Adding rules and contexts to fix more denials.

Fixing the following denials:
denied { getattr } for pid=875 comm="thermal-engine"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=38372 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_rmtfs:s0 tclass=file

denied { open } for pid=875 comm="thermal-engine"
path="/sys/devices/soc/0.qcom,rmtfs_sharedmem/uio/uio0/name" dev="sysfs"
ino=38372 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_rmtfs:s0 tclass=file

denied { read } for pid=875 comm="thermal-engine" name="name"
dev="sysfs" ino=38372 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_rmtfs:s0 tclass=file

denied { read } for pid=875 comm="thermal-engine" name="uio0"
dev="sysfs" ino=38371 scontext=u:r:thermal-engine:s0
tcontext=u:object_r:sysfs_uio:s0 tclass=lnk_file

denied { block_suspend } for pid=873 comm="thermal-engine" capability=36
scontext=u:r:thermal-engine:s0 tcontext=u:r:thermal-engine:s0
tclass=capability2

denied { write } for pid=986 comm="rmt_storage"
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket

denied { read } for pid=672 comm="rmt_storage"
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket

denied { getattr } for pid=791 comm="netmgrd"
path="/sys/module/tcp_cubic/parameters/hystart_detect" dev="sysfs"
ino=25096 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { open } for pid=791 comm="netmgrd"
path="/sys/module/tcp_cubic/parameters/hystart_detect" dev="sysfs"
ino=25096 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs:s0
tclass=file

denied { write } for pid=791 comm="netmgrd" name="hystart_detect"
dev="sysfs" ino=25096 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs:s0 tclass=file

denied { ioctl } for pid=763 comm="netmgrd" path="socket:[1767]"
dev="sockfs" ino=1767 ioctlcmd=c304 scontext=u:r:netmgrd:s0
tcontext=u:r:netmgrd:s0 tclass=socket

denied { ioctl } for pid=908 comm="rild" path="socket:[25980]"
dev="sockfs" ino=25980 ioctlcmd=c304 scontext=u:r:rild:s0
tcontext=u:r:rild:s0 tclass=socket

denied { open } for pid=676 comm="servicemanager"
path="/proc/783/attr/current" dev="proc" ino=25112
scontext=u:r:servicemanager:s0 tcontext=u:r:rild:s0 tclass=file

denied { getattr } for pid=676 comm="servicemanager"
scontext=u:r:servicemanager:s0 tcontext=u:r:rild:s0 tclass=process

denied { read } for pid=676 comm="servicemanager" name="current"
dev="proc" ino=25112 scontext=u:r:servicemanager:s0 tcontext=u:r:rild:s0
tclass=file

denied { call } for pid=783 comm="rild" scontext=u:r:rild:s0
tcontext=u:r:servicemanager:s0 tclass=binder

denied { open } for pid=763 comm="netmgrd"
path="/sys/devices/soc0/soc_id" dev="sysfs" ino=50839
scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0 tclass=file

denied { read } for pid=763 comm="netmgrd" name="soc_id" dev="sysfs"
ino=50839 scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_soc:s0
tclass=file

denied { open } for pid=763 comm="netmgrd"
path="/sys/bus/msm_subsys/devices" dev="sysfs" ino=16197
scontext=u:r:netmgrd:s0 tcontext=u:object_r:sysfs_msm_subsys:s0
tclass=dir

denied { read } for pid=763 comm="netmgrd" name="devices" dev="sysfs"
ino=16197 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { search } for pid=763 comm="netmgrd" name="msm_subsys"
dev="sysfs" ino=16195 scontext=u:r:netmgrd:s0
tcontext=u:object_r:sysfs_msm_subsys:s0 tclass=dir

denied { create } for pid=672 comm="rmt_storage"
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0 tclass=socket

denied { setuid } for pid=672 comm="rmt_storage" capability=7
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { net_bind_service } for pid=672 comm="rmt_storage" capability=10
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { setpcap } for pid=672 comm="rmt_storage" capability=8
scontext=u:r:rmt_storage:s0 tcontext=u:r:rmt_storage:s0
tclass=capability

denied { open } for pid=672 comm="rmt_storage"
path="/sys/kernel/debug/rmt_storage/rmts" dev="debugfs" ino=19673
scontext=u:r:rmt_storage:s0 tcontext=u:object_r:debugfs:s0 tclass=file

denied { write } for pid=672 comm="rmt_storage" name="rmts"
dev="debugfs" ino=19673 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:debugfs:s0 tclass=file

denied { open } for pid=672 comm="rmt_storage" path="/dev/block/sdd15"
dev="tmpfs" ino=22639 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file

denied { read write } for pid=672 comm="rmt_storage" name="sdd15"
dev="tmpfs" ino=22639 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:sdd_block_device:s0 tclass=blk_file

denied { read } for pid=672 comm="rmt_storage" name="uio0" dev="sysfs"
ino=38371 scontext=u:r:rmt_storage:s0 tcontext=u:object_r:sysfs_uio:s0
tclass=lnk_file

denied { ioctl } for pid=671 comm="irsc_util" path="socket:[1213]"
dev="sockfs" ino=1213 ioctlcmd=c305 scontext=u:r:irsc_util:s0
tcontext=u:r:irsc_util:s0 tclass=socket

denied { create } for pid=671 comm="irsc_util" scontext=u:r:irsc_util:s0
tcontext=u:r:irsc_util:s0 tclass=socket

denied { open } for pid=672 comm="rmt_storage" path="/dev/block/sdf3"
dev="tmpfs" ino=22678 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file

denied { read write } for pid=672 comm="rmt_storage" name="sdf3"
dev="tmpfs" ino=22678 scontext=u:r:rmt_storage:s0
tcontext=u:object_r:block_device:s0 tclass=blk_file

Test: The above denials are no longer present
Bug: 34784662
Change-Id: I79caf3bef228a1fd84f0f58d4274c2f6a668d203
Max Bires
2017-03-01 10:23:44 -08:00
parent 0ec7641e74
commit d03132d274
8 changed files with 32 additions and 5 deletions


@@ -14,3 +14,4 @@ type ramdump_device, dev_type;
type hbtp_device, dev_type;
type sg_device, dev_type;
type sdd_block_device, dev_type;
type sdf_block_device, dev_type;


@@ -4,10 +4,11 @@ type sysfs_soc, sysfs_type, fs_type;
type sysfs_rmtfs, sysfs_type, fs_type;
type sysfs_net, sysfs_type, fs_type;
type sysfs_fingerprint, sysfs_type, fs_type;
type sysfs_msm_subsys, sysfs_type, fs_type;
type sysfs_msm_subsys_restart, sysfs_type, fs_type;
type debugfs_rmt_storage, debugfs_type, fs_type;
type qmuxd_socket, file_type;
type netmgrd_socket, file_type;
type thermal_socket, file_type;


@@ -43,6 +43,8 @@
# dev block nodes
/dev/block/sdd[0-9]+ u:object_r:sdd_block_device:s0
/dev/block/sdf[0-9]+ u:object_r:sdf_block_device:s0
# files in sysfs
/sys/class/uio(/.*)? u:object_r:sysfs_uio:s0
/sys/devices/soc/c900000.qcom,mdss_mdp/c900000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds(/.*)? u:object_r:sysfs_leds:s0
@@ -50,14 +52,16 @@
/sys/devices/soc/0\.qcom,rmtfs_sharedmem(/.*)? u:object_r:sysfs_rmtfs:s0
/sys/devices/soc/soc:fp_fpc1020(/.*)? u:object_r:sysfs_fingerprint:s0
/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
/sys/module/msm_thermal(/.*)? u:object_r:sysfs_thermal:s0
/sys/module/tcp_cubic/parameters(/.*)? u:object_r:sysfs_net:s0
/sys/devices/virtual/graphics/fb([0-2])+/idle_time u:object_r:sysfs_graphics:s0
/sys/devices/virtual/net(/.*)? u:object_r:sysfs_net:s0
/sys/devices/soc/8c0000\.qcom,msm-cam(/.*)? u:object_r:sysfs_camera:s0
/sys/devices/soc0(/.*)? u:object_r:sysfs_soc:s0
/sys/devices/soc/caa0000\.qcom,jpeg(/.*)? u:object_r:sysfs_camera:s0
/sys/devices/soc/caa4000\.qcom,fd(/.*)? u:object_r:sysfs_camera:s0
/sys/bus/msm_subsys(/.*)? u:object_r:sysfs_msm_subsys:s0
/sys/bus/msm_subsys(/.*)? u:object_r:sysfs_msm_subsys:s0
# files in /system
/system/bin/init\.power\.sh u:object_r:init_power_exec:s0
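Review bot: `/sys/bus/msm_subsys(/.*)? u:object_r:sysfs_msm_subsys:s0` appears twice in a row at the end of the second hunk; unless the rendered page has merged an old/new pair here, one of the two entries is a duplicate and should be dropped. Separately, `/dev/block/sdf[0-9]+` (like the existing `sdd[0-9]+` entry) labels every partition on that disk, while the denials in the description only show rmt_storage opening sdd15 and sdf3; since rmt_storage.te grants rw_file_perms on both types, anchoring the regexes to the partitions it actually uses would avoid giving the daemon raw read/write on the rest of those disks. A comment such as `# partitions backing rmt_storage; labelled separately from block_device` above the two block entries would record why they carry their own types.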


@@ -3,6 +3,9 @@ type irsc_util_exec, exec_type, file_type;
init_daemon_domain(irsc_util)
allow irsc_util self:socket create_socket_perms;
allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
userdebug_or_eng(`
permissive irsc_util;
')
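Review bot: The new `allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;` only resolves the listed `ioctlcmd=c305` denial if that command is a member of msm_sock_ipc_ioctls, which cannot be checked from this page and is not stated anywhere in the hunk. A one-line comment above the two socket rules, e.g. `# IPC router socket; ioctls limited to msm_sock_ipc_ioctls`, would tell the next reader why a raw AF socket with ioctl is needed here. Whether the `userdebug_or_eng` permissive block is context or new cannot be told from the rendered page.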


@@ -9,15 +9,20 @@ set_prop(netmgrd, net_radio_prop)
# communicate with netd
unix_socket_connect(netmgrd, netd, netd)
allow netmgrd self:socket create_socket_perms_no_ioctl;
allow netmgrd netmgrd_socket:dir w_dir_perms;
allow netmgrd netmgrd_socket:sock_file { create setattr };
allow netmgrd self:netlink_socket create_socket_perms_no_ioctl;
allow netmgrd self:socket create_socket_perms;
allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
allow netmgrd sysfs_net:file rw_file_perms;
allow netmgrd sysfs_net:dir r_dir_perms;
allow netmgrd proc_net:file rw_file_perms;
allow netmgrd sysfs_soc:file r_file_perms;
allow netmgrd sysfs_msm_subsys:dir r_dir_perms;
allow netmgrd proc_net:file w_file_perms;
allow netmgrd net_data_file:dir r_dir_perms;
allow netmgrd netmgr_data_file:file rw_file_perms;
allow netmgrd system_file:file execute_no_trans;
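Review bot: `allow netmgrd self:socket create_socket_perms_no_ioctl;` and `allow netmgrd self:socket create_socket_perms;` both appear in the hunk, as do `allow netmgrd proc_net:file rw_file_perms;` and `allow netmgrd proc_net:file w_file_perms;`; the markers are lost on this page, so if the narrower line of each pair is the removal this is fine, but if both survive on the new side the narrower one is redundant and should be deleted. `allow netmgrd sysfs_net:file rw_file_perms;` fixes the hystart_detect write denial, but sysfs_net also covers `/sys/devices/virtual/net(/.*)?` per file_contexts, so netmgrd gains write access there as well; a dedicated label for `/sys/module/tcp_cubic/parameters` would keep the grant to what the denial shows. The hunk starts at line 9, so netmgrd's earlier rules are not visible here.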


@@ -1,3 +1,4 @@
binder_use(rild)
binder_call(rild, per_mgr)
allow rild qmuxd_socket:dir w_dir_perms;
@@ -7,4 +8,4 @@ allow rild socket_device:sock_file write;
unix_socket_connect(rild, netmgrd, netmgrd)
allow rild self:socket ioctl;
allowxperm rild self:socket ioctl { IPC_ROUTER_IOCTL_LOOKUP_SERVER };
allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
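Review bot: The second hunk replaces `allowxperm rild self:socket ioctl { IPC_ROUTER_IOCTL_LOOKUP_SERVER };` with `allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;`, widening the ioctl allowlist from a single command to the whole set, while the description shows only `ioctlcmd=c304` being denied. If c304 corresponds to one named command, adding it to the existing brace list keeps the grant minimal; if the full set is intended, a short comment stating why rild needs all of msm_sock_ipc_ioctls would help the next reader. `binder_use(rild)` in the first hunk matches the servicemanager and binder denials listed in the description.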


@@ -5,12 +5,20 @@ init_daemon_domain(rmt_storage)
wakelock_use(rmt_storage)
allow rmt_storage self:capability setgid;
allow rmt_storage self:capability { net_bind_service setgid setpcap setuid };
allow rmt_storage sdd_block_device:blk_file rw_file_perms;
allow rmt_storage sdf_block_device:blk_file rw_file_perms;
allow rmt_storage uio_device:chr_file rw_file_perms;
allow rmt_storage sysfs_uio:dir r_dir_perms;
allow rmt_storage sysfs_uio:lnk_file r_file_perms;
allow rmt_storage sysfs_rmtfs:file r_file_perms;
allow rmt_storage debugfs_rmt_storage:file w_file_perms;
allow rmt_storage self:socket create_socket_perms_no_ioctl;
userdebug_or_eng(`
permissive rmt_storage;
')
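Review bot: The capability line grows from `setgid` to `{ net_bind_service setgid setpcap setuid }`, which lets rmt_storage change its uid and capability bounding set; the denials confirm the daemon attempts this, but nothing in the hunk records whether this is a startup privilege drop, so add a comment such as `# uid/capability change at startup; confirm this is a drop, not an escalation` (or the actual reason, if known). `allow rmt_storage debugfs_rmt_storage:file w_file_perms;` grants a production daemon write access to a debugfs node; if that node is only used on debug builds, the rule could move inside the `userdebug_or_eng` block. Whether `permissive rmt_storage` is context or part of this change cannot be told from the rendered page.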


@@ -3,8 +3,12 @@ type thermal-engine_exec, exec_type, file_type;
init_daemon_domain(thermal-engine)
allow thermal-engine self:capability2 block_suspend;
allow thermal-engine sysfs_thermal:dir r_dir_perms;
allow thermal-engine sysfs_thermal:file rw_file_perms;
allow thermal-engine sysfs_rmtfs:file r_file_perms;
allow thermal-engine sysfs_uio:lnk_file r_file_perms;
allow thermal-engine self:socket create_socket_perms;
allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
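Review bot: `allow thermal-engine self:socket create_socket_perms;` and `allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;` are not backed by any thermal-engine socket denial in the description, which only lists the sysfs_rmtfs, sysfs_uio and block_suspend denials for this domain. If these two lines are part of this change, the corresponding denial should be added to the message or the rules held back until one is observed; the rendered page drops the +/- markers, so they may instead be context. The remaining thermal-engine rules are outside the hunk.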