From 29834799301bab89c2570461fb7f93ac03501cfd Mon Sep 17 00:00:00 2001 
From: sreeshankark Date: Fri, 27 Oct 2023 19:07:45 +0530 Subject: [PATCH] sepolicy: qti: Fix many denials avc: denied { sys_admin } for capability=21 scontext=u:r:hal_bootctl_default:s0 tcontext=u:r:hal_bootctl_default:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:fsverity_init:s0 tcontext=u:r:fsverity_init:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_modprobe:s0 tcontext=u:r:vendor_modprobe:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_boringssl_self_test:s0 tcontext=u:r:vendor_boringssl_self_test:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:netutils_wrapper:s0 tcontext=u:r:netutils_wrapper:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_msm_irqbalanced:s0 tcontext=u:r:vendor_msm_irqbalanced:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vold_prepare_subdirs:s0 tcontext=u:r:vold_prepare_subdirs:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:art_boot:s0 tcontext=u:r:art_boot:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:otapreopt_slot:s0 tcontext=u:r:otapreopt_slot:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:remount:s0 tcontext=u:r:remount:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:update_verifier:s0 tcontext=u:r:update_verifier:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_rfs_access:s0 tcontext=u:r:vendor_rfs_access:s0 tclass=capability avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_hal_usb_qti:s0 tcontext=u:r:vendor_hal_usb_qti:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 
scontext=u:r:vendor_irsc_util:s0 tcontext=u:r:vendor_irsc_util:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_hal_perf_default:s0 tcontext=u:r:vendor_hal_perf_default:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_rmt_storage:s0 tcontext=u:r:vendor_rmt_storage:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:profcollectd:s0 tcontext=u:r:profcollectd:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:adbd:s0 tcontext=u:r:adbd:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_netmgrd:s0 tcontext=u:r:vendor_netmgrd:s0 tclass=capability permissive=0 avc: denied { sys_admin } for capability=21 scontext=u:r:vendor_dpmd:s0 tcontext=u:r:vendor_dpmd:s0 tclass=capability permissive=0 --- sepolicy/qti/private/art_boot.te | 1 + sepolicy/qti/private/fsverity_init.te | 1 + sepolicy/qti/private/otapreopt_slot.te | 1 + sepolicy/qti/private/profcollectd.te | 1 + sepolicy/qti/private/remount.te | 1 + sepolicy/qti/private/update_verifier.te | 1 + sepolicy/qti/private/vendor_boringssl_self_test.te | 1 + sepolicy/qti/public/adbd.te | 1 + sepolicy/qti/public/netutils_wrapper.te | 1 + sepolicy/qti/public/vendor_dpmd.te | 1 + sepolicy/qti/public/vold_prepare_subdirs.te | 1 + sepolicy/qti/vendor/hal_bootctl_default.te | 1 + sepolicy/qti/vendor/vendor_hal_perf_default.te | 2 ++ sepolicy/qti/vendor/vendor_hal_usb_qti.te | 1 + sepolicy/qti/vendor/vendor_irsc_util.te | 1 + sepolicy/qti/vendor/vendor_modprobe.te | 1 + sepolicy/qti/vendor/vendor_msm_irqbalanced.te | 1 + sepolicy/qti/vendor/vendor_netmgrd.te | 1 + sepolicy/qti/vendor/vendor_rfs_access.te | 1 + sepolicy/qti/vendor/vendor_rmt_storage.te | 2 ++ 20 files changed, 22 insertions(+) create mode 100644 sepolicy/qti/private/art_boot.te create mode 100644 sepolicy/qti/private/fsverity_init.te create mode 100644 
sepolicy/qti/private/otapreopt_slot.te create mode 100644 sepolicy/qti/private/profcollectd.te create mode 100644 sepolicy/qti/private/remount.te create mode 100644 sepolicy/qti/private/update_verifier.te create mode 100644 sepolicy/qti/private/vendor_boringssl_self_test.te create mode 100644 sepolicy/qti/public/adbd.te create mode 100644 sepolicy/qti/public/netutils_wrapper.te create mode 100644 sepolicy/qti/public/vendor_dpmd.te create mode 100644 sepolicy/qti/public/vold_prepare_subdirs.te create mode 100644 sepolicy/qti/vendor/hal_bootctl_default.te create mode 100644 sepolicy/qti/vendor/vendor_hal_usb_qti.te create mode 100644 sepolicy/qti/vendor/vendor_irsc_util.te create mode 100644 sepolicy/qti/vendor/vendor_modprobe.te create mode 100644 sepolicy/qti/vendor/vendor_msm_irqbalanced.te create mode 100644 sepolicy/qti/vendor/vendor_netmgrd.te create mode 100644 sepolicy/qti/vendor/vendor_rfs_access.te
diff --git a/sepolicy/qti/private/art_boot.te b/sepolicy/qti/private/art_boot.te
new file mode 100644
index 0000000..493fa34
--- /dev/null
+++ b/sepolicy/qti/private/art_boot.te
@@ -0,0 +1 @@
+allow art_boot self:capability sys_admin;
diff --git a/sepolicy/qti/private/fsverity_init.te b/sepolicy/qti/private/fsverity_init.te
new file mode 100644
index 0000000..2f91e0a
--- /dev/null
+++ b/sepolicy/qti/private/fsverity_init.te
@@ -0,0 +1 @@
+allow fsverity_init self:capability sys_admin;
diff --git a/sepolicy/qti/private/otapreopt_slot.te b/sepolicy/qti/private/otapreopt_slot.te
new file mode 100644
index 0000000..3acbaf0
--- /dev/null
+++ b/sepolicy/qti/private/otapreopt_slot.te
@@ -0,0 +1 @@
+allow otapreopt_slot self:capability sys_admin;
diff --git a/sepolicy/qti/private/profcollectd.te b/sepolicy/qti/private/profcollectd.te
new file mode 100644
index 0000000..e1c920e
--- /dev/null
+++ b/sepolicy/qti/private/profcollectd.te
@@ -0,0 +1 @@
+allow profcollectd self:capability sys_admin;
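Review bot: `+allow art_boot self:capability sys_admin;` grants the broadest capability Linux has, and the same one-line grant is repeated in the hunks for fsverity_init, otapreopt_slot, profcollectd, remount, update_verifier, vendor_boringssl_self_test, adbd, vendor_dpmd, vold_prepare_subdirs, hal_bootctl_default, vendor_hal_perf_default, vendor_hal_usb_qti, vendor_irsc_util, vendor_modprobe, vendor_msm_irqbalanced, vendor_netmgrd, vendor_rfs_access and vendor_rmt_storage, without any of the twenty files saying which operation needs it. Twenty unrelated domains all tripping `capability=21` at the same time looks more like one shared trigger (a kernel or libc change, presumably) than twenty genuine requirements, so the syscall behind the denial should be identified from the kernel audit record before anything is granted. The netutils_wrapper hunk already takes the `dontaudit netutils_wrapper self:capability sys_admin;` form, which shows that at least one of these domains works without the capability; that form, not `allow`, is the right default for every domain where no concrete failure has been demonstrated. Where a domain does need it, the rule should carry a comment naming the operation, e.g. `# CAP_SYS_ADMIN: needed for <operation, TODO confirm>`, so the grant can be revisited later. adbd, art_boot, remount, update_verifier and fsverity_init are AOSP core domains, so these additions should also be checked against the platform neverallow rules when the policy is compiled.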
diff --git a/sepolicy/qti/private/remount.te b/sepolicy/qti/private/remount.te
new file mode 100644
index 0000000..910bcaa
--- /dev/null
+++ b/sepolicy/qti/private/remount.te
@@ -0,0 +1 @@
+allow remount self:capability sys_admin;
diff --git a/sepolicy/qti/private/update_verifier.te b/sepolicy/qti/private/update_verifier.te
new file mode 100644
index 0000000..a0da084
--- /dev/null
+++ b/sepolicy/qti/private/update_verifier.te
@@ -0,0 +1 @@
+allow update_verifier self:capability sys_admin;
diff --git a/sepolicy/qti/private/vendor_boringssl_self_test.te b/sepolicy/qti/private/vendor_boringssl_self_test.te
new file mode 100644
index 0000000..20b2810
--- /dev/null
+++ b/sepolicy/qti/private/vendor_boringssl_self_test.te
@@ -0,0 +1 @@
+allow vendor_boringssl_self_test self:capability sys_admin;
diff --git a/sepolicy/qti/public/adbd.te b/sepolicy/qti/public/adbd.te
new file mode 100644
index 0000000..83efdb9
--- /dev/null
+++ b/sepolicy/qti/public/adbd.te
@@ -0,0 +1 @@
+allow adbd self:capability sys_admin;
diff --git a/sepolicy/qti/public/netutils_wrapper.te b/sepolicy/qti/public/netutils_wrapper.te
new file mode 100644
index 0000000..98c6143
--- /dev/null
+++ b/sepolicy/qti/public/netutils_wrapper.te
@@ -0,0 +1 @@
+dontaudit netutils_wrapper self:capability sys_admin;
diff --git a/sepolicy/qti/public/vendor_dpmd.te b/sepolicy/qti/public/vendor_dpmd.te
new file mode 100644
index 0000000..e4722fb
--- /dev/null
+++ b/sepolicy/qti/public/vendor_dpmd.te
@@ -0,0 +1 @@
+allow vendor_dpmd self:capability sys_admin;
diff --git a/sepolicy/qti/public/vold_prepare_subdirs.te b/sepolicy/qti/public/vold_prepare_subdirs.te
new file mode 100644
index 0000000..41e98fe
--- /dev/null
+++ b/sepolicy/qti/public/vold_prepare_subdirs.te
@@ -0,0 +1 @@
+allow vold_prepare_subdirs self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/hal_bootctl_default.te b/sepolicy/qti/vendor/hal_bootctl_default.te
new file mode 100644
index 0000000..d2e1f75
--- /dev/null
+++ b/sepolicy/qti/vendor/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_hal_perf_default.te b/sepolicy/qti/vendor/vendor_hal_perf_default.te
index ace5118..50859b4 100644
--- a/sepolicy/qti/vendor/vendor_hal_perf_default.te
+++ b/sepolicy/qti/vendor/vendor_hal_perf_default.te
@@ -1 +1,3 @@
+allow vendor_hal_perf_default self:capability sys_admin;
+
 r_dir_file(vendor_hal_perf_default, vendor_sysfs_usb_supply)
diff --git a/sepolicy/qti/vendor/vendor_hal_usb_qti.te b/sepolicy/qti/vendor/vendor_hal_usb_qti.te
new file mode 100644
index 0000000..7199450
--- /dev/null
+++ b/sepolicy/qti/vendor/vendor_hal_usb_qti.te
@@ -0,0 +1 @@
+allow vendor_hal_usb_qti self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_irsc_util.te b/sepolicy/qti/vendor/vendor_irsc_util.te
new file mode 100644
index 0000000..9aaccae
--- /dev/null
+++ b/sepolicy/qti/vendor/vendor_irsc_util.te
@@ -0,0 +1 @@
+allow vendor_irsc_util self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_modprobe.te b/sepolicy/qti/vendor/vendor_modprobe.te
new file mode 100644
index 0000000..3f3c5c4
--- /dev/null
+++ b/sepolicy/qti/vendor/vendor_modprobe.te
@@ -0,0 +1 @@
+allow vendor_modprobe self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_msm_irqbalanced.te b/sepolicy/qti/vendor/vendor_msm_irqbalanced.te
new file mode 100644
index 0000000..0bf0856
--- /dev/null
+++ b/sepolicy/qti/vendor/vendor_msm_irqbalanced.te
@@ -0,0 +1 @@
+allow vendor_msm_irqbalanced self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_netmgrd.te b/sepolicy/qti/vendor/vendor_netmgrd.te
new file mode 100644
index 0000000..d78fdb2
--- /dev/null
+++ b/sepolicy/qti/vendor/vendor_netmgrd.te
@@ -0,0 +1 @@
+allow vendor_netmgrd self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_rfs_access.te b/sepolicy/qti/vendor/vendor_rfs_access.te
new file mode 100644
index 0000000..523c9dd
--- /dev/null
+++ b/sepolicy/qti/vendor/vendor_rfs_access.te
@@ -0,0 +1 @@
+allow vendor_rfs_access self:capability sys_admin;
diff --git a/sepolicy/qti/vendor/vendor_rmt_storage.te b/sepolicy/qti/vendor/vendor_rmt_storage.te
index b7283d0..e0fb552 100644
--- a/sepolicy/qti/vendor/vendor_rmt_storage.te
+++ b/sepolicy/qti/vendor/vendor_rmt_storage.te
@@ -2,6 +2,8 @@ allow vendor_rmt_storage vendor_reserve_partition:blk_file rw_file_perms; allow vendor_rmt_storage sysfs:file read; +allow vendor_rmt_storage self:capability sys_admin; + get_prop(vendor_rmt_storage, vendor_radio_prop) rw_dir_file(vendor_rmt_storage, vendor_proc_engineer)