Adding allow rules and file contexts to handle denials.

Added lines address following denials:
denied { search } for pid=1184 comm="thermal-engine" name="uio"
dev="sysfs" ino=38350 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=dir

denied { open } for pid=1184 comm="thermal-engine" path="/sys/class/uio"
dev="sysfs" ino=38350 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=dir

denied { read } for pid=1184 comm="thermal-engine" name="uio"
dev="sysfs" ino=38350 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=dir

denied { write } for pid=977 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

denied { ioctl } for pid=778 comm="port-bridge" path="/dev/at_mdm0"
dev="tmpfs" ino=22203 ioctlcmd=c300 scontext=u:r:port-bridge:s0
tcontext=u:object_r:at_device:s0 tclass=chr_file

denied { open } for pid=689 comm="Binder:669_1"
path="/firmware/image/modem.b13" dev="sda7" ino=51
scontext=u:r:per_mgr:s0 tcontext=u:object_r:firmware_file:s0 tclass=file

denied { read } for pid=689 comm="Binder:669_1" name="modem.b13"
dev="sda7" ino=51 scontext=u:r:per_mgr:s0
tcontext=u:object_r:firmware_file:s0 tclass=file

denied { read } for pid=670 comm="sensors.qcom" name="subsys0"
dev="sysfs" ino=33249 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file

denied { open } for pid=670 comm="sensors.qcom"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16197
scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir

denied { read } for pid=670 comm="sensors.qcom" name="devices"
dev="sysfs" ino=16197 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=670 comm="sensors.qcom" name="msm_subsys"
dev="sysfs" ino=16195 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { setpcap } for pid=673 comm="tftp_server" capability=8
scontext=u:r:rfs_access:s0 tcontext=u:r:rfs_access:s0 tclass=capability

denied { read } for pid=669 comm="pm-service" name="subsys0" dev="sysfs"
ino=33249 scontext=u:r:per_mgr:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=lnk_file

denied { open } for pid=669 comm="pm-service"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16197
scontext=u:r:per_mgr:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir

denied { read } for pid=669 comm="pm-service" name="devices" dev="sysfs"
ino=16197 scontext=u:r:per_mgr:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=669 comm="pm-service" name="msm_subsys"
dev="sysfs" ino=16195 scontext=u:r:per_mgr:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { net_bind_service } for pid=688 comm="pm-service" capability=10
scontext=u:r:per_mgr:s0 tcontext=u:r:per_mgr:s0 tclass=capability

denied { search } for pid=918 comm="loc_launcher" name="mq" dev="sda43"
ino=622663 scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir

denied { write } for pid=918 comm="loc_launcher" name="mq" dev="sda43"
ino=622663 scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=dir

denied { add_name } for pid=918 comm="loc_launcher" name="location-mq-s"
scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0
tclass=dir

denied { create } for pid=918 comm="loc_launcher" name="location-mq-s"
scontext=u:r:location:s0 tcontext=u:object_r:location_data_file:s0
tclass=sock_file

denied { setattr } for pid=918 comm="loc_launcher" name="location-mq-s"
dev="sda43" ino=622681 scontext=u:r:location:s0
tcontext=u:object_r:location_data_file:s0 tclass=sock_file

denied { read } for pid=680 comm="android.hardwar" name="u:obj
ect_r:keymaster_prop:s0" dev="tmpfs" ino=22587
scontext=u:r:hal_gatekeeper_default:s0 tcontext=u:object_r:keymaster_
prop:s0 tclass=file

denied { read } for pid=654 comm="sensors.qcom" name="name" dev="sysfs"
ino=33243 scontext=u:r:sensors:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { open } for pid=654 comm="sensors.qcom"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33243 scontext=u:r:sensors:s0 tcontext=u:object_r:sys
fs:s0 tclass=file

denied  { mounton } for  pid=560 comm="init" path="/firmware"
dev="sda21" ino=25 scontext=u:r:init:s0
tcontext=u:object_r:firmware_file:s0 tclass=dir

denied { read } for pid=766 comm="gatekeeperd"
name="u:object_r:keymaster_prop:s0" dev="tmpfs" ino=22203
scontext=u:r:gatekeeperd:s0 tcontext=u:object_r:keymaster_prop:s0
tclass=file

denied { search } for pid=1156 comm="rild" name="netmgr" dev="tmpfs"
ino=22676 scontext=u:r:rild:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=dir

denied { search } for pid=1156 comm="rild" name="netmgr" dev="tmpfs"
ino=22704 scontext=u:r:rild:s0 tcontext=u:object_r:netmgrd_socket:s0
tclass=dir

denied { open } for pid=795 comm="gatekeeperd"
path="/dev/__properties__/u:object_r:keymaster_prop:s0" dev="tmpfs"
ino=18420 scontext=u:r:gatekeeperd:s0
tcontext=u:object_r:keymaster_prop:s0 tclass=file

denied  { write } for  pid=549 comm="ueventd" name="uevent" dev="sysfs"
ino=17842 scontext=u:r:ueventd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { open } for pid=661 comm="sensors.qcom"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33243 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=661 comm="sensors.qcom" name="name" dev="sysfs"
ino=33243 scontext=u:r:sensors:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { read } for pid=732 comm="netmgrd" name="name" dev="sysfs"
ino=33243 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { open } for pid=732 comm="netmgrd"
path="/sys/devices/soc/soc:qcom,ipa_fws@1e08000/subsys0/name"
dev="sysfs" ino=33243 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=file

denied { open } for pid=732 comm="netmgrd"
path="/sys/devices/soc/cce0000.qcom,venus/subsys1/name" dev="sysfs"
ino=33290 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { create } for pid=732 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

denied { bind } for pid=732 comm="netmgrd" scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=netlink_generic_socket

Bug: 34784662
Test: The above denials are no longer present during boot
Change-Id: I6bccebf51e4b9e6cefda6bbe2331d7216632d1e3

sepolicy/file_contexts

@@ -49,6 +49,8 @@
 /sys/class/uio(/.*)?                                                u:object_r:sysfs_uio:s0
 /sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
 /sys/devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pmi8998@3:qcom,leds@d000/leds(/.*)? u:object_r:sysfs_leds:s0
+/sys/devices/soc/soc:qcom,ipa_fws@1e08000(/.*)?                     u:object_r:sysfs_msm_subsys:s0
+/sys/devices/soc/cce0000\.qcom,venus(/.*)?                          u:object_r:sysfs_msm_subsys:s0
 /sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)?                      u:object_r:sysfs_rmtfs:s0
 /sys/devices/soc/soc:fp_fpc1020(/.*)?                               u:object_r:sysfs_fingerprint:s0
 /sys/devices/virtual/thermal(/.*)?                                  u:object_r:sysfs_thermal:s0

sepolicy/gatekeeperd.te

@@ -0,0 +1 @@
+set_prop(gatekeeperd, keymaster_prop)

sepolicy/hal_gatekeeper.te

@@ -0,0 +1 @@
+set_prop(hal_gatekeeper, keymaster_prop)

sepolicy/init.te

@@ -3,7 +3,7 @@ allow init tmpfs:lnk_file create;
 
 allow init self:capability sys_module;
 allow init system_file:system module_load;
-
+allow init firmware_file:dir mounton;
 allow init configfs:file w_file_perms;
 allow init tty_device:chr_file rw_file_perms;
 

sepolicy/location.te

@@ -14,7 +14,8 @@ allow location self:capability { setgid setuid };
 
 allow location proc_net:file r_file_perms;
 allow location location_data_file:file w_file_perms;
-allow location location_data_file:sock_file w_file_perms;
+allow location location_data_file:dir w_dir_perms;
+allow location location_data_file:sock_file create_file_perms;
 
 allow location self:netlink_route_socket create_socket_perms_no_ioctl;
 allow location self:udp_socket create_socket_perms;

sepolicy/netmgrd.te

@@ -11,6 +11,7 @@ unix_socket_connect(netmgrd, netd, netd)
 
 allow netmgrd netmgrd_socket:dir w_dir_perms;
 allow netmgrd netmgrd_socket:sock_file { create setattr };
+allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
 allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
 allow netmgrd self:socket create_socket_perms;
 allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
@@ -18,11 +19,11 @@ allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
 
 allow netmgrd sysfs_net:file rw_file_perms;
 allow netmgrd sysfs_net:dir r_dir_perms;
-allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd sysfs_soc:file r_file_perms;
 allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
+allow netmgrd sysfs_msm_subsys:file r_file_perms;
 
-allow netmgrd proc_net:file w_file_perms;
+allow netmgrd proc_net:file rw_file_perms;
 allow netmgrd net_data_file:dir r_dir_perms;
 allow netmgrd netmgr_data_file:file rw_file_perms;
 allow netmgrd system_file:file execute_no_trans;

sepolicy/per_mgr.te

@@ -9,6 +9,13 @@ add_service(per_mgr, per_mgr_service)
 binder_use(per_mgr)
 binder_call(per_mgr, per_proxy)
 
+allow per_mgr self:capability net_bind_service;
+
+allow per_mgr firmware_file:file r_file_perms;
+allow per_mgr firmware_file:dir search;
+allow per_mgr sysfs_msm_subsys:lnk_file r_file_perms;
+allow per_mgr sysfs_msm_subsys:dir r_dir_perms;
+
 allow per_mgr self:socket create_socket_perms;
 allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
 allow per_mgr ssr_device:chr_file { open read };

sepolicy/port-bridge.te

@@ -3,6 +3,8 @@ type port-bridge_exec, exec_type, file_type;
 
 init_daemon_domain(port-bridge)
 
+allowxperm port-bridge at_device:chr_file ioctl IPC_ROUTER_IOCTL_GET_VERSION;
+
 userdebug_or_eng(`
 permissive port-bridge;
 ')

sepolicy/rfs_access.te

@@ -6,7 +6,7 @@ init_daemon_domain(rfs_access)
 allow rfs_access persist_file:file rw_file_perms;
 allow rfs_access persist_file:dir { getattr setattr remove_name add_name search };
 
-allow rfs_access self:capability { chown };
+allow rfs_access self:capability { chown setpcap };
 allow rfs_access self:capability2 { block_suspend };
 
 allow rfs_access self:socket create_socket_perms_no_ioctl;

sepolicy/sensors.te

@@ -6,6 +6,8 @@ init_daemon_domain(sensors)
 
 allow sensors self:socket rw_socket_perms_no_ioctl;
 
+r_dir_file(sensors, sysfs_msm_subsys)
+
 userdebug_or_eng(`
 permissive sensors;
 ')

sepolicy/thermal-engine.te

@@ -9,6 +9,7 @@ allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
 allow thermal-engine sysfs_rmtfs:file r_file_perms;
 allow thermal-engine sysfs_uio:lnk_file r_file_perms;
+allow thermal-engine sysfs_uio:dir r_dir_perms;
 
 allow thermal-engine self:socket create_socket_perms;
 allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;

sepolicy/ueventd.te

@@ -5,3 +5,4 @@ allow ueventd sysfs_fingerprint:file w_file_perms;
 allow ueventd sysfs_rmtfs:file w_file_perms;
 allow ueventd sysfs_soc:file w_file_perms;
 allow ueventd sysfs_net:file w_file_perms;
+allow ueventd sysfs_msm_subsys:file w_file_perms;