u:object_r:drm_device:s0
-
-# camera
/dev/m2m1shot_scaler0 u:object_r:m2m1shot_device:s0
-# usb
-/dev/android_ssusbcon(/.*)? u:object_r:usb_device:s0
-/dev/mtp_usb* u:object_r:mtp_device:s0
-/dev/usb(/.*)? u:object_r:usb_device:s0
-
-# adbroot and storaged
-/dev/stune(/.*)? u:object_r:cgroup:s0
-
-# blocks
+# Blocks
/dev/block/zram0 u:object_r:swap_block_device:s0
+/dev/block/platform/13500000.dwmmc0/by-name/OMR u:object_r:metadata_block_device:s0
-####################################
# efs
/mnt/vendor/cpefs(/.*)? u:object_r:efs_file:s0
-####################################
# data files
/data/vendor/nfc(/.*)? u:object_r:nfc_vendor_data_file:s0
-
-# drm
/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_data_file:s0
-
-# camera
/data/camera(/.*)? u:object_r:camera_data_file:s0
+/data/hostapd(/.*)? u:object_r:hostapd_data_file:s0
-####################################
-
-### VENDOR
-/(vendor|system/vendor)/bin/main_abox u:object_r:abox_exec:s0
-
+# Vendor
+/(vendor|system/vendor)/bin/main_abox u:object_r:abox_exec:s0
/(vendor|system/vendor)/bin/hw/android\.hardware\.camera\.provider@[0-9]\.[0-9]-service\.universal7904 u:object_r:hal_camera_default_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.universal7904 u:object_r:hal_vibrator_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.vibrator-service\.universal7904 u:object_r:hal_vibrator_default_exec:s0
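Review bot: The added `/data/hostapd(/.*)?` entry labels a directory outside `/data/vendor` from the vendor file_contexts, which places vendor-owned state in the core data area. Neither the declaration of `hostapd_data_file` nor the domains allowed to use it are visible in this diff, so confirm who writes there and whether the path can live under `/data/vendor` instead. The new `by-name/OMR` entry labelled `metadata_block_device` hands that partition to every domain with access to the metadata type; since the hunk also strips the section comments, a line such as `# OMR partition is reused as the metadata partition` (if that is the intent) should accompany it.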
diff --git a/sepolicy/vendor/fsck.te b/sepolicy/vendor/fsck.te
index e31506a..86149f6 100644
--- a/sepolicy/vendor/fsck.te
+++ b/sepolicy/vendor/fsck.te
@@ -1,5 +1,3 @@
-allow fsck cache_file:dir getattr;
+allow fsck cpefs_block_device:blk_file { ioctl open read write };
+allow fsck efs_block_device:blk_file { ioctl open read write };
allow fsck sysfs_battery:dir search;
-allow fsck tmpfs:blk_file getattr;
-allow fsck efs_block_device:blk_file rw_file_perms;
-allow fsck cpefs_block_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/genfs_contexts b/sepolicy/vendor/genfs_contexts
index cd8c148..93afcb4 100644
--- a/sepolicy/vendor/genfs_contexts
+++ b/sepolicy/vendor/genfs_contexts
@@ -1,82 +1,67 @@
-# DEBUGFS
-genfscon debugfs /mali/ u:object_r:debugfs_mali:s0
-genfscon debugfs /mali/mem/ u:object_r:debugfs_mali_mem:s0
-
-# ion debugfs
genfscon debugfs /ion/ u:object_r:debugfs_ion:s0
-genfscon debugfs /dma_buf u:object_r:debugfs_ion_dma:s0
-
-# PROC
-genfscon proc /extra u:object_r:proc_extra:s0
-genfscon proc /reset_reason u:object_r:proc_reset_reason:s0
+genfscon debugfs /mali/mem/ u:object_r:debugfs_mali_mem:s0
+genfscon debugfs /mali/ u:object_r:debugfs_mali:s0
genfscon proc /sys/vm/swappiness u:object_r:proc_swapiness:s0
-
-# SYSFS
-
-# class
-genfscon sysfs /class/video4linux u:object_r:sysfs_v4l:s0
-genfscon sysfs /class/input/input1 u:object_r:sysfs_input:s0
genfscon sysfs /class/backlight/panel/brightness u:object_r:sysfs_graphics:s0
genfscon sysfs /class/backlight/panel/max_brightness u:object_r:sysfs_graphics:s0
-
-# devices
-genfscon sysfs /devices/virtual u:object_r:sysfs_virtual:s0
-genfscon sysfs /devices/virtual/misc/multipdp u:object_r:sysfs_multipdp:s0
-genfscon sysfs /devices/virtual/sensors/sensor_dev/flush u:object_r:sysfs_sensor_writable:s0
+genfscon sysfs /class/input/input1 u:object_r:sysfs_input:s0
+genfscon sysfs /class/video4linux u:object_r:sysfs_v4l:s0
+genfscon sysfs /devices/platform/10000.mif_pdata/sim/ds_detect u:object_r:sysfs_sim_writable:s0
+genfscon sysfs /devices/platform/11ce0000.speedy/i2c-6/6-0000/s2mpu08-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/11ce0000.speedy/i2c-7/7-0000/s2mpu08-rtc/rtc u:object_r:sysfs_rtc:s0
+genfscon sysfs /devices/platform/11ce0000.speedy/i2c-7/7-0003/input/input11 u:object_r:sysfs_touchscreen_writable:s0
+genfscon sysfs /devices/platform/12c00000.smfc/video4linux u:object_r:sysfs_v4l_smfc:s0
+genfscon sysfs /devices/platform/12c30000.mfc0/video4linux u:object_r:sysfs_v4l_mfc:s0
+genfscon sysfs /devices/platform/13500000.dwmmc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0/queue/discard_max_bytes u:object_r:sysfs_block_writable:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-8/8-003b/power_supply/s2mu106-fuelgauge u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-8/8-003c/power_supply/s2mu106-usbpd u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13830000.i2c/i2c-9/9-003b/power_supply/s2mu004-fuelgauge u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-10/10-003d/s2mu004-charger/power_supply/otg u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-10/10-003d/s2mu004-charger/power_supply/s2mu004-charger u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-10/10-003d/s2mu004-muic/power_supply/muic-manager u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-charger/power_supply/otg u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-charger/power_supply/s2mu106-charger u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-muic/power_supply/muic-manager u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-powermeter/power_supply/s2mu106_pmeter u:object_r:sysfs_charger:s0
+genfscon sysfs /devices/platform/13930000.hsi2c/i2c-5/5-0048/input/ u:object_r:sysfs_touchscreen_writable:s0
+genfscon sysfs /devices/platform/14400000.fimc_is_sensor/video4linux u:object_r:sysfs_v4l_fimc:s0
+genfscon sysfs /devices/platform/14410000.fimc_is_sensor/video4linux u:object_r:sysfs_v4l_fimc:s0
+genfscon sysfs /devices/platform/14430000.fimc_is_sensor/video4linux u:object_r:sysfs_v4l_fimc:s0
+genfscon sysfs /devices/platform/14440000.fimc_is/video4linux u:object_r:sysfs_v4l_fimc:s0
+genfscon sysfs /devices/platform/14860000.decon_f u:object_r:sysfs_decon:s0
+genfscon sysfs /devices/platform/14870000.dsim/backlight/panel u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/14a50000.abox/service u:object_r:sysfs_abox_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/ac/type u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/battery/batt_capacity_max u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/battery/status u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/battery/type u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/battery u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/ps/status u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/ps/type u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/battery/power_supply/wireless/type u:object_r:sysfs_battery_writable:s0
+genfscon sysfs /devices/platform/gpio_keys/input/input12 u:object_r:sysfs_input:s0
+genfscon sysfs /devices/soc0/machine u:object_r:sysfs_sec_gps:s0
+genfscon sysfs /devices/soc0/revision u:object_r:sysfs_sec_gps:s0
+genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_ss_writable:s0
+genfscon sysfs /devices/virtual/block/zram0/mm_stat u:object_r:sysfs_zram:s0
+genfscon sysfs /devices/virtual/camera u:object_r:sysfs_camera:s0
+genfscon sysfs /devices/virtual/input/input10/enable u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input2/enable u:object_r:sysfs_input_writable:s0
+genfscon sysfs /devices/virtual/input/input2/poll_delay u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input3/enable u:object_r:sysfs_input_writable:s0
+genfscon sysfs /devices/virtual/input/input3/poll_delay u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input4/enable u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input5/enable u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input6/enable u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input7/enable u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input8/enable u:object_r:sysfs_input_writable:s0
-genfscon sysfs /devices/virtual/input/input9/enable u:object_r:sysfs_input_writable:s0
-genfscon sysfs /devices/virtual/input/input10/enable u:object_r:sysfs_input_writable:s0
-genfscon sysfs /devices/virtual/input/input2/poll_delay u:object_r:sysfs_input_writable:s0
-genfscon sysfs /devices/virtual/input/input3/poll_delay u:object_r:sysfs_input_writable:s0
genfscon sysfs /devices/virtual/input/input8/poll_delay u:object_r:sysfs_input_writable:s0
-genfscon sysfs /devices/platform/gpio_keys/input/input12 u:object_r:sysfs_input:s0
-genfscon sysfs /devices/platform/10000.mif_pdata/sim/ds_detect u:object_r:sysfs_sim_writable:s0
-genfscon sysfs /devices/platform/11ce0000.speedy/i2c-7/7-0000/s2mpu08-rtc/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/11ce0000.speedy/i2c-6/6-0000/s2mpu08-rtc/rtc u:object_r:sysfs_rtc:s0
-genfscon sysfs /devices/platform/11ce0000.speedy/i2c-7/7-0003/input/input11 u:object_r:sysfs_touchscreen_writable:s0
-genfscon sysfs /devices/platform/13930000.hsi2c/i2c-5/5-0048/input/ u:object_r:sysfs_touchscreen_writable:s0
-genfscon sysfs /devices/platform/14870000.dsim/backlight/panel u:object_r:sysfs_graphics:s0
-genfscon sysfs /devices/platform/14a50000.abox/service u:object_r:sysfs_abox_writable:s0
-genfscon sysfs /devices/platform/14860000.decon_f u:object_r:sysfs_decon:s0
-genfscon sysfs /devices/platform/14410000.fimc_is_sensor/video4linux u:object_r:sysfs_v4l_fimc:s0
-genfscon sysfs /devices/platform/14430000.fimc_is_sensor/video4linux u:object_r:sysfs_v4l_fimc:s0
-genfscon sysfs /devices/platform/14400000.fimc_is_sensor/video4linux u:object_r:sysfs_v4l_fimc:s0
-genfscon sysfs /devices/platform/14440000.fimc_is/video4linux u:object_r:sysfs_v4l_fimc:s0
-genfscon sysfs /devices/platform/12c30000.mfc0/video4linux u:object_r:sysfs_v4l_mfc:s0
-genfscon sysfs /devices/platform/12c00000.smfc/video4linux u:object_r:sysfs_v4l_smfc:s0
-genfscon sysfs /devices/soc0/soc_id u:object_r:sysfs_socinfo:s0
-genfscon sysfs /devices/soc0/machine u:object_r:sysfs_sec_gps:s0
-genfscon sysfs /devices/soc0/revision u:object_r:sysfs_sec_gps:s0
-genfscon sysfs /devices/virtual/block/zram0/mm_stat u:object_r:sysfs_zram:s0
-genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_ss_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/battery u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/battery/batt_capacity_max u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/battery/status u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/battery/type u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/ac/type u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/wireless/type u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/ps/type u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/battery/power_supply/ps/status u:object_r:sysfs_battery_writable:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-10/10-003d/s2mu004-charger/power_supply/s2mu004-charger u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-10/10-003d/s2mu004-charger/power_supply/otg u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13830000.i2c/i2c-9/9-003b/power_supply/s2mu004-fuelgauge u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-10/10-003d/s2mu004-muic/power_supply/muic-manager u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13830000.i2c/i2c-8/8-003b/power_supply/s2mu106-fuelgauge u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13830000.i2c/i2c-8/8-003c/power_supply/s2mu106-usbpd u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-powermeter/power_supply/s2mu106_pmeter u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-muic/power_supply/muic-manager u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-charger/power_supply/otg u:object_r:sysfs_charger:s0
-genfscon sysfs /devices/platform/13840000.i2c/i2c-9/9-003d/s2mu106-charger/power_supply/s2mu106-charger u:object_r:sysfs_charger:s0
-
-genfscon sysfs /module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0
-genfscon sysfs /module/scsc_bt/parameters/bluetooth_address u:object_r:sysfs_bt_writable:s0
+genfscon sysfs /devices/virtual/input/input9/enable u:object_r:sysfs_input_writable:s0
+genfscon sysfs /devices/virtual/misc/multipdp u:object_r:sysfs_multipdp:s0
+genfscon sysfs /devices/virtual/sensors/sensor_dev/flush u:object_r:sysfs_sensor_writable:s0
genfscon sysfs /firmware/devicetree/base/model_info-system_rev u:object_r:sysfs_info:s0
-genfscon sysfs /kernel/gpu/ u:object_r:sysfs_gpu:s0
genfscon sysfs /kernel/gpu/gpu_max_clock u:object_r:sysfs_gpu_writable:s0
genfscon sysfs /kernel/gpu/gpu_min_clock u:object_r:sysfs_gpu_writable:s0
+genfscon sysfs /kernel/gpu/ u:object_r:sysfs_gpu:s0
+genfscon sysfs /module/modem_ctrl_ss310ap/parameters/ds_detect u:object_r:sysfs_modem:s0
+genfscon sysfs /module/scsc_bt/parameters/bluetooth_address u:object_r:sysfs_bt_writable:s0
diff --git a/sepolicy/vendor/gpsd.te b/sepolicy/vendor/gpsd.te
index 44cbae4..cbf03eb 100644
--- a/sepolicy/vendor/gpsd.te
+++ b/sepolicy/vendor/gpsd.te
@@ -1,16 +1,10 @@
-r_dir_file(gpsd, sysfs_sec_gps)
-
get_prop(gpsd, bootanim_system_prop)
+binder_call(gpsd, servicemanager)
-allow gpsd sysfs_gps_writable:file rw_file_perms;
-allow gpsd sysfs_wake_lock:file rw_file_perms;
-
+allow gpsd hal_system_suspend_service:service_manager find;
+allow gpsd gps_device:chr_file { ioctl open read write };
allow gpsd self:capability net_raw;
-allow gpsd self:capability2 block_suspend;
-
-allow gpsd bt_device:chr_file rw_file_perms;
-allow gpsd gps_device:chr_file rw_file_perms;
-
-allow gpsd gpsd_exec:file execute_no_trans;
+allow gpsd sysfs_sec_gps:file { getattr open read };
+allow gpsd sysfs_wake_lock:file { open write };
dontaudit gpsd system_data_file:dir search;
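Review bot: `allow gpsd sysfs_wake_lock:file { open write };` is kept while `allow gpsd self:capability2 block_suspend;` is removed, yet the kernel requires CAP_BLOCK_SUSPEND for writes to /sys/power/wake_lock, so unless an included policy directory still grants the capability that write will be denied. Either drop the sysfs rule and rely on the suspend service that the new `hal_system_suspend_service` lookup targets, or use `wakelock_use(gpsd)`, which grants the sysfs access, the capability and the suspend-service access together. For the servicemanager side, `binder_use(gpsd)` is the usual macro rather than a bare `binder_call(gpsd, servicemanager)`, because it also covers the lookups servicemanager performs on its caller. `allow gpsd self:capability net_raw;` is carried over without a comment; a short note on why gpsd needs raw sockets would help the next audit.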
diff --git a/sepolicy/vendor/gpuservice.te b/sepolicy/vendor/gpuservice.te
deleted file mode 100644
index be795e9..0000000
--- a/sepolicy/vendor/gpuservice.te
+++ /dev/null
@@ -1 +0,0 @@
-get_prop(gpuservice, graphics_config_prop)
diff --git a/sepolicy/vendor/hal_audio_default.te b/sepolicy/vendor/hal_audio_default.te
index 9eb9415..cad1384 100644
--- a/sepolicy/vendor/hal_audio_default.te
+++ b/sepolicy/vendor/hal_audio_default.te
@@ -1,14 +1,8 @@
-allow hal_audio_default property_socket:sock_file write;
-allow hal_audio_default rild:unix_stream_socket connectto;
-allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
-
-# /efs/maxim/rdc_cal
-allow hal_audio_default efs_file:file r_file_perms;
-allow hal_audio_default efs_file:dir search;
-
-allow hal_audio_default imei_efs_file:dir search;
-allow hal_audio_default imei_efs_file:file r_file_perms;
-
get_prop(hal_audio_default, vendor_radio_prop)
-allow hal_audio_default init:unix_stream_socket connectto;
+allow hal_audio_default efs_file:dir search;
+allow hal_audio_default imei_efs_file:dir search;
+allow hal_audio_default imei_efs_file:file { getattr open read };
+allow hal_audio_default mnt_vendor_file:dir search;
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
+allow hal_audio_default rild:unix_stream_socket connectto;
diff --git a/sepolicy/vendor/hal_bluetooth_default.te b/sepolicy/vendor/hal_bluetooth_default.te
deleted file mode 100644
index 30c2bb7..0000000
--- a/sepolicy/vendor/hal_bluetooth_default.te
+++ /dev/null
@@ -1 +0,0 @@
-allow hal_bluetooth_default vendor_firmware_file:dir r_dir_perms;
diff --git a/sepolicy/vendor/hal_camera_default.te b/sepolicy/vendor/hal_camera_default.te
index dbab662..bb5d7d2 100644
--- a/sepolicy/vendor/hal_camera_default.te
+++ b/sepolicy/vendor/hal_camera_default.te
@@ -1,16 +1,9 @@
-vndbinder_use(hal_camera_default)
+get_prop(hal_camera_default, exported_camera_prop);
-allow hal_camera_default vndbinder_device:chr_file r_file_perms;
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_camera_default hal_graphics_composer_default:fd use;
-allow hal_camera_default sysfs_virtual:dir search;
-allow hal_camera_default sysfs_virtual:file rw_file_perms;
+allow hal_camera_default system_server:binder call;
allow hal_camera_default sysfs_camera:dir search;
allow hal_camera_default sysfs_camera:file rw_file_perms;
-get_prop(hal_camera_default, exported_camera_prop)
-
-binder_call(hal_camera_default, system_server)
-binder_call(system_server, hal_camera_default)
-
-dontaudit hal_camera_default default_prop:file read;
+dontaudit hal_camera_default default_prop:file r_file_perms;
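Review bot: `get_prop(hal_camera_default, exported_camera_prop);` ends with a semicolon although the macro already expands to terminated rules, and other macro calls in this commit (`get_prop(gpsd, bootanim_system_prop)`, `vndbinder_use(hal_graphics_composer_default)`) are written without one; the same applies to the two `r_dir_file(...);` lines added in hal_memtrack_default.te. Write these as `get_prop(hal_camera_default, exported_camera_prop)` for consistency. Separately, the `dontaudit` on `default_prop` is widened from `read` to `r_file_perms`, which hides more denials than before; a comment naming the property being probed, like the one in the new audioserver.te, would document why suppressing it is safe.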
diff --git a/sepolicy/vendor/hal_drm_clearkey.te b/sepolicy/vendor/hal_drm_clearkey.te
deleted file mode 100644
index 3a93ffa..0000000
--- a/sepolicy/vendor/hal_drm_clearkey.te
+++ /dev/null
@@ -1,6 +0,0 @@
-vndbinder_use(hal_drm_clearkey)
-
-allow hal_drm_clearkey { appdomain -isolated_app }:fd use;
-
-allow hal_drm_clearkey mediadrm_data_file:dir create_dir_perms;
-allow hal_drm_clearkey mediadrm_data_file:file create_file_perms;
diff --git a/sepolicy/vendor/hal_drm_widevine.te b/sepolicy/vendor/hal_drm_widevine.te
index 9fafbd0..b6631b6 100644
--- a/sepolicy/vendor/hal_drm_widevine.te
+++ b/sepolicy/vendor/hal_drm_widevine.te
@@ -1,20 +1,9 @@
-vndbinder_use(hal_drm_widevine)
-
allow hal_drm_widevine mediacodec:fd use;
-allow hal_drm_widevine { appdomain -isolated_app }:fd use;
-
-allow hal_drm_widevine hal_allocator_server:fd use;
-
+allow hal_drm_widevine drm_device:chr_file { ioctl read write open };
+allow hal_drm_widevine efs_file:dir search;
+allow hal_drm_widevine efs_file:file { getattr open read };
allow hal_drm_widevine mediadrm_data_file:dir create_dir_perms;
allow hal_drm_widevine mediadrm_data_file:file create_file_perms;
-allow hal_drm_widevine vendor_data_file:dir create_dir_perms;
-allow hal_drm_widevine vendor_data_file:file create_file_perms;
-
allow hal_drm_widevine mnt_vendor_file:dir search;
-allow hal_drm_widevine cpk_efs_file:file r_file_perms;
-r_dir_file(hal_drm_widevine, efs_file)
-
-allow hal_drm_widevine drm_device:chr_file rw_file_perms;
-
dontaudit hal_drm_widevine media_data_file:dir search;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index ea481ff..7244948 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
@@ -1,8 +1,5 @@
typeattribute hal_fingerprint_default data_between_core_and_vendor_violators;
allow hal_fingerprint_default fingerprintd_data_file:dir write;
-allow hal_fingerprint_default sysfs_virtual:dir search;
-allow hal_fingerprint_default sysfs_virtual:file r_file_perms;
-
-allow hal_fingerprint_default goodix_device:chr_file rw_file_perms;
-allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_default goodix_device:chr_file { ioctl open write };
+allow hal_fingerprint_default uhid_device:chr_file { ioctl open write };
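Review bot: The `uhid_device` rule has no comment explaining why a fingerprint HAL needs it, and write access to that node lets the domain register virtual HID input devices, so the reason should be recorded next to the rule, for example `# uhid: Goodix HAL creates a virtual input device for <purpose> - confirm`. Both new rules also grant `ioctl` without restriction; if the set of commands the HAL issues is known, an `allowxperm` rule on `goodix_device` and `uhid_device` would limit it to those. The retained `data_between_core_and_vendor_violators` attribute and the write to `fingerprintd_data_file` are unchanged by this commit but are the part of this file most worth a follow-up.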
diff --git a/sepolicy/vendor/hal_gatekeeper_default.te b/sepolicy/vendor/hal_gatekeeper_default.te
index 6f38a82..4b6ed04 100644
--- a/sepolicy/vendor/hal_gatekeeper_default.te
+++ b/sepolicy/vendor/hal_gatekeeper_default.te
@@ -1,3 +1,3 @@
-allow hal_gatekeeper_default efs_file:dir rw_dir_perms;
-allow hal_gatekeeper_default efs_file:file create_file_perms;
+allow hal_gatekeeper_default efs_file:dir search;
+allow hal_gatekeeper_default efs_file:file { read open write };
allow hal_gatekeeper_default mnt_vendor_file:dir search;
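Review bot: Gatekeeper still reads and writes files under the generic `efs_file` label, and the same commit grants `hal_drm_widevine` `{ getattr open read }` on `efs_file:file`, so whatever gatekeeper stores there is readable by the DRM HAL domain as far as type enforcement is concerned. A dedicated type for the gatekeeper files, labelled in file_contexts, would keep that state private to `hal_gatekeeper_default`. The narrowing from `create_file_perms` to `{ read open write }` also means the file must already exist with the right label; if gatekeeper creates it on first enrolment, that path will now be denied, so confirm it on a freshly wiped device.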
diff --git a/sepolicy/vendor/hal_gnss_default.te b/sepolicy/vendor/hal_gnss_default.te
index 573b370..6c23b41 100644
--- a/sepolicy/vendor/hal_gnss_default.te
+++ b/sepolicy/vendor/hal_gnss_default.te
@@ -1,19 +1,2 @@
-# cgroups tasks
-allow hal_gnss_default cgroup:file getattr;
-
-# /data/vendor/gps
-allow hal_gnss_default gps_vendor_data_file:dir rw_dir_perms;
-allow hal_gnss_default gps_vendor_data_file:file create_file_perms;
-allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;
-
-# /mnt/vendor
-allow hal_gnss_default mnt_vendor_file:dir search;
-
-# vndbinder
-allow hal_gnss_default vndbinder_device:chr_file rw_file_perms;
-
-# Connect to socket
-allow hal_gnss_default gpsd:unix_stream_socket connectto;
-
-add_hwservice(hal_gnss_default, hal_gnss_hwservice)
allow hal_gnss_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_gnss_default gpsd:unix_stream_socket connectto;
diff --git a/sepolicy/vendor/hal_graphics_allocator_default.te b/sepolicy/vendor/hal_graphics_allocator_default.te
deleted file mode 100644
index 8baf757..0000000
--- a/sepolicy/vendor/hal_graphics_allocator_default.te
+++ /dev/null
@@ -1,7 +0,0 @@
-allow hal_graphics_allocator_default cgroup:file rw_file_perms;
-
-vndbinder_use(hal_graphics_allocator_default)
-
-# /sys/kernel/debug/dma_buf/footprint/[0-9]+
-allow hal_graphics_allocator_default debugfs_ion_dma:dir r_dir_perms;
-allow hal_graphics_allocator_default debugfs_ion_dma:file r_file_perms;
diff --git a/sepolicy/vendor/hal_graphics_composer_default.te b/sepolicy/vendor/hal_graphics_composer_default.te
index 6a84d2b..55d3344 100644
--- a/sepolicy/vendor/hal_graphics_composer_default.te
+++ b/sepolicy/vendor/hal_graphics_composer_default.te
@@ -1,40 +1,11 @@
hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
-
vndbinder_use(hal_graphics_composer_default)
-
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };
-
-# cgroup tasks
-allow hal_graphics_composer_default cgroup:file getattr;
-
-# /data/vendor/log/hwc
-allow hal_graphics_composer_default log_vendor_data_file:dir rw_dir_perms;
-allow hal_graphics_composer_default log_vendor_data_file:file create_file_perms;
-
-# /dev/g2d
-allow hal_graphics_composer_default graphics_device:chr_file rw_file_perms;
-
-# /dev/video50
-allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
-
-# /sys/devices/soc0/revision
-allow hal_graphics_composer_default sysfs_socinfo:dir r_dir_perms;
-allow hal_graphics_composer_default sysfs_socinfo:file r_file_perms;
-
-
-# /sys/kernel/debug/dma_buf/footprint/[0-9]+
-allow hal_graphics_composer_default debugfs_ion_dma:dir r_dir_perms;
-allow hal_graphics_composer_default debugfs_ion_dma:file r_file_perms;
-
-allow hal_graphics_composer_default sysfs_decon:dir r_dir_perms;
-allow hal_graphics_composer_default sysfs_decon:file r_file_perms;
-
-allow hal_graphics_composer_default sysfs_ss_writable:dir r_dir_perms;
-allow hal_graphics_composer_default sysfs_ss_writable:file r_file_perms;
-
get_prop(hal_graphics_composer_default, vendor_hwc_prop)
-# /dev/ion/
-allow hal_graphics_composer_default ion_device:chr_file rw_file_perms;
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket { bind create read setopt };
+allow hal_graphics_composer_default vendor_surfaceflinger_vndservice:service_manager { add find };
+allow hal_graphics_composer_default log_vendor_data_file:dir search;
+allow hal_graphics_composer_default sysfs_decon:dir search;
+allow hal_graphics_composer_default sysfs_decon:file { getattr open read };
+allow hal_graphics_composer_default sysfs_ss_writable:file { open read };
+allow hal_graphics_composer_default video_device:chr_file { ioctl open read write };
diff --git a/sepolicy/vendor/hal_health_default.te b/sepolicy/vendor/hal_health_default.te
index 65859ee..a861004 100644
--- a/sepolicy/vendor/hal_health_default.te
+++ b/sepolicy/vendor/hal_health_default.te
@@ -1,7 +1,6 @@
-r_dir_file(hal_health_default, sysfs_charger)
-
-allow hal_health_default sysfs_charger:file rw_file_perms;
-allow hal_health_default sysfs_battery:dir r_dir_perms;
-allow hal_health_default sysfs_battery:file r_file_perms;
allow hal_health_default sysfs_battery_writable:dir search;
-allow hal_health_default sysfs_battery_writable:file r_file_perms;
+allow hal_health_default sysfs_battery_writable:file { getattr open read };
+allow hal_health_default sysfs_battery:dir { open read search };
+allow hal_health_default sysfs_battery:file { getattr open read };
+allow hal_health_default sysfs_charger:dir search;
+allow hal_health_default sysfs_charger:file { getattr open read };
diff --git a/sepolicy/vendor/hal_light_default.te b/sepolicy/vendor/hal_light_default.te
index d9dfb63..bd7adb5 100644
--- a/sepolicy/vendor/hal_light_default.te
+++ b/sepolicy/vendor/hal_light_default.te
@@ -1,4 +1,2 @@
allow hal_light_default sysfs_graphics:dir search;
-allow hal_light_default sysfs_graphics:file rw_file_perms;
-allow hal_light_default sysfs_virtual:dir search;
-allow hal_light_default sysfs_virtual:file rw_file_perms;
+allow hal_light_default sysfs_graphics:file { getattr open read write };
diff --git a/sepolicy/vendor/hal_memtrack_default.te b/sepolicy/vendor/hal_memtrack_default.te
index c7f51e9..67b2c61 100644
--- a/sepolicy/vendor/hal_memtrack_default.te
+++ b/sepolicy/vendor/hal_memtrack_default.te
@@ -1,5 +1,4 @@
-r_dir_file(hal_memtrack_default, debugfs_mali)
-r_dir_file(hal_memtrack_default, debugfs_mali_mem)
-r_dir_file(hal_memtrack_default, debugfs_ion)
-r_dir_file(hal_memtrack_default, debugfs_ion_dma)
-r_dir_file(hal_memtrack_default, sysfs_gpu)
+r_dir_file(hal_memtrack_default, debugfs_ion);
+r_dir_file(hal_memtrack_default, debugfs_mali_mem);
+
+allow hal_memtrack_default sysfs_gpu:file { getattr open read };
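Review bot: The new `sysfs_gpu` rule grants file access only, while the `r_dir_file(hal_memtrack_default, sysfs_gpu)` it replaces also covered the directory class. If the files sit under a directory that itself carries the `sysfs_gpu` label, lookups will be denied without `allow hal_memtrack_default sysfs_gpu:dir search;`; the labelling is not visible here, so this needs checking on a device. Separately, the two retained macro calls gain a trailing `;` in this hunk, while the vendor_init.te hunk of the same commit strips it from `set_prop`/`get_prop`. Writing `r_dir_file(hal_memtrack_default, debugfs_ion)` without the semicolon keeps the tree consistent.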
diff --git a/sepolicy/vendor/hal_power_default.te b/sepolicy/vendor/hal_power_default.te
index 0c9bf81..c170333 100644
--- a/sepolicy/vendor/hal_power_default.te
+++ b/sepolicy/vendor/hal_power_default.te
@@ -1,7 +1,2 @@
-allow hal_power_default sysfs_graphics:dir search;
-allow hal_power_default sysfs_graphics:file r_file_perms;
-allow hal_power_default sysfs_input:file r_file_perms;
-allow hal_power_default sysfs_virtual:dir r_dir_perms;
-allow hal_power_default sysfs_virtual:file r_file_perms;
-allow hal_power_default sysfs_touchscreen_writable:dir r_dir_perms;
allow hal_power_default sysfs_decon:dir search;
+allow hal_power_default sysfs_touchscreen_writable:dir search;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index 64b1175..58eca51 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -1,17 +1,6 @@
-allow hal_sensors_default sysfs_iio:file r_file_perms;
-allow hal_sensors_default sysfs_iio:lnk_file read;
-allow hal_sensors_default sysfs_virtual:dir r_dir_perms;
-allow hal_sensors_default sysfs_virtual:file rw_file_perms;
-allow hal_sensors_default sysfs_virtual:lnk_file read;
-allow hal_sensors_default baro_delta_factoryapp_efs_file:file r_file_perms;
-allow hal_sensors_default sysfs_input:file read;
-allow hal_sensors_default sysfs_input_writable:file rw_file_perms;
-allow hal_sensors_default sysfs_sensor_writable:file rw_file_perms;
-allow hal_sensors_default sysfs_spi_writeable:file rw_file_perms;
-
-# yas_lib
+allow hal_sensors_default efs_file:file { write open read };
+allow hal_sensors_default mnt_vendor_file:dir search;
+allow hal_sensors_default sysfs_input_writable:file { open read write };
+allow hal_sensors_default sysfs_sensor_writable:file { open write };
allow hal_sensors_default vendor_data_file:file create_file_perms;
allow hal_sensors_default vendor_data_file:dir create_dir_perms;
-
-allow hal_sensors_default mnt_vendor_file:dir search;
-allow hal_sensors_default efs_file:file rw_file_perms;
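Review bot: `allow hal_sensors_default efs_file:file { write open read };` gives the sensors HAL write access to every file that carries the generic `efs_file` label, and the rule that used the narrower `baro_delta_factoryapp_efs_file` type is dropped in the same hunk. If the HAL only touches its own calibration files (an assumption, the paths are not visible here), label those files with a dedicated type and grant the write there, so a compromised HAL cannot modify unrelated EFS content. The hunk also removes the `# yas_lib` comment while keeping the two `vendor_data_file` create rules it explained; keep that comment so the reason for the broad grant stays on record.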
diff --git a/sepolicy/vendor/hal_thermal_default.te b/sepolicy/vendor/hal_thermal_default.te
deleted file mode 100644
index 14f013d..0000000
--- a/sepolicy/vendor/hal_thermal_default.te
+++ /dev/null
@@ -1 +0,0 @@
-r_dir_file(hal_thermal_default, sysfs_virtual)
diff --git a/sepolicy/vendor/hal_vibrator_default.te b/sepolicy/vendor/hal_vibrator_default.te
deleted file mode 100644
index a81495f..0000000
--- a/sepolicy/vendor/hal_vibrator_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_vibrator_default sysfs_virtual:dir search;
-allow hal_vibrator_default sysfs_virtual:file rw_file_perms;
diff --git a/sepolicy/vendor/hal_wifi_default.te b/sepolicy/vendor/hal_wifi_default.te
index 65e48f3..b5f2586 100644
--- a/sepolicy/vendor/hal_wifi_default.te
+++ b/sepolicy/vendor/hal_wifi_default.te
@@ -1,9 +1,9 @@
set_prop(hal_wifi_default, vendor_wlan_prop)
-get_prop(hal_wifi_default, vendor_wifi_prop)
-allow hal_wifi_default conn_vendor_data_file:dir search;
-allow hal_wifi_default conn_vendor_data_file:file rw_file_perms;
-allow hal_wifi_default wifi_vendor_data_file:dir search;
-allow hal_wifi_default mnt_vendor_file:dir search;
+allow hal_wifi_default conn_vendor_data_file:dir { add_name search write };
+allow hal_wifi_default conn_vendor_data_file:file { create open write };
allow hal_wifi_default efs_file:dir search;
-r_dir_file(hal_wifi_default, wifi_efs_file);
+allow hal_wifi_default mnt_vendor_file:dir search;
+allow hal_wifi_default wifi_efs_file:dir search;
+allow hal_wifi_default wifi_efs_file:file { getattr open read };
+allow hal_wifi_default wifi_vendor_data_file:dir search;
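Review bot: The `conn_vendor_data_file` rules now let the Wi-Fi HAL create files (`dir { add_name search write }`, `file { create open write }`), which the old `dir search` plus `rw_file_perms` did not, and nothing says which file is created. Add a comment above the pair naming the path, for example `# <path of the file the HAL creates under the conn data dir>`, so the grant can be checked against the actual need. The hunk also drops `get_prop(hal_wifi_default, vendor_wifi_prop)`; if the HAL still reads that property, the read fails in enforcing mode, so it is worth confirming that a shared policy directory covers it.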
diff --git a/sepolicy/vendor/hal_wifi_hostapd_default.te b/sepolicy/vendor/hal_wifi_hostapd_default.te
deleted file mode 100644
index 137b9e8..0000000
--- a/sepolicy/vendor/hal_wifi_hostapd_default.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow hal_wifi_hostapd_default sysfs_virtual:dir search;
-allow hal_wifi_hostapd_default sysfs_virtual:lnk_file r_file_perms;
-allow hal_wifi_hostapd_default conn_vendor_data_file:dir search;
diff --git a/sepolicy/vendor/hal_wifi_supplicant_default.te b/sepolicy/vendor/hal_wifi_supplicant_default.te
deleted file mode 100644
index d97a9b7..0000000
--- a/sepolicy/vendor/hal_wifi_supplicant_default.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow hal_wifi_supplicant_default conn_vendor_data_file:dir rw_dir_perms;
-allow hal_wifi_supplicant_default conn_vendor_data_file:file rw_file_perms;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index fbd0b42..f2afd96 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -1,48 +1,3 @@
-allow init rild:unix_stream_socket connectto;
-allow init self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow init socket_device:sock_file create_file_perms;
-allow init sysfs_devices_system_cpu:file write;
-allow init vendor_data_file:fifo_file write;
-allow init vendor_data_file:file append;
-allow init dnsproxyd_socket:sock_file write;
-allow init fwk_sensor_hwservice:hwservice_manager find;
-allow init hwservicemanager:binder call;
-allow init netd:unix_stream_socket connectto;
-allow init fwmarkd_socket:sock_file write;
-allow init nfc:binder call;
-allow init nfc_device:chr_file ioctl;
allow init efs_file:dir mounton;
-allow init efs_block_device:lnk_file relabelto;
-allow init tmpfs:lnk_file create;
-
-allow init sysfs_virtual:file create_file_perms;
-allow init sysfs_virtual:lnk_file { read };
-allow init sysfs:file setattr;
-allow init sysfs_multipdp:file setattr;
-allow init sysfs_camera:file setattr;
-allow init sysfs_charger:file setattr;
-allow init sysfs_input:file setattr;
-allow init sysfs_modem:file w_file_perms;
-allow init sysfs_battery_writable:file setattr;
-allow init sysfs_power_writable:file setattr;
-allow init sysfs_graphics:file create_file_perms;
-
-allow init system_server:binder { transfer call };
-allow init device:chr_file ioctl;
-allow init self:tcp_socket create_socket_perms;
-allow init node:tcp_socket node_bind;
-allow init port:tcp_socket { name_bind name_connect };
-allow init gps_vendor_data_file:fifo_file write;
-allow init gps_vendor_data_file:file lock;
-allow init socket_device:sock_file create_file_perms;
-allow init kernel:system module_request;
-
-allow init proc:file setattr;
-allow init proc_swapiness:file write;
-allow init proc_extra:file setattr;
-allow init proc_reset_reason:file setattr;
-allow init proc_swapiness:file open;
-allow init self:netlink_generic_socket { bind create getattr read setopt write };
-allow init mnt_vendor_file:dir mounton;
-
-unix_socket_connect(init, property, rild)
+allow init socket_device:sock_file { create setattr unlink };
+allow init sysfs_block_writable:file { open write };
diff --git a/sepolicy/vendor/kernel.te b/sepolicy/vendor/kernel.te
index 972106d..70a8aa8 100644
--- a/sepolicy/vendor/kernel.te
+++ b/sepolicy/vendor/kernel.te
@@ -1,14 +1,5 @@
-allow kernel app_efs_file:dir search;
-allow kernel app_efs_file:file open;
-allow kernel sensor_factoryapp_efs_file:file open;
-allow kernel efs_file:dir search;
-
+allow kernel block_device:dir search;
allow kernel device:chr_file { getattr setattr unlink create };
allow kernel device:dir create_dir_perms;
-allow kernel self:capability { sys_rawio mknod };
-
-allow kernel block_device:dir search;
-dontaudit kernel device:blk_file create;
-
+allow kernel self:capability { mknod sys_rawio };
allow kernel sysfs_sec_key:dir search;
-r_dir_file(kernel, sysfs_virtual)
diff --git a/sepolicy/vendor/mediacodec.te b/sepolicy/vendor/mediacodec.te
index 9bd5632..31a9231 100644
--- a/sepolicy/vendor/mediacodec.te
+++ b/sepolicy/vendor/mediacodec.te
@@ -1,6 +1,3 @@
-# /sys/class/video4linux/video6/name
-allow mediacodec sysfs_v4l:dir r_dir_perms;
allow mediacodec sysfs_v4l_mfc:dir search;
-allow mediacodec sysfs_v4l_mfc:file r_file_perms;
-
-hal_client_domain(mediacodec, hal_power)
+allow mediacodec sysfs_v4l_mfc:file { getattr open read };
+allow mediacodec sysfs_v4l:dir search;
diff --git a/sepolicy/vendor/netd.te b/sepolicy/vendor/netd.te
deleted file mode 100644
index 1e3fdb6..0000000
--- a/sepolicy/vendor/netd.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow netd self:capability sys_module;
-allow netd init:tcp_socket rw_socket_perms_no_ioctl;
-
-allow netd sysfs_virtual:dir search;
-allow netd sysfs_virtual:file w_file_perms;
diff --git a/sepolicy/vendor/platform_app.te b/sepolicy/vendor/platform_app.te
deleted file mode 100644
index 69e0abd..0000000
--- a/sepolicy/vendor/platform_app.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# /dev/mali0
-allow platform_app gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
deleted file mode 100644
index 85dbf18..0000000
--- a/sepolicy/vendor/priv_app.te
+++ /dev/null
@@ -1,8 +0,0 @@
-# /dev/mali0
-allow priv_app gpu_device:chr_file rw_file_perms;
-
-allow priv_app debugfs_ion:dir search;
-allow priv_app debugfs_mali:dir search;
-allow priv_app debugfs_mali_mem:dir search;
-
-allow priv_app sysfs_zram:file r_file_perms;
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
deleted file mode 100644
index 8984885..0000000
--- a/sepolicy/vendor/radio.te
+++ /dev/null
@@ -1 +0,0 @@
-binder_call(radio, gpuservice)
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index c2f9307..8c78f29 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -1,30 +1,5 @@
-allow rild proc_net:file write;
-allow rild vendor_data_file:file create_file_perms;
-
-# /dev/umts_ipc0
-allow rild radio_device:chr_file ioctl;
-
-allow rild bin_nv_data_efs_file:file create_file_perms;
-
-allow rild radio_vendor_data_file:file create_file_perms;
-allow rild radio_vendor_data_file:dir rw_dir_perms;
-
-allow rild proc_qtaguid_stat:file read;
-
-allow rild factoryprop_efs_file:file rw_file_perms;
-
-allow rild init:file getattr;
-
-# binder
-allow rild hal_radio_default:binder call;
-
-# audio
-allow rild hal_audio_default:dir search;
-allow rild hal_audio_default:file r_file_perms;
-
-# hwservice
add_hwservice(rild, hal_sec_radio_hwservice)
add_hwservice(rild, hal_sec_radio_bridge_hwservice)
add_hwservice(rild, hal_sec_radio_channel_hwservice)
-dontaudit rild default_prop:file read;
+dontaudit rild default_prop:file r_file_perms;
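Review bot: `dontaudit rild default_prop:file r_file_perms;` widens the suppressed set from `read` to the whole read macro, so every denied attempt by rild to open or stat a property that still has the `default_prop` label disappears from the audit log. A `default_prop` access usually means the property has no entry in property_contexts; labelling that property and granting `get_prop` on it is the cleaner fix, and it keeps the denial visible for anything unexpected. If the suppression stays, put a comment above it naming the property that triggers it.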
diff --git a/sepolicy/vendor/secril_config_svc.te b/sepolicy/vendor/secril_config_svc.te
index 5b0fcd0..04296e3 100644
--- a/sepolicy/vendor/secril_config_svc.te
+++ b/sepolicy/vendor/secril_config_svc.te
@@ -1,2 +1 @@
-dontaudit secril_config_svc radio_control_prop:property_service set;
-dontaudit secril_config_svc default_prop:property_service set;
+dontaudit secril_config_svc property_type:property_service set;
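Review bot: `dontaudit secril_config_svc property_type:property_service set;` silences every denied property write from this domain, because `property_type` is the attribute that covers all property types; the two rules it replaces suppressed only `radio_control_prop` and `default_prop`. The denials are still enforced, but a service that starts trying to set unrelated properties would leave no trace in the audit log, which removes a useful detection signal. Keep the suppression scoped, `dontaudit secril_config_svc { radio_control_prop default_prop }:property_service set;`, and add further types only as specific noisy denials show up.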
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
deleted file mode 100644
index 19a6b58..0000000
--- a/sepolicy/vendor/surfaceflinger.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# /dev/mali0
-allow surfaceflinger gpu_device:chr_file rw_file_perms;
-
-# libion_exynos
-allow surfaceflinger same_process_hal_file:file rx_file_perms;
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
deleted file mode 100644
index 373b1cc..0000000
--- a/sepolicy/vendor/system_app.te
+++ /dev/null
@@ -1,5 +0,0 @@
-# /dev/mali0
-allow system_app gpu_device:chr_file rw_file_perms;
-
-allow system_app proc_pagetypeinfo:file r_file_perms;
-allow system_app sysfs_virtual:dir search;
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
deleted file mode 100644
index 932cc81..0000000
--- a/sepolicy/vendor/system_server.te
+++ /dev/null
@@ -1,21 +0,0 @@
-# /dev/mali0
-allow system_server gpu_device:chr_file rw_file_perms;
-
-# memtrack HAL
-allow system_server debugfs_mali:dir r_dir_perms;
-allow system_server debugfs_mali:file r_file_perms;
-allow system_server debugfs_ion:file r_file_perms;
-allow system_server debugfs_mali_mem:file r_file_perms;
-
-allow system_server frp_block_device:blk_file rw_file_perms;
-
-allow system_server sysfs_rtc:file r_file_perms;
-
-r_dir_file(system_server, sysfs_virtual)
-
-get_prop(system_server, exported_camera_prop)
-get_prop(system_server, userspace_reboot_config_prop)
-get_prop(system_server, userspace_reboot_exported_prop)
-get_prop(system_server, vendor_security_patch_level_prop)
-
-# allow system_server unlabeled:file { write setattr };
diff --git a/sepolicy/vendor/tee.te b/sepolicy/vendor/tee.te
index 163ebd1..4a71674 100644
--- a/sepolicy/vendor/tee.te
+++ b/sepolicy/vendor/tee.te
@@ -1,7 +1,5 @@
-allow tee efs_file:dir r_dir_perms;
-allow tee efs_file:file rw_file_perms;
+allow tee efs_file:dir { open read };
allow tee mnt_vendor_file:dir search;
dontaudit tee system_prop:property_service set;
dontaudit tee shell_data_file:dir search;
-dontaudit tee unlabeled:dir search;
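Review bot: `allow tee efs_file:dir { open read };` lets tee list the directory but leaves out `search`, which the removed `r_dir_perms` included and which is needed to resolve any name below it; the set looks like it was copied from logged denials. The same pattern is in the vold.te hunk (`allow vold efs_file:dir { ioctl open read };`). If either domain reaches files under /efs, use `allow tee efs_file:dir { open read search };` (and likewise for vold), unless another policy directory already grants it. The `efs_file:file rw_file_perms` rule is removed with no replacement in this hunk, so it is also worth confirming that tee no longer opens files with that label.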
diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te
deleted file mode 100644
index 9da247e..0000000
--- a/sepolicy/vendor/toolbox.te
+++ /dev/null
@@ -1 +0,0 @@
-allow toolbox ram_device:blk_file rw_file_perms;
diff --git a/sepolicy/vendor/ueventd.te b/sepolicy/vendor/ueventd.te
index ae98f62..275d227 100644
--- a/sepolicy/vendor/ueventd.te
+++ b/sepolicy/vendor/ueventd.te
@@ -1 +1,2 @@
-allow ueventd self:capability sys_nice;
+allow ueventd gsi_metadata_file:dir search;
+allow ueventd metadata_file:dir search;
diff --git a/sepolicy/vendor/vendor_init.te b/sepolicy/vendor/vendor_init.te
index 589e31f..1814be3 100644
--- a/sepolicy/vendor/vendor_init.te
+++ b/sepolicy/vendor/vendor_init.te
@@ -1,15 +1,12 @@
typeattribute vendor_init data_between_core_and_vendor_violators;
-set_prop(vendor_init, tee_prop);
-get_prop(vendor_init, vendor_radio_prop);
+set_prop(vendor_init, tee_prop)
+get_prop(vendor_init, vendor_radio_prop)
-allow vendor_init proc_swapiness:file rw_file_perms;
-allow vendor_init cgroup:file getattr;
+allow vendor_init proc_swapiness:file write;
+allow vendor_init system_data_file:dir { ioctl open read add_name };
allow vendor_init tmpfs:dir { add_name write };
-allow vendor_init wifi_data_file:dir { getattr setattr };
+allow vendor_init wifi_data_file:dir { getattr search setattr };
allow vendor_init wpa_socket:dir getattr;
-allow vendor_init wifi_data_file:dir search;
-# mkdir /data/hostapd
-allow vendor_init system_data_file:dir create_dir_perms;
-# mkdir /data/camera/*
allow vendor_init camera_data_file:dir create_dir_perms;
+allow vendor_init hostapd_data_file:dir create_dir_perms;
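Review bot: `allow vendor_init system_data_file:dir { ioctl open read add_name };` grants `add_name` without `write`, and adding an entry to a directory needs both, so the rule is either incomplete or relies on another rule that is not visible here. It replaces a line that carried the comment `# mkdir /data/hostapd`, and the new `hostapd_data_file` rule has no comment either; restore the path comments (`# mkdir /data/hostapd`, `# mkdir /data/camera/*`) above the rules they justify. Since vendor_init is marked `data_between_core_and_vendor_violators` in this file, each rule on `system_data_file` should state why it is needed.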
diff --git a/sepolicy/vendor/vold.te b/sepolicy/vendor/vold.te
index 91c1afc..7e3bc9b 100644
--- a/sepolicy/vendor/vold.te
+++ b/sepolicy/vendor/vold.te
@@ -1,4 +1 @@
-# /efs
-allow vold efs_file:dir r_dir_perms;
-
-allow vold sysfs_virtual:file write;
+allow vold efs_file:dir { ioctl open read };
diff --git a/sepolicy/vendor/zygote.te b/sepolicy/vendor/zygote.te
deleted file mode 100644
index e852beb..0000000
--- a/sepolicy/vendor/zygote.te
+++ /dev/null
@@ -1,3 +0,0 @@
-get_prop(zygote, exported_camera_prop)
-
-allow zygote proc_cmdline:file r_file_perms;