Add allow rules to handle boot and runtime denials

Denials dealt with:
denied { search } for pid=811 comm="cnd" name="soc0" dev="sysfs"
ino=49100 scontext=u:r:cnd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir

denied { fsetid } for pid=811 comm="cnd" capability=4
scontext=u:r:cnd:s0 tcontext=u:r:cnd:s0 tclass=capability

denied { chown } for pid=811 comm="cnd" capability=0 scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=capability

denied { read write } for pid=794 comm="android.hardwar" name="video3"
dev="tmpfs" ino=10129 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file

denied { open } for pid=794 comm="android.hardwar" path="/dev/video3"
dev="tmpfs" ino=10129 scontext=u:r:hal_graphics_composer_default:s0
tcontext=u:object_r:video_device:s0 tclass=chr_file

denied { sendto } for pid=811 comm="cnd" path="/dev/socket/wpa_wlan0"
scontext=u:r:cnd:s0 tcontext=u:r:hal_wifi_supplicant_default:s0
tclass=unix_dgram_socket

denied { sendto } for pid=6516 comm="wpa_supplicant"
path="/data/misc/wifi/sockets/wpa_ctrl_811-1"
scontext=u:r:hal_wifi_supplicant_default:s0 tcontext=u:r:cnd:s0
tclass=unix_dgram_socket

denied { ioctl } for pid=811 comm="cnd" path="socket:[108403]"
dev="sockfs" ino=108403 ioctlcmd=8921 scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=udp_socket

denied { create } for pid=811 comm="cnd" scontext=u:r:cnd:s0
tcontext=u:r:cnd:s0 tclass=udp_socket

denied { create } for pid=811 comm="cnd" name="wpa_ctrl_811-1"
scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0 tclass=sock_file

denied { add_name } for pid=811 comm="cnd" name="wpa_ctrl_811-1"
scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0 tclass=dir

denied { write } for pid=811 comm="cnd" name="sockets" dev="sda45"
ino=638992 scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0
tclass=dir

denied { search } for pid=811 comm="cnd" name="sockets" dev="sda45"
ino=638992 scontext=u:r:cnd:s0 tcontext=u:object_r:wpa_socket:s0
tclass=dir

denied { search } for pid=811 comm="cnd" name="wifi" dev="sda45"
ino=638991 scontext=u:r:cnd:s0 tcontext=u:object_r:wifi_data_file:s0
tclass=dir

denied { write } for pid=1551 comm="HwBinder:790_1" name="perfd"
dev="tmpfs" ino=23062 scontext=u:r:hal_camera_default:s0
tcontext=u:object_r:perfd_socket:s0 tclass=sock_file

denied { write } for pid=810 comm="imsqmidaemon" name="property_service"
dev="tmpfs" ino=18259 scontext=u:r:ims:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file

denied { connectto } for pid=810 comm="imsqmidaemon"
path="/dev/socket/property_service" scontext=u:r:ims:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket

denied { set } for property=sys.ims.QMI_DAEMON_STATUS pid=810 uid=1000
gid=1001 scontext=u:r:ims:s0 tcontext=u:object_r:system_prop:s0
tclass=property_service

denied { ioctl } for pid=1114 comm="lowi-server" path="socket:[25101]"
dev="sockfs" ino=25101 ioctlcmd=8927 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_socket

denied { ioctl } for pid=1114 comm="lowi-server" path="socket:[25101]"
dev="sockfs" ino=25101 ioctlcmd=8be5 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=udp_socket

denied { ioctl } for pid=6504 comm="lowi-server" path="socket:[90743]"
dev="sockfs" ino=90743 ioctlcmd=c304 scontext=u:r:location:s0
tcontext=u:r:location:s0 tclass=socket

denied { search } for pid=812 comm="netmgrd" name="soc0" dev="sysfs"
ino=49100 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=dir

denied { read } for pid=3684 comm="csbootstraputil"
name="u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file

denied { open } for pid=3684 comm="csbootstraputil"
path="/dev/__properties__/u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file

denied { getattr } for pid=3684 comm="csbootstraputil"
path="/dev/__properties__/u:object_r:ims_prop:s0" dev="tmpfs" ino=10082
scontext=u:r:radio:s0 tcontext=u:object_r:ims_prop:s0 tclass=file

denied { write } for pid=669 comm="ramdump" name="property_service"
dev="tmpfs" ino=18259 scontext=u:r:ramdump:s0
tcontext=u:object_r:property_socket:s0 tclass=sock_file

denied { connectto } for pid=669 comm="ramdump"
path="/dev/socket/property_service" scontext=u:r:ramdump:s0
tcontext=u:r:init:s0 tclass=unix_stream_socket

denied { set } for property=debug.htc.hrdump pid=669 uid=0 gid=0
scontext=u:r:ramdump:s0 tcontext=u:object_r:debug_prop:s0
tclass=property_service

denied { setattr } for pid=688 comm="tftp_server" name="rfs" dev="sdd3"
ino=17 scontext=u:r:rfs_access:s0 tcontext=u:object_r:persist_file:s0
tclass=dir

denied { search } for pid=931 comm="thermal-engine"
name="0.qcom,rmtfs_sharedmem" dev="sysfs" ino=18392
scontext=u:r:thermal-engine:s0 tcontext=u:object_r:sysfs_rmtfs:s0
tclass=dir

Bug: 34784662
Test: The above denials are no longer present
Change-Id: I6977fc0bf94bc68cdbc081ca7771ff6c91cc9805
Max Bires
2017-03-24 15:38:16 -07:00
parent 626d542203
commit 6dd9019412
11 changed files with 37 additions and 13 deletions


@@ -3,14 +3,23 @@ type cnd_exec, exec_type, file_type;
file_type_auto_trans(cnd, socket_device, cnd_socket);
allow cnd self:capability { setgid setuid };
allow cnd self:capability { chown fsetid setgid setuid };
allow cnd self:udp_socket create_socket_perms;
allowxperm cnd self:udp_socket ioctl SIOCGIFMTU;
allow cnd wpa_socket:dir w_dir_perms;
allow cnd wpa_socket:sock_file create_file_perms;
allow cnd sysfs_soc:dir search;
allow cnd sysfs_soc:file r_file_perms;
allow cnd proc_meminfo:file r_file_perms;
r_dir_file(cnd, sysfs_msm_subsys)
allow cnd self:socket create_socket_perms;
allowxperm cnd self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
init_daemon_domain(cnd)
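Review bot: `allow cnd self:capability { chown fsetid setgid setuid };` adds CAP_CHOWN and CAP_FSETID to cnd on the strength of two capability denials that name no file, so it is not visible from the hunk or the message what cnd chowns; a comment naming the object, e.g. `# cnd chowns the control socket it creates under wpa_socket (TODO: confirm target)`, would let a later reader judge whether the grant is still needed, and if the chown is best-effort that cnd tolerates failing, a `dontaudit` is the tighter choice. The rendered section shows 15 of the 23 new-side lines the `@@ -3,14 +3,23 @@` header announces, and the `wifi_data_file:dir search` and `unix_dgram_socket sendto` rules the listed wpa_ctrl denials call for are not among them; presumably they sit in the collapsed part, but that should be checked before relying on the "denials no longer present" test.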


@@ -12,6 +12,8 @@ allow hal_camera self:capability sys_nice;
allow hal_camera gpu_device:chr_file rw_file_perms;
allow hal_camera perfd_socket:sock_file w_file_perms;
# access to /dev/input/event{5,10}
allow hal_camera input_device:dir r_dir_perms;
allow hal_camera input_device:chr_file r_file_perms;
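Review bot: `allow hal_camera perfd_socket:sock_file w_file_perms;` covers only the sock_file write from the listed denial; if perfd serves a stream socket, the `connectto` on the serving domain is audited only after this write succeeds, so the "denials no longer present" test may not have reached it. If a `perfd` domain exists in this policy, `unix_socket_connect(hal_camera, perfd, perfd)` expresses the intent in one line and grants both halves. Either way a short comment such as `# hal_camera talks to perfd over its socket in /dev/socket` would document the rule the way the `# access to /dev/input/event{5,10}` line below it does.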


@@ -4,6 +4,8 @@ type ims_exec, exec_type, file_type;
init_daemon_domain(ims)
net_domain(ims)
set_prop(ims, ims_prop)
allow ims sysfs_soc:dir search;
allow ims sysfs_soc:file r_file_perms;
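Review bot: The two `sysfs_soc` rules for ims (`allow ims sysfs_soc:dir search;` and `allow ims sysfs_soc:file r_file_perms;`) do not correspond to any denial in the commit message, which lists only the property_socket/property_service denials for ims; if they are new rather than context lines, the denial, or a comment saying what ims reads under the `soc0` sysfs node, should be added so the grant stays traceable. `set_prop(ims, ims_prop)` together with the new `sys.ims.` property context correctly avoids giving ims write access to `system_prop`, which is what the denial was asking for.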


@@ -22,7 +22,9 @@ allow location self:netlink_generic_socket create_socket_perms_no_ioctl;
allow location self:netlink_socket create_socket_perms_no_ioctl;
allow location self:socket create_socket_perms;
allow location self:udp_socket create_socket_perms;
allowxperm location self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;
allow location self:udp_socket create_socket_perms;
allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };
allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
# files in /sys
r_dir_file(location, sysfs_type)
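Review bot: In `allowxperm location self:udp_socket ioctl { SIOCGIFHWADDR SIOCIWFIRSTPRIV_05 };` the second name is a driver-private wireless-extension ioctl (the listed `ioctlcmd=8be5` is SIOCIWFIRSTPRIV + 5), so what it does is defined by the WLAN driver rather than the kernel ABI; a comment naming the driver command lowi-server issues, e.g. `# SIOCIWFIRSTPRIV_05: private WEXT ioctl used by lowi-server (TODO: name the driver command)`, makes the grant reviewable later. Replacing `allowxperm location self:socket ioctl IPC_ROUTER_IOCTL_LOOKUP_SERVER;` with `msm_sock_ipc_ioctls` widens the socket ioctl set beyond the single `c304` command in the denial; the set's contents are not on this page, so whether it is wider than needed cannot be judged here. The two identical `allow location self:udp_socket create_socket_perms;` lines are presumably the old and new position of one moved rule.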


@@ -19,8 +19,9 @@ allow netmgrd self:socket create_socket_perms;
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow netmgrd sysfs_net:file rw_file_perms;
allow netmgrd sysfs_net:dir r_dir_perms;
allow netmgrd sysfs_net:file rw_file_perms;
allow netmgrd sysfs_soc:dir search;
allow netmgrd sysfs_soc:file r_file_perms;
allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
allow netmgrd sysfs_msm_subsys:file r_file_perms;


@@ -1,5 +1,7 @@
type wc_prop, property_type;
type camera_prop, property_type;
type ims_prop, property_type;
type keymaster_prop, property_type;
type ramdump_prop, property_type;
type ssr_prop, property_type;
type tee_listener_prop, property_type;
type keymaster_prop, property_type;
type wc_prop, property_type;


@@ -1,6 +1,8 @@
wc_transport. u:object_r:wc_prop:s0
persist.camera. u:object_r:camera_prop:s0
persist.net.doxlat u:object_r:net_radio_prop:s0
sys.listeners.registered u:object_r:tee_listener_prop:s0
sys.ims. u:object_r:ims_prop:s0
sys.keymaster.loaded u:object_r:keymaster_prop:s0
persist.net.doxlat u:object_r:net_radio_prop:s0
debug.htc.hrdump u:object_r:ramdump_prop:s0
debug.ssrdump u:object_r:ssr_prop:s0
sys.listeners.registered u:object_r:tee_listener_prop:s0
wc_transport. u:object_r:wc_prop:s0
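Review bot: `sys.ims. u:object_r:ims_prop:s0` is a prefix entry, so every current and future `sys.ims.*` property becomes settable by ims via `set_prop(ims, ims_prop)` and readable by radio via `get_prop(radio, ims_prop)`, while the message lists a single property, `sys.ims.QMI_DAEMON_STATUS`. If that is the only one, a narrower entry `sys.ims.QMI_DAEMON_STATUS u:object_r:ims_prop:s0` limits the label to that name (longest prefix wins); if more are expected, a comment naming them would explain why the prefix form was chosen. The `debug.htc.hrdump` entry already uses the narrow form.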


@@ -1 +1,3 @@
get_prop(radio, ims_prop)
r_dir_file(radio, sysfs_msm_subsys)


@@ -4,6 +4,8 @@ userdebug_or_eng(`
type ramdump, domain;
init_daemon_domain(ramdump)
set_prop(ramdump, ramdump_prop)
allow ramdump self:capability sys_rawio;
allow ramdump sda_block_device:blk_file rw_file_perms;


@@ -9,10 +9,10 @@ allow rfs_access self:capability { chown setgid setpcap setuid net_bind_service
wakelock_use(rfs_access)
# For tftp server file access
allow rfs_access firmware_file:file r_file_perms;
allow rfs_access firmware_file:dir search;
allow rfs_access firmware_file:file r_file_perms;
allow rfs_access persist_file:dir { rw_dir_perms setattr };
allow rfs_access persist_file:file create_file_perms;
allow rfs_access persist_file:dir rw_dir_perms;
allow rfs_access self:socket create_socket_perms_no_ioctl;
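Review bot: `allow rfs_access persist_file:dir { rw_dir_perms setattr };` grants setattr on every directory labelled persist_file, whereas the listed denial is for one directory, `rfs`; if persist_file is the label of the whole persist partition, this lets tftp_server change mode, ownership and timestamps of any directory on it. If the `rfs` tree can be given its own label in file_contexts, the setattr can be confined to it; otherwise a comment tying the grant to the denial, `# tftp_server sets attributes on the rfs directory (persist_file)`, keeps the reason visible next to the existing `# For tftp server file access` line. Note that the `self:capability` line at the top of the hunk already carries chown, which is what makes an ownership change succeed once setattr is allowed.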


@@ -8,13 +8,13 @@ allow thermal-engine self:capability2 block_suspend;
# to read /sys/devices
allow thermal-engine sysfs:dir r_dir_perms;
allow thermal-engine sysfs_msm_subsys:file r_file_perms;
allow thermal-engine sysfs_msm_subsys:dir r_dir_perms;
allow thermal-engine sysfs_msm_subsys:file rw_file_perms;
allow thermal-engine sysfs_soc:dir search;
allow thermal-engine sysfs_soc:file r_file_perms;
allow thermal-engine sysfs_thermal:dir r_dir_perms;
allow thermal-engine sysfs_thermal:file rw_file_perms;
allow thermal-engine sysfs_rmtfs:dir search;
allow thermal-engine sysfs_rmtfs:file r_file_perms;
allow thermal-engine audio_device:chr_file rw_file_perms;