Sanders : Android Q move to dirty sepolicy[TEMP]

Signed-off-by: ronaxdevil <pratabidya.007@gmail.com>

BoardConfig.mk

@@ -243,7 +243,7 @@ TARGET_PROVIDES_QTI_TELEPHONY_JAR := true
 
 # SELinux
 #include device/qcom/sepolicy/sepolicy.mk
-#BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
+BOARD_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
 
 #Soong
 PRODUCT_SOONG_NAMESPACES += $(LOCAL_PATH)

sepolicy/vendor/cameraserver.te

@@ -33,7 +33,7 @@ allow cameraserver debug_prop:property_service set;
 #allow cameraserver persist_file:file setattr;
 allow cameraserver shell_exec:file { read open execute };
 allow cameraserver self:socket create;
-allow cameraserver camera_prop:property_service set;
+#allow cameraserver camera_prop:property_service set;
 allow cameraserver init:unix_stream_socket connectto;
 allow cameraserver property_socket:sock_file write;
 #allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
@@ -45,9 +45,9 @@ allow cameraserver debugfs:dir { read open };
 allow cameraserver nfc_data_file:file { open write };
 allow cameraserver socket_device:sock_file write;
 
-allow cameraserver hal_perf_default:binder call;
+#allow cameraserver hal_perf_default:binder call;
 
-allow cameraserver sysfs_battery_supply:dir search;
+#allow cameraserver sysfs_battery_supply:dir search;
-allow cameraserver sysfs_battery_supply:file { getattr open read };
+#allow cameraserver sysfs_battery_supply:file { getattr open read };
 
-allow cameraserver camera_bgproc_service:service_manager { add find };
+allow cameraserver camera_bgproc_service:service_manager { add find };

sepolicy/vendor/cnd.te

@@ -1,2 +1,2 @@
-allow cnd diag_device:chr_file { read write };
+#allow cnd diag_device:chr_file { read write };
-allow cnd self:capability { net_raw };
+#allow cnd self:capability { net_raw };

sepolicy/vendor/energyawareness.te

@@ -1,2 +1,2 @@
-allow energyawareness sysfs_uio:file r_file_perms;
+#allow energyawareness sysfs_uio:file r_file_perms;
-allow energyawareness sysfs_rmt_storage:file r_file_perms;
+#allow energyawareness sysfs_rmt_storage:file r_file_perms;

sepolicy/vendor/file_contexts

@@ -1,12 +1,12 @@
-/dev/block/platform/soc/7824900.sdhci/mmcblk0p19         u:object_r:modem_efs_partition_device:s0
+#/dev/block/platform/soc/7824900.sdhci/mmcblk0p19         u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/7824900.sdhci/mmcblk0p27         u:object_r:modem_efs_partition_device:s0
+#/dev/block/platform/soc/7824900.sdhci/mmcblk0p27         u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/7824900.sdhci/mmcblk0p28         u:object_r:modem_efs_partition_device:s0
+#/dev/block/platform/soc/7824900.sdhci/mmcblk0p28         u:object_r:modem_efs_partition_device:s0
 
 # FSG
 /fsg                                                     u:object_r:fsg_file:s0
 
 # ADSP
-/sys/kernel/aov(/.*)?                                    u:object_r:sysfs_adsp:s0
+#/sys/kernel/aov(/.*)?                                    u:object_r:sysfs_adsp:s0
 /data/adspd(/.*)?                                        u:object_r:adspd_data_file:s0
 
 # AMPS
@@ -16,7 +16,7 @@
 /vendor/bin/charge_only_mode                             u:object_r:charge_only_exec:s0
 /vendor/bin/init\.mmi\.boot\.sh                          u:object_r:mmi_boot_exec:s0
 /vendor/bin/wlan_carrier_bin\.sh                         u:object_r:init_wifi_exec:s0
-/vendor/bin/init\.qti\.fm\.sh		u:object_r:qti_init_shell_exec:s0
+#/vendor/bin/init\.qti\.fm\.sh		u:object_r:qti_init_shell_exec:s0
 
 # CMActions
 /sys/homebutton(/.*)?                                    u:object_r:sysfs_homebutton:s0
@@ -35,7 +35,7 @@
 /persist/mdm(/.*)?                                       u:object_r:persist_modem_file:s0
 
 /persist/prop(/.*)?                                      u:object_r:persist_omadm_file:s0
-/persist/prov(/.*)?                                      u:object_r:persist_drm_file:s0
+#/persist/prov(/.*)?                                      u:object_r:persist_drm_file:s0
 /persist/omadm(/.*)?                                     u:object_r:persist_omadm_file:s0
 /persist/omadm_database(/.*)?                            u:object_r:persist_omadm_file:s0
 /persist/omadm_cust_database(/.*)?                       u:object_r:persist_omadm_file:s0
@@ -62,9 +62,9 @@
 /sys/module/qpnp_bms(/.*)?                               u:object_r:sysfs_batt:s0
 /sys/module/cnss_pci(/.*)?                               u:object_r:sysfs_cnss:s0
 
-/sys/devices/iio_sysfs_trigger(/.*)?                     u:object_r:sysfs_sensors:s0
+#/sys/devices/iio_sysfs_trigger(/.*)?                     u:object_r:sysfs_sensors:s0
-/sys/devices/virtual/stm401/stm401_ms(/.*)?              u:object_r:sysfs_sensors:s0
+#/sys/devices/virtual/stm401/stm401_ms(/.*)?              u:object_r:sysfs_sensors:s0
-/sys/devices/virtual/stm401/stm401_as(/.*)?              u:object_r:sysfs_sensors:s0
+#/sys/devices/virtual/stm401/stm401_as(/.*)?              u:object_r:sysfs_sensors:s0
 
 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0
 
@@ -94,7 +94,7 @@
 /dev/block/bootdevice/by-name/hw                         u:object_r:hw_block_device:s0
 /dev/block/bootdevice/by-name/metadata                   u:object_r:metadata_block_device:s0
 /dev/block/mmcblk0p35                                    u:object_r:metadata_block_device:s0
-/dev/block/bootdevice/by-name/persist                    u:object_r:persist_block_device:s0
+#/dev/block/bootdevice/by-name/persist                    u:object_r:persist_block_device:s0
 /dev/block/bootdevice/by-name/utagsBackup                u:object_r:utags_block_device:s0
 /dev/block/bootdevice/by-name/utags                      u:object_r:utags_block_device:s0
 
@@ -102,7 +102,7 @@
 /data/misc/netmgr(/.*)?                                  u:object_r:netmgr_data_file:s0
 
 # Sensors
-/dev/mmi_sys_temp                                        u:object_r:thermal_device:s0
+#/dev/mmi_sys_temp                                        u:object_r:thermal_device:s0
 /dev/motosh                                              u:object_r:sensors_device:s0
 /dev/motosh_as                                           u:object_r:sensors_device:s0
 /dev/motosh_ms                                           u:object_r:sensors_device:s0

sepolicy/vendor/fingerprintd.te

@@ -1,5 +1,5 @@
-allow fingerprintd firmware_file:dir search;
+#allow fingerprintd firmware_file:dir search;
-allow fingerprintd firmware_file:file { getattr open read };
+#allow fingerprintd firmware_file:file { getattr open read };
 allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
 allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
 allow fingerprintd fingerprintd_data_file:sock_file { create unlink };

sepolicy/vendor/firmware_file.te

@@ -1,2 +1,2 @@
-allow firmware_file rootfs:filesystem associate;
+#allow firmware_file rootfs:filesystem associate;
 

sepolicy/vendor/hal_drm_default.te

@@ -1,2 +1,2 @@
-allow hal_drm_default firmware_file:lnk_file read;
+#allow hal_drm_default firmware_file:lnk_file read;
-allow hal_drm_default debug_prop:file read;
+#allow hal_drm_default debug_prop:file read;

sepolicy/vendor/hal_fingerprint_default.te

@@ -2,10 +2,10 @@ allow hal_fingerprint_default sysfs_fpc:file rw_file_perms;
 allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms;
 allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-allow hal_fingerprint_default firmware_file:dir search;
+#allow hal_fingerprint_default firmware_file:dir search;
-allow hal_fingerprint_default firmware_file:file r_file_perms;
+#allow hal_fingerprint_default firmware_file:file r_file_perms;
-allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
+#allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
-allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
+#allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
 allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_leds:file r_file_perms;
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;

sepolicy/vendor/hal_gnss_qti.te

@@ -1,6 +1,6 @@
-get_prop(hal_gnss_qti, diag_prop);
+#get_prop(hal_gnss_qti, diag_prop);
-allow hal_gnss_qti debug_prop:file read;
+#allow hal_gnss_qti debug_prop:file read;
-allow hal_gnss_qti property_socket:sock_file write;
+#allow hal_gnss_qti property_socket:sock_file write;
 
 # Most HALs are not allowed to use network sockets. Qcom library
 # libqdi is used across multiple processes which are clients of
@@ -14,4 +14,4 @@ allow hal_gnss_qti property_socket:sock_file write;
 # libqdi and have all its clients use netlink route
 # sockets.
 # Taken from device/google/wahoo
-dontaudit hal_gnss_qti self:udp_socket create;
+#dontaudit hal_gnss_qti self:udp_socket create;

sepolicy/vendor/hal_sensors_default.te

@@ -1,7 +1,7 @@
 binder_call(hal_sensors_default, hwservicemanager)
 # binder_call(hal_sensors_default, servicemanager)
 
-binder_call(hal_sensors_default, mm-qcamerad)
+#binder_call(hal_sensors_default, mm-qcamerad)
 binder_call(hal_sensors_default, system_server)
 
 binder_call(hal_sensors_default, system_app)

sepolicy/vendor/ims.te

@@ -1,4 +1,4 @@
-allow ims debug_prop:property_service set;
+#allow ims debug_prop:property_service set;
-get_prop(ims, debug_prop);
+#get_prop(ims, debug_prop);
-allow ims self:capability net_raw;
+#allow ims self:capability net_raw;
-allow ims diag_device:chr_file { read write };
+#allow ims diag_device:chr_file { read write };

sepolicy/vendor/init.te

@@ -2,9 +2,9 @@
 #binder_call(init, hwservicemanager);
 # binder_call(init, servicemanager);
 
-allow init hwservicemanager:binder call;
+#allow init hwservicemanager:binder call;
-allow init mm-qcamerad:binder transfer;
+#allow init mm-qcamerad:binder transfer;
-allow init platform_app:binder transfer;
+#allow init platform_app:binder transfer;
 
 allow init system_app:binder transfer;
 allow init system_data_file:file lock;
@@ -20,10 +20,10 @@ allow init system_server:binder { transfer call };
 allow init property_socket:sock_file write;
 allow init socket_device:sock_file { create setattr unlink };
 
-allow init system_data_file:file { rename append };
+#allow init system_data_file:file { rename append };
-allow init firmware_file:dir mounton;
+#allow init firmware_file:dir mounton;
 
-allow init fm_radio_device:chr_file write;
+#allow init fm_radio_device:chr_file write;
 
 # ptt_socket_app
 allow init dnsproxyd_socket:sock_file write;
@@ -31,12 +31,12 @@ allow init netd:unix_stream_socket connectto;
 allow init self:netlink_socket { read write getattr connect };
 
 allow init debugfs:file write;
-allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
+#allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
 
 allow init self:capability sys_nice;
 
-allow init bt_firmware_file:filesystem { associate };
+#allow init bt_firmware_file:filesystem { associate };
-allow init firmware_file:filesystem { associate };
+#allow init firmware_file:filesystem { associate };
 
 allow init sensors_device:chr_file { rw_file_perms create };
 
@@ -48,6 +48,6 @@ allow init hal_sensors_hwservice:hwservice_manager find;
 
 allow init { domain -lmkd -crash_dump }:process noatsecure;
 
-allow init hal_perf_hwservice:hwservice_manager find;
+#allow init hal_perf_hwservice:hwservice_manager find;
 allow init hidl_base_hwservice:hwservice_manager add;
 

sepolicy/vendor/installd.te

@@ -1,3 +1,4 @@
-allow installd firmware_file:filesystem quotaget;
+#allow installd firmware_file:filesystem quotaget;
-allow installd fsg_file:filesystem quotaget;
+#allow installd fsg_file:filesystem quotaget;
-allow installd persist_file:filesystem quotaget;
+#allow installd persist_file:filesystem quotaget;
+

sepolicy/vendor/mediacodec.te

@@ -1 +1 @@
-allow mediacodec firmware_file:file { open read };
+#allow mediacodec firmware_file:file { open read };

sepolicy/vendor/mediadrmserver.te

@@ -1,2 +1,2 @@
-allow mediadrmserver firmware_file:dir search;
+#allow mediadrmserver firmware_file:dir search;
-allow mediadrmserver firmware_file:file r_file_perms;
+#allow mediadrmserver firmware_file:file r_file_perms;

sepolicy/vendor/mm-qcamerad.te

@@ -1,27 +1,27 @@
-type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
+#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
-type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
+#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
 
 # binder_call(mm-qcamerad, servicemanager);
 # binder_use(mm-qcamerad);
 # binder_call(mm-qcamerad, binderservicedomain);
 # binder_call(mm-qcamerad, appdomain);
 # binder_call(mm-qcamerad, hal_sensors_default);
-set_prop(mm-qcamerad, camera_prop);
+#set_prop(mm-qcamerad, camera_prop);
 
-allow servicemanager mm-qcamerad:dir { search };
+#allow servicemanager mm-qcamerad:dir { search };
-allow servicemanager mm-qcamerad:file { read open };
+#allow servicemanager mm-qcamerad:file { read open };
-allow servicemanager mm-qcamerad:process { getattr };
+#allow servicemanager mm-qcamerad:process { getattr };
 
 # allow mm-qcamerad camera_data_file:sock_file { create unlink write };
 # allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
 #allow mm-qcamerad sensorservice_service:service_manager find;
-allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
+#allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
 # allow mm-qcamerad permission_service:service_manager find;
-allow mm-qcamerad debug_prop:property_service set;
+#allow mm-qcamerad debug_prop:property_service set;
 
-allow mm-qcamerad init:unix_stream_socket { read write };
+#allow mm-qcamerad init:unix_stream_socket { read write };
 
-allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
+#allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
 
-allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+#allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-allow mm-qcamerad hal_configstore_default:binder call;
+#allow mm-qcamerad hal_configstore_default:binder call;

sepolicy/vendor/mmi_boot.te

@@ -11,6 +11,6 @@ allow mmi_boot vendor_shell_exec:file rx_file_perms;
 allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
 allow mmi_boot vendor_shell_exec:file entrypoint;
 
-allow mmi_boot sysfs_socinfo:file write;
+#allow mmi_boot sysfs_socinfo:file write;
 
 set_prop(mmi_boot, hw_rev_prop);

sepolicy/vendor/netmgrd.te

@@ -1,5 +1,5 @@
-allow netmgrd toolbox_exec:file { getattr read open };
+#allow netmgrd toolbox_exec:file { getattr read open };
 
-allow netmgrd init:unix_stream_socket connectto;
+#allow netmgrd init:unix_stream_socket connectto;
-allow netmgrd property_socket:sock_file write;
+#allow netmgrd property_socket:sock_file write;
-allow netmgrd system_file:file lock;
+#allow netmgrd system_file:file lock;

sepolicy/vendor/per_mgr.te

@@ -1 +1 @@
-allow vendor_per_mgr self:capability net_raw;
+#allow vendor_per_mgr self:capability net_raw;

sepolicy/vendor/perfd.te

@@ -16,13 +16,13 @@ r_dir_file(perfd, sysfs_type)
 # they are created with the default label "sysfs". For robustness,
 # allow perfd to write to "sysfs" to ensure it can optimally
 # tune the power/cpu settings.
-allow perfd sysfs:file write;
+#allow perfd sysfs:file write;
-allow perfd sysfs_msm_perf:file write;
+#allow perfd sysfs_msm_perf:file write;
-allow perfd sysfs_ssr:file write;
+#allow perfd sysfs_ssr:file write;
 allow perfd sysfs_devices_system_cpu:file write;
-allow perfd sysfs_power_management:file write;
+#allow perfd sysfs_power_management:file write;
-allow perfd sysfs_devfreq:file write;
+#allow perfd sysfs_devfreq:file write;
-allow perfd sysfs_lib:file write;
+#allow perfd sysfs_lib:file write;
 
 allow perfd proc_kernel_sched:file w_file_perms;
 allow perfd gpu_device:chr_file rw_file_perms;
@@ -35,4 +35,4 @@ dontaudit perfd self:capability kill;
 allow perfd surfaceflinger:process signull;
 allow perfd hal_graphics_composer_default:process signull;
 
-get_prop(perfd, freq_prop);
+#get_prop(perfd, freq_prop);

sepolicy/vendor/persist_file.te

@@ -1 +1 @@
-allow persist_file self:filesystem associate;
+#allow persist_file self:filesystem associate;

sepolicy/vendor/platform_app.te

@@ -1,4 +1,4 @@
-get_prop(platform_app, camera_prop);
+#get_prop(platform_app, camera_prop);
 binder_call(platform_app, hal_sensors_default);
 
 allow platform_app rootfs:dir getattr;

sepolicy/vendor/priv_app.te

@@ -1,6 +1,6 @@
 allow priv_app device:dir r_dir_perms;
-allow priv_app persist_file:filesystem getattr;
+#allow priv_app persist_file:filesystem getattr;
-allow priv_app proc_interrupts:file { open read getattr };
+#allow priv_app proc_interrupts:file { open read getattr };
 allow priv_app proc_modules:file { open read getattr };
 get_prop(priv_app, adspd_prop);
 allow priv_app sysfs:dir open;

sepolicy/vendor/qseeproxy.te

@@ -1,3 +1,3 @@
 # binder_call(qseeproxy, servicemanager);
-allow qseeproxy self:process getattr;
+#allow qseeproxy self:process getattr;
 # allow qseeproxy qseeproxy_service_old:service_manager { add find };

sepolicy/vendor/qtelephony.te

@@ -1 +1 @@
-allow qtelephony radio_service:service_manager find;
+#allow qtelephony radio_service:service_manager find;

sepolicy/vendor/qti.te

@@ -1,2 +1,2 @@
-get_prop(qti, diag_prop)
+#get_prop(qti, diag_prop)
-allow qti diag_device:chr_file { read write };
+#allow qti diag_device:chr_file { read write };

sepolicy/vendor/qti_init_shell.te

@@ -1,7 +1,7 @@
-set_prop(qti_init_shell, hw_rev_prop);
+#set_prop(qti_init_shell, hw_rev_prop);
-allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
+#allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
 
-allow qti_init_shell kmsg_device:chr_file write;
+#allow qti_init_shell kmsg_device:chr_file write;
-allow qti_init_shell sysfs_wcnsscore:file write;
+#allow qti_init_shell sysfs_wcnsscore:file write;
 
-allow qti_init_shell kmsg_device:chr_file open;
+#allow qti_init_shell kmsg_device:chr_file open;

sepolicy/vendor/radio.te

@@ -1,3 +1,3 @@
 allow radio system_app_data_file:dir getattr;
-allow radio qmuxd_socket:sock_file write;
+#allow radio qmuxd_socket:sock_file write;
 allow radio vendor_file:file { getattr open read };

sepolicy/vendor/rfs_access.te

@@ -1,4 +1,4 @@
-allow rfs_access self:capability net_raw;
+#allow rfs_access self:capability net_raw;
-allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
+#allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
-allow rfs_access vendor_tombstone_data_file:dir search;
+#allow rfs_access vendor_tombstone_data_file:dir search;
 

sepolicy/vendor/rfs_file.te

@@ -1 +1 @@
-allow rfs_file persist_file:filesystem associate;
+#allow rfs_file persist_file:filesystem associate;

sepolicy/vendor/rmt_storage.te

@@ -1,24 +1,24 @@
-allow rmt_storage {
+#allow rmt_storage {
-    modem_efs_partition_device
+#    modem_efs_partition_device
-}:blk_file rw_file_perms;
+#}:blk_file rw_file_perms;
 
-r_dir_file(rmt_storage fsg_file)
+#r_dir_file(rmt_storage fsg_file)
-r_dir_file(rmt_storage, persist_file)
+#r_dir_file(rmt_storage, persist_file)
 
-allow rmt_storage sysfs_rmt_storage:file rw_file_perms;
+#allow rmt_storage sysfs_rmt_storage:file rw_file_perms;
-allow rmt_storage sysfs_rmt_storage:dir { search open };
+#allow rmt_storage sysfs_rmt_storage:dir { search open };
-allow rmt_storage sysfs_uio:file r_file_perms;
+#allow rmt_storage sysfs_uio:file r_file_perms;
-allow rmt_storage sysfs_uio:dir { read open search };
+#allow rmt_storage sysfs_uio:dir { read open search };
-allow rmt_storage sysfs_uio:lnk_file { read };
+#allow rmt_storage sysfs_uio:lnk_file { read };
 
-allow rmt_storage debugfs_rmt_storage:dir r_dir_perms;
+#allow rmt_storage debugfs_rmt_storage:dir r_dir_perms;
-allow rmt_storage debugfs_rmt_storage:file rw_file_perms;
+#allow rmt_storage debugfs_rmt_storage:file rw_file_perms;
 
-allow rmt_storage fsg_file:file { open read };
+#allow rmt_storage fsg_file:file { open read };
-allow rmt_storage fsg_file:dir search;
+#allow rmt_storage fsg_file:dir search;
-allow rmt_storage fsg_file:lnk_file read;
+#allow rmt_storage fsg_file:lnk_file read;
 
-allow rmt_storage persist_file:dir r_dir_perms;
+#allow rmt_storage persist_file:dir r_dir_perms;
 
-allow rmt_storage vendor_radio_prop:file { getattr open read };
+#allow rmt_storage vendor_radio_prop:file { getattr open read };
-allow rmt_storage vendor_file:dir search;
+#allow rmt_storage vendor_file:dir search;

sepolicy/vendor/servicemanager.te

@@ -1,15 +1,15 @@
 allow servicemanager init:dir search;
 allow servicemanager init:file { open read };
 allow servicemanager init:process getattr;
-allow servicemanager qseeproxy:dir search;
+#allow servicemanager qseeproxy:dir search;
-allow servicemanager qseeproxy:file { open read };
+#allow servicemanager qseeproxy:file { open read };
 allow servicemanager rild:dir search;
 allow servicemanager rild:file { open read };
 allow servicemanager rild:process getattr;
 
 allow servicemanager hal_fingerprint_default:dir search;
 allow servicemanager hal_fingerprint_default:file read;
-allow servicemanager qseeproxy:process getattr;
+#allow servicemanager qseeproxy:process getattr;
 
 
 allow servicemanager hal_camera_default:dir search;
@@ -19,27 +19,27 @@ allow servicemanager hal_camera_default:process getattr;
 allow servicemanager hal_fingerprint_default:file open;
 allow servicemanager hal_fingerprint_default:process getattr;
 
-allow servicemanager wcnss_service:dir search;
+#allow servicemanager wcnss_service:dir search;
-allow servicemanager wcnss_service:file { open read };
+#allow servicemanager wcnss_service:file { open read };
 
-allow servicemanager esepmdaemon:dir search;
+#allow servicemanager esepmdaemon:dir search;
-allow servicemanager esepmdaemon:file { open read };
+#allow servicemanager esepmdaemon:file { open read };
-allow servicemanager esepmdaemon:process getattr;
+#allow servicemanager esepmdaemon:process getattr;
 
-allow servicemanager vendor_per_mgr:dir search;
+#allow servicemanager vendor_per_mgr:dir search;
-allow servicemanager vendor_per_mgr:file { open read };
+#allow servicemanager vendor_per_mgr:file { open read };
-allow servicemanager vendor_per_mgr:process getattr;
+#allow servicemanager vendor_per_mgr:process getattr;
-allow servicemanager wcnss_service:process getattr;
+#allow servicemanager wcnss_service:process getattr;
 
-allow servicemanager hal_gnss_qti:dir search;
+#allow servicemanager hal_gnss_qti:dir search;
-allow servicemanager hal_gnss_qti:file { open read };
+#allow servicemanager hal_gnss_qti:file { open read };
-allow servicemanager hal_gnss_qti:process getattr;
+#allow servicemanager hal_gnss_qti:process getattr;
 
 allow servicemanager hal_sensors_default:dir search;
 allow servicemanager hal_sensors_default:file { open read };
 allow servicemanager hal_sensors_default:process getattr;
 
-allow servicemanager sensors:dir search;
+#allow servicemanager sensors:dir search;
-allow servicemanager sensors:file { open read };
+#allow servicemanager sensors:file { open read };
-allow servicemanager sensors:process getattr;
+#allow servicemanager sensors:process getattr;
 

sepolicy/vendor/surfaceflinger.te

@@ -1,6 +1,6 @@
 get_prop(surfaceflinger, diag_prop);
-allow surfaceflinger perfd_data_file:sock_file write;
+#allow surfaceflinger perfd_data_file:sock_file write;
-allow surfaceflinger diag_device:chr_file { read write };
+#allow surfaceflinger diag_device:chr_file { read write };
 
 binder_call(surfaceflinger, hwservicemanager)
 

sepolicy/vendor/system_app.te

@@ -1,8 +1,8 @@
 allow system_app proc_touchpanel:dir search;
 allow system_app sysfs_vibrator:file rw_file_perms;
-allow system_app sysfs_vibrator:dir search;
+#allow system_app sysfs_vibrator:dir search;
-allow system_app sysfs_graphics:file rw_file_perms;
+#allow system_app sysfs_graphics:file rw_file_perms;
-allow system_app sysfs_graphics:dir search;
+#allow system_app sysfs_graphics:dir search;
 allow system_app proc_touchpanel:file rw_file_perms;
 allow system_app sysfs_fpc:file rw_file_perms;
 allow system_app fuse_device:filesystem getattr;
@@ -12,7 +12,7 @@ allow system_app init:unix_stream_socket { read write };
 allow system_app sysfs_homebutton:file write;
 
 get_prop(system_app, diag_prop);
-binder_call(system_app, qtitetherservice_service);
+#binder_call(system_app, qtitetherservice_service);
 binder_call(system_app, wificond);
 
 get_prop(system_app, spectrum_prop);

sepolicy/vendor/system_server.te

@@ -7,7 +7,7 @@ allow system_server sysfs_capsense:dir search;
 allow system_server sysfs_capsense:file rw_file_perms;
 allow system_server init:unix_stream_socket { read };
 
-allow system_server qti_debugfs:file { getattr open read };
+#allow system_server qti_debugfs:file { getattr open read };
 allow system_server init:unix_stream_socket write;
 
 allow system_server sensors_device:chr_file { ioctl open read };

sepolicy/vendor/tee.te

@@ -1 +1 @@
-allow tee persist_file:file r_file_perms;
+#allow tee persist_file:file r_file_perms;

sepolicy/vendor/thermal-engine.te

@@ -1,8 +1,8 @@
-get_prop(thermal-engine, diag_prop)
+#get_prop(thermal-engine, diag_prop)
-allow thermal-engine socket_device:sock_file { create setattr };
+#allow thermal-engine socket_device:sock_file { create setattr };
-allow thermal-engine sysfs_rmt_storage:dir search;
+#allow thermal-engine sysfs_rmt_storage:dir search;
-allow thermal-engine sysfs_rmt_storage:file r_file_perms;
+#allow thermal-engine sysfs_rmt_storage:file r_file_perms;
-allow thermal-engine sysfs_uio:file r_file_perms;
+#allow thermal-engine sysfs_uio:file r_file_perms;
-allow thermal-engine sysfs_uio:dir { read open search };
+#allow thermal-engine sysfs_uio:dir { read open search };
-allow thermal-engine sysfs_uio:lnk_file { read };
+#allow thermal-engine sysfs_uio:lnk_file { read };
-allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
+#allow thermal-engine sysfs_vadc_dev:lnk_file { read open };

sepolicy/vendor/time_daemon.te

@@ -1,3 +1,3 @@
-get_prop(time_daemon, diag_prop);
+#get_prop(time_daemon, diag_prop);
 
-allow time_daemon persist_file:file { open read write };
+#allow time_daemon persist_file:file { open read write };

sepolicy/vendor/toolbox.te

@@ -4,4 +4,4 @@ set_prop(toolbox, touch_prop);
 allow toolbox init:fifo_file { write getattr read ioctl };
 
 allow toolbox radio_data_file:file rw_file_perms;
-allow toolbox firmware_file:file getattr;
+#allow toolbox firmware_file:file getattr;

sepolicy/vendor/ueventd.te

@@ -2,4 +2,4 @@ allow ueventd sysfs_mmi_fp:file w_file_perms;
 
 allow ueventd synaptics_rmi_device:chr_file { rw_file_perms relabelfrom relabelto};
 allow ueventd sysfs_fpc:file rw_file_perms;
-allow ueventd sysfs_sensors:file rw_file_perms;
+#allow ueventd sysfs_sensors:file rw_file_perms;

sepolicy/vendor/untrusted_app.te

@@ -1,7 +1,7 @@
-get_prop(untrusted_app, camera_prop);
+#get_prop(untrusted_app, camera_prop);
-get_prop(untrusted_app_25, camera_prop);
+#get_prop(untrusted_app_25, camera_prop);
 allow untrusted_app sysfs_zram:dir { search read };
 allow untrusted_app sysfs_zram:file { open read getattr };
 
-allow untrusted_app firmware_file:dir read;
+#allow untrusted_app firmware_file:dir read;
-allow untrusted_app fsg_file:dir read;
+#allow untrusted_app fsg_file:dir read;

sepolicy/vendor/vold.te

@@ -1,2 +1,2 @@
-allow vold persist_file:dir { ioctl open read };
+#allow vold persist_file:dir { ioctl open read };
 allow vold metadata_block_device:blk_file { rw_file_perms };

sepolicy/vendor/wcnss_filter.te

@@ -1 +1 @@
-get_prop(wcnss_filter, diag_prop);
+#get_prop(wcnss_filter, diag_prop);

sepolicy/vendor/wcnss_service.te

@@ -1,8 +1,8 @@
 # binder_call(wcnss_service, servicemanager);
-set_prop(wcnss_service, wifi_prop);
+#set_prop(wcnss_service, wifi_prop);
-get_prop(wcnss_service, diag_prop);
+#get_prop(wcnss_service, diag_prop);
 # allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
 # allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
-allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
+#allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
 
 # allow wcnss_service per_mgr_service_old:service_manager find;