From f540803573f9fba3a3372bb7b19dffbf19f90d8c Mon Sep 17 00:00:00 2001
From: Ashwin R C
Date: Fri, 7 Jun 2019 06:13:41 -0400
Subject: [PATCH] sanders: update sepolicy.

-Fix Neverallows.
-Fix missing type.
-Fix type attributes.

Signed-off-by: Ashwin R C
Signed-off-by: ronaxdevil
---
 sepolicy/vendor/cameraserver.te | 5 ---
 sepolicy/vendor/charge_only.te | 6 +--
 sepolicy/vendor/cnd.te | 2 +-
 sepolicy/vendor/file.te | 43 ++++++++++++----------
 sepolicy/vendor/hal_fingerprint_default.te | 3 --
 sepolicy/vendor/hal_gnss_qti.te | 2 -
 sepolicy/vendor/hal_sensors_default.te | 3 +-
 sepolicy/vendor/init.te | 2 -
 sepolicy/vendor/init_wifi.te | 1 -
 sepolicy/vendor/logd.te | 1 -
 sepolicy/vendor/mediaserver.te | 2 -
 sepolicy/vendor/mm-qcamerad.te | 6 +--
 sepolicy/vendor/mmi_boot.te | 5 ---
 sepolicy/vendor/netmgrd.te | 12 +++---
 sepolicy/vendor/perfd.te | 4 --
 sepolicy/vendor/priv_app.te | 1 +
 sepolicy/vendor/qti_init_shell.te | 2 -
 sepolicy/vendor/radio.te | 1 +
 sepolicy/vendor/rild.te | 9 -----
 sepolicy/vendor/rmt_storage.te | 2 -
 sepolicy/vendor/surfaceflinger.te | 2 -
 sepolicy/vendor/system_app.te | 6 ++-
 sepolicy/vendor/system_server.te | 8 ++--
 sepolicy/vendor/thermal-engine.te | 1 -
 sepolicy/vendor/toolbox.te | 11 +----
 sepolicy/vendor/untrusted_app.te | 5 ---
 sepolicy/vendor/untrusted_app_25.te | 5 ++-
 27 files changed, 51 insertions(+), 99 deletions(-)
 delete mode 100644 sepolicy/vendor/logd.te
 delete mode 100644 sepolicy/vendor/mediaserver.te

diff --git a/sepolicy/vendor/cameraserver.te b/sepolicy/vendor/cameraserver.te
index 08c77c5..7a956eb 100644
--- a/sepolicy/vendor/cameraserver.te
+++ b/sepolicy/vendor/cameraserver.te
@@ -11,8 +11,6 @@ allow cameraserver sdcardfs:dir { read write open getattr add_name remove_name r
 allow cameraserver sdcardfs:file { create open read write unlink getattr };
 allow cameraserver storage_file:dir search;
-allow cameraserver persist_file:file { read write open create getattr create_file_perms rw_file_perms };
-allow cameraserver persist_file:dir { read write open create_file_perms rw_file_perms search add_name create };
 allow cameraserver fuse:file { read write open create getattr create_file_perms rw_file_perms };
 allow cameraserver fuse:dir { read write open create_file_perms rw_file_perms search add_name create };
 allow cameraserver tmpfs:file { read write open create getattr create_file_perms rw_file_perms };
@@ -24,8 +22,6 @@ allow cameraserver mnt_user_file:lnk_file r_file_perms;
 allow cameraserver media_rw_data_file:dir { open read search write add_name };
 allow cameraserver media_rw_data_file:file { create read write open };
-allow cameraserver sysfs:file { open write };
-
 allow cameraserver cameraserver:process { execmem };
 ####
@@ -39,7 +35,6 @@ allow cameraserver shell_exec:file { read open execute };
 allow cameraserver self:socket create;
 allow cameraserver camera_prop:property_service set;
 allow cameraserver init:unix_stream_socket connectto;
-allow cameraserver sensors_persist_file:file { open read };
 allow cameraserver property_socket:sock_file write;
 #allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
 allow cameraserver shell_exec:file { execute getattr };
diff --git a/sepolicy/vendor/charge_only.te b/sepolicy/vendor/charge_only.te
index 3d2f517..24ebe81 100644
--- a/sepolicy/vendor/charge_only.te
+++ b/sepolicy/vendor/charge_only.te
@@ -2,9 +2,6 @@ type charge_only, domain;
 type charge_only_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(charge_only)
-allow charge_only chargeonly_data_file:dir rw_dir_perms;
-allow charge_only chargeonly_data_file:file rw_file_perms;
-
 # Write to /dev/kmsg
 allow charge_only kmsg_device:chr_file rw_file_perms;
@@ -13,7 +10,7 @@ r_dir_file(charge_only, sysfs_type)
 r_dir_file(charge_only, rootfs)
 r_dir_file(charge_only, cgroup)
-allow charge_only self:capability { dac_override net_admin sys_tty_config sys_boot };
+allow charge_only self:capability { net_admin sys_tty_config sys_boot };
 allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 wakelock_use(charge_only)
@@ -24,7 +21,6 @@ allow charge_only sysfs:dir { read open };
 allow charge_only sysfs:file { read open write };
 allow charge_only sysfs_wake_lock:file rw_file_perms;
-allow charge_only system_data_file:dir { write add_name };
 allow charge_only sysfs_batteryinfo:file r_file_perms;
diff --git a/sepolicy/vendor/cnd.te b/sepolicy/vendor/cnd.te
index 35913b1..4ea18a1 100644
--- a/sepolicy/vendor/cnd.te
+++ b/sepolicy/vendor/cnd.te
@@ -1,2 +1,2 @@
-# allow cnd system_wpa_socket:sock_file { unlink };
 allow cnd diag_device:chr_file { read write };
+allow cnd self:capability { net_raw };
diff --git a/sepolicy/vendor/file.te b/sepolicy/vendor/file.te
index 7c3aac6..d700d28 100644
--- a/sepolicy/vendor/file.te
+++ b/sepolicy/vendor/file.te
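Review bot: `+allow cnd self:capability { net_raw };` in the cnd.te hunk grants CAP_NET_RAW with no comment recording which operation needs it, and capability grants are the lines of a vendor policy a later reviewer most needs to be able to re-check. Put the motivating operation above the rule, e.g. `# CAP_NET_RAW: <operation from the avc denial that motivated this>`, so the grant can be revisited if that code path disappears. The charge_only hunks on this line only narrow existing grants (`dac_override`, `system_data_file` writes) and need no change.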
@@ -1,37 +1,38 @@
 # ADSP
-type adspd_data_file, file_type, data_file_type;
+type adspd_data_file, file_type, data_file_type, core_data_file_type;
 # charge_only_mode
-type chargeonly_data_file, file_type, data_file_type;
+type chargeonly_data_file, file_type, data_file_type, core_data_file_type;
 # FSG
 type fsg_file, fs_type, contextmount_type;
 # Modem
-type persist_modem_file, file_type, data_file_type;
+type persist_modem_file, file_type, data_file_type, core_data_file_type;
-type persist_omadm_file, file_type, data_file_type;
-type sds_data_file, file_type, data_file_type;
-type pds_public_file, file_type, data_file_type;
-type persist_camera_file, file_type, data_file_type;
-type persist_antcap_file, file_type, data_file_type;
-type pds_telephony_file, file_type, data_file_type;
-type pds_omadm_file, file_type, data_file_type;
-type persist_audio_file, file_type, data_file_type;
+type persist_omadm_file, file_type, data_file_type, core_data_file_type;
+type sds_data_file, file_type, data_file_type, core_data_file_type;
+type pds_public_file, file_type, data_file_type, core_data_file_type;
+type persist_camera_file, file_type, data_file_type, core_data_file_type;
+type persist_antcap_file, file_type, data_file_type, core_data_file_type;
+type pds_telephony_file, file_type, data_file_type, core_data_file_type;
+type pds_omadm_file, file_type, data_file_type, core_data_file_type;
+type persist_audio_file, file_type, data_file_type, core_data_file_type;
-type moodle_data_file, file_type, data_file_type;
-type cutback_data_file, file_type, data_file_type;
+type moodle_data_file, file_type, data_file_type, core_data_file_type;
+type cutback_data_file, file_type, data_file_type, core_data_file_type;
-type dbvc_data_file, file_type, data_file_type;
+type dbvc_data_file, file_type, data_file_type, core_data_file_type;
-type akmd_data_file, file_type, data_file_type;
+type akmd_data_file, file_type, data_file_type, core_data_file_type;
-type wapi_supplicant_data_file, file_type, data_file_type;
+type wapi_supplicant_data_file, file_type, data_file_type, core_data_file_type;
 # RIL
-type netmgr_data_file, file_type, data_file_type;
+type netmgr_data_file, file_type, data_file_type, core_data_file_type;
 # sysfs
+#type sysfs_adsp, fs_type, sysfs_type;
 type sysfs_homebutton, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mmi_fp, fs_type, sysfs_type;
@@ -40,17 +41,19 @@ type sysfs_batt, fs_type, sysfs_type;
 type sysfs_cnss, fs_type, sysfs_type;
 type sysfs_fpc, fs_type, sysfs_type;
-type fpc_socket, file_type, data_file_type;
+type fpc_socket, file_type, data_file_type, core_data_file_type;
 type fpc_data_file, file_type;
 type sysfs_wcnsscore, fs_type, sysfs_type;
-type nv_data_file, file_type, data_file_type;
+type nv_data_file, file_type, data_file_type, core_data_file_type;
 type sysfs_rmt_storage, fs_type, sysfs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
 type debugfs_wlan, debugfs_type, fs_type;
-type perfd_data_file, file_type, data_file_type;
+type perfd_data_file, file_type, data_file_type, core_data_file_type;
 type proc_kernel_sched, fs_type;
 type sysfs_power_management, sysfs_type, fs_type;
 type proc_touchpanel, fs_type;
+type camera_socket, file_type, data_file_type, core_data_file_type;
+type sysfs_screen_off_gestures, fs_type, sysfs_type, mlstrustedobject;
diff --git a/sepolicy/vendor/hal_fingerprint_default.te b/sepolicy/vendor/hal_fingerprint_default.te
index a6d5bef..a0c6b5b 100644
--- a/sepolicy/vendor/hal_fingerprint_default.te
+++ b/sepolicy/vendor/hal_fingerprint_default.te
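Review bot: `+type camera_socket, file_type, data_file_type, core_data_file_type;` is declared as core data, yet the mm-qcamerad.te hunk in this same patch makes it the result of a `type_transition` from the vendor camera daemon, and the same attribute is added to twenty-odd types (netmgr_data_file, nv_data_file, perfd_data_file, cutback_data_file, chargeonly_data_file, ...) whose only users visible in this patch are vendor daemons. core_data_file_type marks /data owned by the system image, and the Treble core/vendor data separation stops a vendor domain from creating files of such a type unless it is tagged `data_between_core_and_vendor_violators`, which is presumably why the netmgrd, rild, perfd and charge_only hunks delete those daemons' write rules instead of relabeling. If those directories really live under /data/vendor, the right fix is to keep the vendor-owned types free of core_data_file_type and fix file_contexts, not to drop the daemons' access; if they are genuinely core paths, the deleted rules are a functional regression that the commit message should call out. Separately, `+#type sysfs_adsp, fs_type, sysfs_type;` commits a commented-out declaration; either declare the type or leave the line out.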
@@ -4,11 +4,8 @@ allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default firmware_file:dir search;
 allow hal_fingerprint_default firmware_file:file r_file_perms;
-allow hal_fingerprint_default fpc_data_file:sock_file { create unlink rw_file_perms };
 allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
 allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_leds:file r_file_perms;
-# allow hal_fingerprint_default fingerprintd_data_file:sock_file { create unlink };
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
-allow hal_fingerprint_default fpc_socket:sock_file unlink;
diff --git a/sepolicy/vendor/hal_gnss_qti.te b/sepolicy/vendor/hal_gnss_qti.te
index 78f43b3..a819020 100644
--- a/sepolicy/vendor/hal_gnss_qti.te
+++ b/sepolicy/vendor/hal_gnss_qti.te
@@ -1,6 +1,4 @@
-# binder_call(hal_gnss_qti, servicemanager);
 get_prop(hal_gnss_qti, diag_prop);
-# allow hal_gnss_qti per_mgr_service_old:service_manager find;
 allow hal_gnss_qti debug_prop:file read;
 allow hal_gnss_qti property_socket:sock_file write;
diff --git a/sepolicy/vendor/hal_sensors_default.te b/sepolicy/vendor/hal_sensors_default.te
index 73d6fe8..830257c 100644
--- a/sepolicy/vendor/hal_sensors_default.te
+++ b/sepolicy/vendor/hal_sensors_default.te
@@ -8,10 +8,9 @@ binder_call(hal_sensors_default, system_app)
 binder_call(hal_sensors_default, priv_app)
 binder_call(hal_sensors_default, platform_app)
-allow hal_sensors_default self:capability { dac_override };
 allow hal_sensors_default sensors_device:chr_file { ioctl open read };
 allow hal_sensors_default sysfs:file { open read write };
-allow hal_sensors_default system_data_file:file { getattr open read };
+allow hal_sensors_default system_data_file:file { getattr read };
 allow hal_sensors_default proc_net:file { getattr open read };
 allow hal_sensors_default sysfs_capsense:dir search;
diff --git a/sepolicy/vendor/init.te b/sepolicy/vendor/init.te
index f2688ec..8fd1ea9 100644
--- a/sepolicy/vendor/init.te
+++ b/sepolicy/vendor/init.te
@@ -6,8 +6,6 @@ allow init hwservicemanager:binder call;
 allow init mm-qcamerad:binder transfer;
 allow init platform_app:binder transfer;
-allow init sysfs_devices_system_cpu:dir write;
-allow init sysfs_lowmemorykiller:dir write;
 allow init system_app:binder transfer;
 allow init system_data_file:file lock;
diff --git a/sepolicy/vendor/init_wifi.te b/sepolicy/vendor/init_wifi.te
index 3afa404..98cb49a 100644
--- a/sepolicy/vendor/init_wifi.te
+++ b/sepolicy/vendor/init_wifi.te
@@ -12,4 +12,3 @@ allow init_wifi vendor_toolbox_exec:file rx_file_perms;
 allow init_wifi vendor_shell_exec:file entrypoint;
 allow init_wifi sysfs_wcnsscore:file rw_file_perms;
-allow init_wifi sysfs_wcnsscore:dir rw_dir_perms;
diff --git a/sepolicy/vendor/logd.te b/sepolicy/vendor/logd.te
deleted file mode 100644
index 604c7dd..0000000
--- a/sepolicy/vendor/logd.te
+++ /dev/null
@@ -1 +0,0 @@
-allow logd self:capability dac_override;
diff --git a/sepolicy/vendor/mediaserver.te b/sepolicy/vendor/mediaserver.te
deleted file mode 100644
index 252b0ef..0000000
--- a/sepolicy/vendor/mediaserver.te
+++ /dev/null
@@ -1,2 +0,0 @@
-allow mediaserver persist_file:dir search;
-allow mediaserver persist_file:file { read getattr open };
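Review bot: `+allow hal_sensors_default system_data_file:file { getattr read };` drops `open` from the old rule, which satisfies the vendor-to-core-data neverallow but leaves the HAL able to read system_data_file only through a descriptor handed to it by another process; if the sensors HAL opens the file itself, the denial simply moves to `open`. If that is the case, the file needs its own vendor-accessible type (a `file_type, data_file_type` without core_data_file_type, living under /data/vendor) rather than being read as system_data_file. Removing `dac_override` in the same hunk is the right direction and needs no change.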
diff --git a/sepolicy/vendor/mm-qcamerad.te b/sepolicy/vendor/mm-qcamerad.te
index b717642..37f8a52 100644
--- a/sepolicy/vendor/mm-qcamerad.te
+++ b/sepolicy/vendor/mm-qcamerad.te
@@ -1,3 +1,6 @@
+type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
+type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
+
 # binder_call(mm-qcamerad, servicemanager);
 # binder_use(mm-qcamerad);
 # binder_call(mm-qcamerad, binderservicedomain);
@@ -15,9 +18,6 @@ allow servicemanager mm-qcamerad:process { getattr };
 allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
 # allow mm-qcamerad permission_service:service_manager find;
 allow mm-qcamerad debug_prop:property_service set;
-allow mm-qcamerad persist_file:dir search;
-allow mm-qcamerad persist_file:file { read getattr open };
-allow mm-qcamerad system_data_file:dir read;
 allow mm-qcamerad init:unix_stream_socket { read write };
diff --git a/sepolicy/vendor/mmi_boot.te b/sepolicy/vendor/mmi_boot.te
index 7cd25c3..c7391a5 100644
--- a/sepolicy/vendor/mmi_boot.te
+++ b/sepolicy/vendor/mmi_boot.te
@@ -11,11 +11,6 @@ allow mmi_boot vendor_shell_exec:file rx_file_perms;
 allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
 allow mmi_boot vendor_shell_exec:file entrypoint;
-allow mmi_boot radio_data_file:dir { add_name search write };
-allow mmi_boot radio_data_file:file { create setattr };
-allow mmi_boot radio_data_file:file rw_file_perms;
-allow mmi_boot self:capability chown;
-allow mmi_boot self:capability dac_override;
 allow mmi_boot sysfs_socinfo:file write;
 set_prop(mmi_boot, hw_rev_prop);
diff --git a/sepolicy/vendor/netmgrd.te b/sepolicy/vendor/netmgrd.te
index 621f192..1a12add 100644
--- a/sepolicy/vendor/netmgrd.te
+++ b/sepolicy/vendor/netmgrd.te
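Review bot: the two `type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";` / `"cam_socket2";` rules only decide the label of a newly created socket; no `allow mm-qcamerad camera_socket:sock_file create_file_perms;` (nor the `camera_data_file:dir { add_name write search }` it depends on) appears in this hunk, so unless those rules already exist elsewhere in mm-qcamerad.te the socket creation that motivated the transition is still denied, now with `camera_socket` as the target type. Please either add the matching allow next to the transitions or reference the line that already grants it in a comment. The attribute problem with `camera_socket` itself is raised on the file.te hunk.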
@@ -1,8 +1,6 @@
-allow netmgrd netmgr_data_file:dir { add_name search write };
-allow netmgrd netmgr_data_file:file create;
-allow netmgrd netmgr_data_file:file rw_file_perms;
-allow netmgrd self:capability dac_override;
-allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netd_socket:sock_file write;
-# allow netmgrd toolbox_exec:file { execute getattr execute_no_trans read open };
-r_dir_file(netmgrd, net_data_file)
+allow netmgrd toolbox_exec:file { getattr read open };
+
+allow netmgrd init:unix_stream_socket connectto;
+allow netmgrd property_socket:sock_file write;
+allow netmgrd system_file:file lock;
diff --git a/sepolicy/vendor/perfd.te b/sepolicy/vendor/perfd.te
index 2189bfd..a26766b 100644
--- a/sepolicy/vendor/perfd.te
+++ b/sepolicy/vendor/perfd.te
@@ -6,10 +6,6 @@
 allow perfd cgroup:file r_file_perms;
 allow perfd cameraserver:process signull;
-# files in /data/misc/perfd and /data/system/perfd
-allow perfd perfd_data_file:dir create_dir_perms;
-allow perfd perfd_data_file:{ file sock_file } create_file_perms;
-
 allow perfd proc_kernel_sched:file r_file_perms;
 # read access /sys
diff --git a/sepolicy/vendor/priv_app.te b/sepolicy/vendor/priv_app.te
index 7198d1a..0048d28 100644
--- a/sepolicy/vendor/priv_app.te
+++ b/sepolicy/vendor/priv_app.te
@@ -3,3 +3,4 @@ allow priv_app persist_file:filesystem getattr;
 allow priv_app proc_interrupts:file { open read getattr };
 allow priv_app proc_modules:file { open read getattr };
 get_prop(priv_app, adspd_prop);
+allow priv_app sysfs:dir open;
diff --git a/sepolicy/vendor/qti_init_shell.te b/sepolicy/vendor/qti_init_shell.te
index b2d8bbe..6e426ef 100644
--- a/sepolicy/vendor/qti_init_shell.te
+++ b/sepolicy/vendor/qti_init_shell.te
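Review bot: `+allow netmgrd toolbox_exec:file { getattr read open };` points a vendor daemon at the system toolbox binary, while init_wifi.te and mmi_boot.te in this same patch already use `vendor_toolbox_exec`; granting read and open but not execute looks like half of an exec denial granted piecemeal. If netmgrd really runs toybox it should be `allow netmgrd vendor_toolbox_exec:file rx_file_perms;` so the vendor process stays off /system/bin, and if it does not, the line should go. The hunk also drops both `r_dir_file(netmgrd, net_data_file)` and `net_data_file:dir r_dir_perms` with nothing replacing them, which deserves a sentence in the commit message since that removal is a behaviour change rather than a neverallow fix.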
@@ -1,6 +1,4 @@
 set_prop(qti_init_shell, hw_rev_prop);
-allow qti_init_shell apk_data_file:dir { write add_name create };
-allow qti_init_shell apk_data_file:file { create write setattr };
 allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
 allow qti_init_shell kmsg_device:chr_file write;
diff --git a/sepolicy/vendor/radio.te b/sepolicy/vendor/radio.te
index dadb2cb..1687352 100644
--- a/sepolicy/vendor/radio.te
+++ b/sepolicy/vendor/radio.te
@@ -1,2 +1,3 @@
 allow radio system_app_data_file:dir getattr;
 allow radio qmuxd_socket:sock_file write;
+allow radio vendor_file:file { getattr open read };
diff --git a/sepolicy/vendor/rild.te b/sepolicy/vendor/rild.te
index 5fba559..e773757 100644
--- a/sepolicy/vendor/rild.te
+++ b/sepolicy/vendor/rild.te
@@ -1,19 +1,10 @@
-# binder_call(rild, servicemanager);
 binder_call(rild, audioserver_service);
 binder_call(rild, system_server);
-# allow rild per_mgr_service_old:service_manager find;
 set_prop(rild, diag_prop);
-allow rild nv_data_file:dir rw_dir_perms;
-allow rild nv_data_file:file create_file_perms;
-allow rild radio_data_file:dir rw_dir_perms;
-allow rild radio_data_file:file create_file_perms;
 allow rild fsg_file:file { getattr open read };
 allow rild fsg_file:dir { search open read };
 allow rild fsg_file:lnk_file read;
-allow rild cutback_data_file:dir rw_dir_perms;
-allow rild cutback_data_file:sock_file create_file_perms;
-
 allow rild rild_exec:file execute_no_trans;
 allow rild fwk_sensor_hwservice:hwservice_manager find;
diff --git a/sepolicy/vendor/rmt_storage.te b/sepolicy/vendor/rmt_storage.te
index b4a132d..c28fa64 100644
--- a/sepolicy/vendor/rmt_storage.te
+++ b/sepolicy/vendor/rmt_storage.te
@@ -7,6 +7,4 @@ allow rmt_storage debugfs_rmt_storage:dir search;
 allow rmt_storage debugfs_rmt_storage:file w_file_perms;
 allow rmt_storage fsg_file:file { open read };
-allow rmt_storage self:capability dac_override;
-
 allow rmt_storage fsg_file:dir search;
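Review bot: `+allow radio vendor_file:file { getattr open read };` in the radio.te hunk grants the radio app domain read on the catch-all `vendor_file` label, i.e. anything under /vendor that carries no more specific type. If the need is a configuration-style file, it should carry (or be relabeled to) a narrower type such as `vendor_configs_file` and the allow scoped to that, which is also the direction the Treble coredomain-to-vendor neverallows push. Recording the motivating denial in a comment above the line would let the exact path be relabeled later instead of keeping the broad rule.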
diff --git a/sepolicy/vendor/surfaceflinger.te b/sepolicy/vendor/surfaceflinger.te
index 9abdfd8..18fd98a 100644
--- a/sepolicy/vendor/surfaceflinger.te
+++ b/sepolicy/vendor/surfaceflinger.te
@@ -1,7 +1,5 @@
 get_prop(surfaceflinger, diag_prop);
 allow surfaceflinger perfd_data_file:sock_file write;
-allow surfaceflinger perfd_data_file:dir search;
-# allow surfaceflinger perfd:unix_stream_socket connectto;
 allow surfaceflinger diag_device:chr_file { read write };
 binder_call(surfaceflinger, hwservicemanager)
diff --git a/sepolicy/vendor/system_app.te b/sepolicy/vendor/system_app.te
index fac1f83..c20db5a 100644
--- a/sepolicy/vendor/system_app.te
+++ b/sepolicy/vendor/system_app.te
@@ -6,7 +6,6 @@ allow system_app sysfs_graphics:dir search;
 allow system_app proc_touchpanel:file rw_file_perms;
 allow system_app sysfs_fpc:file rw_file_perms;
 allow system_app fuse_device:filesystem getattr;
-# allow system_app time_daemon:unix_stream_socket connectto;
 allow system_app init:unix_stream_socket { read write };
 allow system_app sysfs_homebutton:file write;
@@ -16,3 +15,8 @@ binder_call(system_app, qtitetherservice_service);
 binder_call(system_app, wificond);
 get_prop(system_app, spectrum_prop);
+
+allow system_app hidl_base_hwservice:hwservice_manager add;
+allow system_app sysfs_homebutton:dir search;
+allow system_app sysfs_homebutton:file { getattr open };
+
diff --git a/sepolicy/vendor/system_server.te b/sepolicy/vendor/system_server.te
index f6fc2e5..ad030e9 100644
--- a/sepolicy/vendor/system_server.te
+++ b/sepolicy/vendor/system_server.te
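Review bot: `+allow system_app hidl_base_hwservice:hwservice_manager add;` in the second system_app.te hunk lets any process in system_app register a HwBinder service under the generic IBase label instead of under the type of the interface it actually publishes. If a particular system app does export a HIDL interface, declare a dedicated hwservice type, map the interface name to it in hwservice_contexts and grant `add_hwservice(system_app, <that_type>)`; a blanket add on hidl_base_hwservice is exactly what the AOSP hwservice neverallows exist to catch and should at least be checked against them before this lands. The extra `+` blank line appended at end of file in the same hunk is also unnecessary.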
@@ -2,17 +2,17 @@ binder_call(system_server, rild);
 allow system_server sysfs_homebutton:file rw_file_perms;
 allow system_server sysfs_homebutton:dir r_dir_perms;
-allow system_server persist_file:dir create_dir_perms;
-allow system_server persist_file:file create_file_perms;
 allow system_server rild:binder transfer;
 allow system_server sysfs_capsense:dir search;
 allow system_server sysfs_capsense:file rw_file_perms;
 allow system_server init:unix_stream_socket { read };
-# allow system_server dalvikcache_data_file:file { execute };
 allow system_server qti_debugfs:file { getattr open read };
 allow system_server init:unix_stream_socket write;
 allow system_server sensors_device:chr_file { ioctl open read };
-allow system_server vendor_file:file { getattr open read execute };
+allow system_server vendor_file:file { getattr read };
+
+allow system_server sysfs:file getattr;
+allow system_server thermal_service:service_manager find;
diff --git a/sepolicy/vendor/thermal-engine.te b/sepolicy/vendor/thermal-engine.te
index 0725a71..ca164ca 100644
--- a/sepolicy/vendor/thermal-engine.te
+++ b/sepolicy/vendor/thermal-engine.te
@@ -6,4 +6,3 @@ allow thermal-engine sysfs_uio:file r_file_perms;
 allow thermal-engine sysfs_uio:dir { read open search };
 allow thermal-engine sysfs_uio:lnk_file { read };
 allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
-allow thermal-engine sysfs_vadc_dev:dir rw_dir_perms;
diff --git a/sepolicy/vendor/toolbox.te b/sepolicy/vendor/toolbox.te
index 1259396..2371116 100644
--- a/sepolicy/vendor/toolbox.te
+++ b/sepolicy/vendor/toolbox.te
@@ -1,14 +1,7 @@
 set_prop(toolbox, diag_prop);
 set_prop(toolbox, hw_rev_prop);
 set_prop(toolbox, touch_prop);
-allow toolbox init:fifo_file { write getattr };
+allow toolbox init:fifo_file { write getattr read ioctl };
-allow toolbox self:capability { chown dac_override };
-
-allow toolbox proc:file rw_file_perms;
 allow toolbox radio_data_file:file rw_file_perms;
-allow toolbox firmware_file:file getattr;
-allow toolbox init:fifo_file ioctl;
-allow toolbox sysfs:dir rw_dir_perms;
-allow toolbox sysfs:file rw_file_perms;
-allow toolbox init:fifo_file read;
+allow toolbox firmware_file:file getattr;
\ No newline at end of file
diff --git a/sepolicy/vendor/untrusted_app.te b/sepolicy/vendor/untrusted_app.te
index 1d5eb60..73ca783 100644
--- a/sepolicy/vendor/untrusted_app.te
+++ b/sepolicy/vendor/untrusted_app.te
@@ -3,10 +3,5 @@ get_prop(untrusted_app_25, camera_prop);
 allow untrusted_app sysfs_zram:dir { search read };
 allow untrusted_app sysfs_zram:file { open read getattr };
-get_prop(untrusted_app, net_dns_prop);
-
 allow untrusted_app firmware_file:dir read;
 allow untrusted_app fsg_file:dir read;
-allow untrusted_app net_dns_prop:file read;
-allow untrusted_app persist_file:dir getattr;
-allow untrusted_app persist_file:filesystem getattr;
diff --git a/sepolicy/vendor/untrusted_app_25.te b/sepolicy/vendor/untrusted_app_25.te
index 3ced74b..7b6135d 100644
--- a/sepolicy/vendor/untrusted_app_25.te
+++ b/sepolicy/vendor/untrusted_app_25.te
@@ -4,6 +4,9 @@
 allow untrusted_app_25 init:unix_stream_socket { read write };
-allow untrusted_app_25 proc_stat:file read;
 allow untrusted_app_25 self:udp_socket ioctl;
 allow untrusted_app_25 vold_exec:file read;
+
+allow untrusted_app_25 device:dir read;
+allow untrusted_app_25 rootfs:dir { open read };
+allow untrusted_app_25 unlabeled:dir getattr;
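Review bot: the rewritten last line of toolbox.te, `+allow toolbox firmware_file:file getattr;`, now ends the file without a terminating newline (`\ No newline at end of file`); please add it so the next append does not produce a spurious one-line rewrite in the diff. Folding the three `init:fifo_file` rules into `{ write getattr read ioctl }` and dropping `chown dac_override` plus the generic `sysfs`/`proc` write rules is a sound cleanup and needs no further change.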
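Review bot: `+allow untrusted_app_25 unlabeled:dir getattr;` together with `+allow untrusted_app_25 device:dir read;` and `+allow untrusted_app_25 rootfs:dir { open read };` lets legacy-target untrusted apps enumerate /dev and the root directory and stat unlabeled directories; an `unlabeled` denial almost always means a path is missing from file_contexts, and the fix is to label that path, not to open `unlabeled` to untrusted apps. The /dev and rootfs listing rules widen what untrusted apps can learn about the device and should be backed by the specific denial in a comment and checked against AOSP's untrusted-app neverallows before being kept.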