RMX3031:Sepolicy: Address neverallows

* Also remove ignore neverallows flag now

Signed-off-by: Nishant Kumar <www.rajsonu13@gmail.com>

BoardConfig.mk

@@ -176,7 +176,6 @@ include device/mediatek/sepolicy_vndr/SEPolicy.mk
 SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/private
 SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/public
 BOARD_SEPOLICY_DIRS  += $(DEVICE_PATH)/sepolicy/vendor
-SELINUX_IGNORE_NEVERALLOWS := true
 
 # Touch
 SOONG_CONFIG_NAMESPACES += OPLUS_LINEAGE_TOUCH_HAL

sepolicy/private/audioserver.te

@@ -1,3 +0,0 @@
-allow audioserver audioserver_tmpfs:file { read write execute };
-allow audioserver system_file:file { execmod };
-allow audioserver unlabeled:file { read write execute open getattr };

sepolicy/private/init.te

@@ -1,2 +0,0 @@
-allow init vtservice_service:service_manager { find add };
-allow init vtservice_hidl_service:service_manager { find add };

sepolicy/private/mediaserver.te

@@ -1,4 +1,2 @@
-allow mediaserver mediaserver_tmpfs:file { read write execute };
-allow mediaserver system_file:file { execmod };
 allow mediaserver opluscamera_app_data_file:file rw_file_perms;
 allow mediaserver package_native_service:service_manager find;

sepolicy/private/opluscamera_app.te

@@ -37,7 +37,6 @@ binder_call(opluscamera_app, gpuservice)
 allow opluscamera_app media_session_service:service_manager find;
 allow opluscamera_app osense_service:service_manager find;
 allow opluscamera_app oplus_resource_manager_service:service_manager find;
-allow opluscamera_app oplus_exsystem_service_app:service_manager find;
 allow opluscamera_app OPLUSExService_service:service_manager find;
 allow opluscamera_app app_compatibility_service:service_manager find;
 allow opluscamera_app game_service:service_manager find;

sepolicy/private/property.te

@@ -1,2 +0,0 @@
-type cabc_prop, property_type;
-type vib_strength_prop, property_type;

sepolicy/private/property_contexts

@@ -6,6 +6,7 @@ demo.hole                    u:object_r:exported_system_prop:s0
 demo.near                    u:object_r:exported_system_prop:s0
 demo.far                     u:object_r:exported_system_prop:s0
 demo.fb                      u:object_r:exported_system_prop:s0
+oplus.debug.nvram.enable     u:object_r:exported_system_prop:s0
 ro.oplus.camera.             u:object_r:system_oplus_camera_prop:s0
 ro.oplus.market.name         u:object_r:system_oplus_camera_prop:s0
 ro.oplus.system.camera.      u:object_r:system_oplus_camera_prop:s0
@@ -25,5 +26,5 @@ ro.oplus.version.     u:object_r:system_oplus_project_prop:s0
 ro.oplus.image.       u:object_r:system_oplus_project_prop:s0
 
 # Realme Parts
-persist.cabc_profile        u:object_r:cabc_prop:s0
-persist.vib_strength        u:object_r:vib_strength_prop:s0
+persist.cabc_profile        u:object_r:system_cabc_prop:s0
+persist.vib_strength        u:object_r:system_vib_strength_prop:s0

sepolicy/private/system_app.te

@@ -1,5 +1,5 @@
 # Allow system app to set vibration prop
-set_prop(system_app, vib_strength_prop)
+set_prop(system_app, system_vib_strength_prop)
 
 # Allow system_app to set cabc props
-set_prop(system_app, cabc_prop)
+set_prop(system_app, system_cabc_prop)

sepolicy/private/vtservice.te

@@ -1,3 +1 @@
 allow vtservice radio_service:service_manager find;
-allow vtservice vtservice_service:service_manager add;
-get_prop(vtservice, vendor_default_prop)

sepolicy/public/property.te

@@ -9,3 +9,7 @@ system_public_prop(system_fingerprint_prop)
 
 # Version
 system_vendor_config_prop(system_oplus_project_prop)
+
+# Realme Parts
+system_public_prop(system_vib_strength_prop)
+system_public_prop(system_cabc_prop)

sepolicy/vendor/audioserver.te

@@ -1 +0,0 @@
-allow audioserver vendor_default_prop:file rw_file_perms;

sepolicy/vendor/cameraserver.te

@@ -1 +1 @@
-set_prop(cameraserver, vendor_oplus_prop)
+get_prop(cameraserver, vendor_oplus_prop)

sepolicy/vendor/ccci_rpcd.te

@@ -1 +0,0 @@
-allow ccci_rpcd default_prop:file rw_file_perms;

sepolicy/vendor/file_contexts

@@ -3,6 +3,12 @@
 /mnt/vendor/persist/camera(/.*)?                                                                                       u:object_r:persist_camera_file:s0
 /(odm|vendor/odm)/bin/hw/vendor\.oplus\.hardware\.engcamera@1\.0-service                                               u:object_r:mtk_hal_camera_exec:s0
 /(odm|vendor/odm)/bin/hw/vendor\.oplus\.hardware\.cammidasservice@1\.0-service                                         u:object_r:mtk_hal_camera_exec:s0
+/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.allocator@2\.0\.so       u:object_r:same_process_hal_file:s0
+/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.allocator@3\.0\.so       u:object_r:same_process_hal_file:s0
+/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.allocator@4\.0\.so       u:object_r:same_process_hal_file:s0
+/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.common-V2-ndk_platform\.so       u:object_r:same_process_hal_file:s0
+/(vendor|odm)/lib(64)?/android\.hardware\.graphics\.common-V2-ndk\.so        u:object_r:same_process_hal_file:s0
+/(vendor|odm)/lib(64)?/vendor\.oplus\.hardware\.ormsHalService-V1-ndk_platform\.so        u:object_r:same_process_hal_file:s0
 /(vendor|odm)/lib(64)?/libAlgoProcess\.so                                    u:object_r:same_process_hal_file:s0
 /(vendor|odm)/lib(64)?/libapsjpeg\.so                                        u:object_r:same_process_hal_file:s0
 /(vendor|odm)/lib(64)?/libapsexif\.so                                        u:object_r:same_process_hal_file:s0

sepolicy/vendor/fsck.te

@@ -1,4 +1 @@
-allow fsck mnt_vendor_file:dir { search };
-allow fsck nvdata_file:dir { getattr };
-allow fsck nvcfg_file:dir { getattr };
 allow fsck oplus_block_device:blk_file rw_file_perms;

sepolicy/vendor/hal_audio_default.te

@@ -1,5 +1,4 @@
 allow hal_audio_default hal_audio_default:process { execmem };
-allow hal_audio_default audio_data_file:dir { search };
 allow hal_audio_default mtk_hal_power_hwservice:hwservice_manager find;
 binder_call(hal_audio_default, mtk_hal_power)
 

sepolicy/vendor/hal_charger_oplus.te

@@ -1,10 +1,11 @@
 type hal_charger_oplus, domain;
 type hal_charger_oplus_exec, exec_type, vendor_file_type, file_type;
 
+add_hwservice(hal_charger_oplus, hal_charger_oplus_hwservice)
+
 init_daemon_domain(hal_charger_oplus)
 
 hwbinder_use(hal_charger_oplus)
-add_hwservice(hal_charger_oplus, hal_charger_oplus_hwservice)
 allow hal_charger_oplus fwk_sensor_hwservice:hwservice_manager find;
 
 allow hal_charger_oplus hal_charger_oplus:netlink_kobject_uevent_socket { read create bind getopt setopt };
@@ -40,7 +41,7 @@ r_dir_file(hal_charger_oplus, sysfs_batteryinfo)
 
 get_prop(hal_charger_oplus, hwservicemanager_prop)
 
-allow hal_charger_oplus vendor_sysfs_ac_supply:dir rw_dir_perms;
+allow hal_charger_oplus vendor_sysfs_ac_supply:dir r_dir_perms;
 allow hal_charger_oplus vendor_sysfs_ac_supply:file rw_file_perms;
 allow hal_charger_oplus oplus_block_device:dir search;
 allow hal_charger_oplus oplus_block_device:file r_file_perms;

sepolicy/vendor/hal_fingerprint_default.te

@@ -1,5 +1,7 @@
 binder_call(hal_fingerprint_default, hal_fingerprint_default)
 
+add_hwservice(hal_fingerprint_default, hal_fingerprint_oplus_hwservice)
+
 allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
 allow hal_fingerprint_default oplus_fingerprint_file:dir { create_dir_perms rw_dir_perms };
 allow hal_fingerprint_default oplus_fingerprint_file:file { create_file_perms rw_file_perms };
@@ -28,11 +30,10 @@ allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
 allow hal_fingerprint_default vendor_sysfs_battery_supply:dir r_dir_perms;
 allow hal_fingerprint_default vendor_sysfs_battery_supply:file r_file_perms;
 
-add_hwservice(hal_fingerprint_default, hal_commondcs_oplus_hwservice)
-add_hwservice(hal_fingerprint_default, oplus_hal_ormsHal_hwservice)
-add_hwservice(hal_fingerprint_default, hal_performance_oplus_hwservice)
-add_hwservice(hal_fingerprint_default, hal_osense_oplus_hwservice)
-add_hwservice(hal_fingerprint_default, hal_fingerprint_oplus_hwservice)
+allow hal_fingerprint_default hal_commondcs_oplus_hwservice:hwservice_manager find;
+allow hal_fingerprint_default oplus_hal_ormsHal_hwservice:hwservice_manager find;
+allow hal_fingerprint_default hal_performance_oplus_hwservice:hwservice_manager find;
+allow hal_fingerprint_default hal_osense_oplus_hwservice:hwservice_manager find;
 
 get_prop(hal_fingerprint_default, system_oplus_project_prop)
 set_prop(hal_fingerprint_default, system_fingerprint_prop)

sepolicy/vendor/hal_nfc_default.te

@@ -1,2 +1 @@
-allow hal_nfc_default device:chr_file rw_file_perms;
 allow hal_nfc_default device:chr_file ioctl;

sepolicy/vendor/hal_performance_oplus.te

@@ -1,18 +1,18 @@
 type hal_performance_oplus, domain;
 type hal_performance_oplus_exec, exec_type, vendor_file_type, file_type;
+add_hwservice(hal_performance_oplus, hal_performance_oplus_hwservice)
 
 init_daemon_domain(hal_performance_oplus)
 
 hwbinder_use(hal_performance_oplus)
-add_hwservice(hal_performance_oplus, hal_performance_oplus_hwservice)
+
 get_prop(hal_performance_oplus, hwservicemanager_prop)
 set_prop(hal_performance_oplus, hwservicemanager_prop)
-allow hal_performance_oplus hwservicemanager_prop:file rw_file_perms;
+allow hal_performance_oplus hwservicemanager_prop:file { read getattr open };
 allow hal_performance_oplus hal_fingerprint_default:dir search;
 allow hal_performance_oplus mtk_hal_audio:dir search;
 allow hal_performance_oplus hal_audio_default:dir search;
 allow hal_performance_oplus vendor_proc_oplus_version:file r_file_perms;
 allow hal_performance_oplus proc_version:file r_file_perms;
-allow hal_performance_oplus system_prop:file r_file_perms;
 allow hal_performance_oplus mtk_hal_audio:file rw_file_perms;
 allow hal_performance_oplus hal_fingerprint_default:file rw_file_perms;

sepolicy/vendor/hwservicemanager.te

@@ -1 +0,0 @@
-allow hwservicemanager init:binder { transfer };

sepolicy/vendor/init.te

@@ -1,36 +1,26 @@
-binder_use(init)
-hwbinder_use(init)
 allow proc_perfmgr proc:filesystem associate ;
 allow proc_cpufreq proc:filesystem associate ;
 allow vendor_proc_display proc:filesystem associate ;
-allow init vendor_shell_exec:file rx_file_perms;
-allow init vendor_toolbox_exec:file rx_file_perms;
+allow init vendor_shell_exec:file {r_file_perms execute};
+allow init vendor_toolbox_exec:file {r_file_perms execute};
 allow init proc:file rw_file_perms;
 allow init proc_swappiness:file rw_file_perms;
 allow init proc_watermark_scale_factor:file rw_file_perms;
-allow init privapp_data_file:dir rw_dir_perms;
-allow init app_data_file:dir rw_dir_perms;
-allow init system_app_data_file:dir rw_dir_perms;
 allow init sysfs_devices_block:file rw_file_perms;
 allow init sysfs_leds:file create_file_perms;
-allow init mtk_hal_camera_exec:file rx_file_perms;
+allow init mtk_hal_camera_exec:file {r_file_perms execute};
 allow init vendor_sysfs_otg_switch:file create_file_perms;
 allow init vendor_sysfs_usb_supply:file create_file_perms;
 allow init vendor_sysfs_graphics:file create_file_perms;
 allow init vendor_proc_display:file create_file_perms;
-allow init ccci_device:chr_file create_file_perms;
-binder_call(init, vtservice_hidl)
-binder_call(init, surfaceflinger)
-binder_call(init, radio)
+allow init ccci_device:chr_file r_file_perms;
 allow init vtservice_hidl:fd { use };
-allow init shell_exec:file rx_file_perms;
+allow init shell_exec:file {r_file_perms execute};
 allow init mtk_hal_audio:file rw_file_perms;
-allow init system_file:file rx_file_perms;
-allow init hal_performance_oplus_exec:file rx_file_perms;
-add_hwservice(init, hal_performance_oplus_hwservice)
-add_hwservice(init, mtk_hal_videotelephony_hwservice)
-allow init surfaceflinger_service:service_manager find;
-allow init radio_service:service_manager find;
+allow init system_file:file {r_file_perms execute};
+allow init hal_performance_oplus_exec:file {r_file_perms execute};
+allow init hal_performance_oplus_hwservice:hwservice_manager find;
+allow init mtk_hal_videotelephony_hwservice:hwservice_manager find;
 allow init oplus_block_device:lnk_file relabelto;
-allow init oplus_orms_aidl_service_exec:file rx_file_perms;
+allow init oplus_orms_aidl_service_exec:file {r_file_perms execute};
 allow init sysfs_vibrator:file rw_file_perms;

sepolicy/vendor/mnld.te

@@ -0,0 +1 @@
+r_dir_file(mnld, vendor_proc_oplus_version)

sepolicy/vendor/mobicore.te

@@ -1,2 +1 @@
-allow mobicore system_prop:file rw_file_perms;
-allow mobicore system_oplus_project_prop:file rw_file_perms;
+allow mobicore system_oplus_project_prop:file { read getattr open map };

sepolicy/vendor/mtk_hal_audio.te

@@ -1,11 +1,7 @@
 type mtk_hal_audio_tmpfs, fs_type;
 
-allow mtk_hal_audio mtk_hal_audio_tmpfs:file rx_file_perms;
-allow mtk_hal_audio default_prop:property_service { set };
 allow mtk_hal_audio mtk_hal_audio:process { execmem };
-allow mtk_hal_audio system_prop:file { read };
 allow mtk_hal_audio untrusted_app:fifo_file { write };
-allow mtk_hal_audio vendor_default_prop:property_service { set };
 
 r_dir_file(mtk_hal_audio, vendor_proc_oplus_version)
 get_prop(mtk_hal_audio, system_oplus_audio_prop)
@@ -13,6 +9,5 @@ set_prop(mtk_hal_audio, system_oplus_audio_prop)
 set_prop(mtk_hal_audio, vendor_audio_tuning_prop)
 
 allow mtk_hal_audio persist_data_file:dir r_dir_perms;
-allow mtk_hal_audio init:binder { call };
-add_hwservice(mtk_hal_audio, hal_performance_oplus_hwservice)
 binder_call(mtk_hal_audio, hal_performance_oplus)
+allow mtk_hal_audio hal_performance_oplus_hwservice:hwservice_manager find;

sepolicy/vendor/mtk_hal_camera.te

@@ -1,17 +1,14 @@
 add_hwservice(mtk_hal_camera, hal_camera_oplus_hwservice)
-add_hwservice(mtk_hal_camera, oplus_hal_ormsHal_hwservice)
-add_hwservice(mtk_hal_camera, hal_performance_oplus_hwservice)
-add_hwservice(mtk_hal_camera, hal_osense_oplus_hwservice)
-add_hwservice(mtk_hal_camera, mtk_hal_mmagent_hwservice)
+
+allow mtk_hal_camera oplus_hal_ormsHal_hwservice:hwservice_manager find;
+allow mtk_hal_camera hal_performance_oplus_hwservice:hwservice_manager find;
+allow mtk_hal_camera hal_osense_oplus_hwservice:hwservice_manager find;
 
 r_dir_file(mtk_hal_camera, proc_boost_pool)
 r_dir_file(mtk_hal_camera, proc_sched_assist)
 r_dir_file(mtk_hal_camera, proc_version)
-r_dir_file(mtk_hal_camera, system_data_file)
 r_dir_file(mtk_hal_camera, vendor_proc_oplus_version)
 
-get_prop(mtk_hal_camera, default_prop)
-get_prop(mtk_hal_camera, system_prop)
 set_prop(mtk_hal_camera, vendor_oplus_prop)
 get_prop(mtk_hal_camera, system_oplus_camera_prop)
 
@@ -25,4 +22,3 @@ allow mtk_hal_camera proc_boost_pool:file rw_file_perms;
 binder_call(mtk_hal_camera, mtk_hal_mmagent)
 binder_call(mtk_hal_camera, opluscamera_app)
 allow mtk_hal_camera opluscamera_app:fd use;
-r_dir_file(mtk_hal_camera, system_data_file)

sepolicy/vendor/network_stack.te

@@ -0,0 +1 @@
+allow network_stack proc_net:file r_file_perms;

sepolicy/vendor/oplus_hal_ormsHal.te

@@ -8,13 +8,12 @@ get_prop(oplus_hal_ormsHal, hwservicemanager_prop)
 set_prop(oplus_hal_ormsHal, hwservicemanager_prop)
 
 allow oplus_hal_ormsHal oplus_hal_ormsHal_exec:file rx_file_perms;
-allow oplus_hal_ormsHal hwservicemanager_prop:file rw_file_perms;
+allow oplus_hal_ormsHal hwservicemanager_prop:file { read getattr open };
 allow oplus_hal_ormsHal hal_fingerprint_default:dir search;
 allow oplus_hal_ormsHal mtk_hal_audio:dir search;
 allow oplus_hal_ormsHal hal_audio_default:dir search;
 allow oplus_hal_ormsHal vendor_proc_oplus_version:file r_file_perms;
 allow oplus_hal_ormsHal proc_version:file r_file_perms;
-allow oplus_hal_ormsHal system_prop:file r_file_perms;
 allow oplus_hal_ormsHal mtk_hal_audio:file rw_file_perms;
 allow oplus_hal_ormsHal hal_fingerprint_default:file rw_file_perms;
 binder_call(oplus_hal_ormsHal, servicemanager)

sepolicy/vendor/opluscamera_app.te

@@ -1,27 +1,25 @@
-hal_client_domain(opluscamera_app, hal_camera)
 
 r_dir_file(opluscamera_app, vendor_sysfs_graphics)
 r_dir_file(opluscamera_app, persist_camera_file)
 r_dir_file(opluscamera_app, persist_data_file)
-r_dir_file(opluscamera_app, mnt_vendor_file)
-r_dir_file(opluscamera_app, vendor_file)
-r_dir_file(opluscamera_app, shell_data_file)
+allow opluscamera_app shell_data_file:file r_file_perms;
+allow opluscamera_app shell_data_file:dir r_dir_perms;
 
 allow opluscamera_app hal_osense_oplus_hwservice:hwservice_manager find;
 allow opluscamera_app hal_performance_oplus_hwservice:hwservice_manager find;
-allow opluscamera_app mtk_hal_bgs_hwservice:hwservice_manager find;
-allow opluscamera_app hal_camera_hwservice:hwservice_manager find;
 
-get_prop(opluscamera_app, vendor_oplus_prop)
+hal_client_domain(opluscamera_app, hal_mtk_bgs)
+hal_client_domain(opluscamera_app, hal_mtk_mmagent)
+
 binder_call(opluscamera_app, mtk_hal_camera)
 binder_call(opluscamera_app, hal_performance_oplus)
 binder_call(opluscamera_app, mtk_hal_camera)
 binder_call(opluscamera_app, hal_performance_oplus)
 binder_call(opluscamera_app, mtk_hal_neuralnetworks)
 
-allow opluscamera_app vendor_file:file x_file_perms;
 allow opluscamera_app system_data_file:file r_file_perms;
 allow opluscamera_app apusys_device:chr_file { ioctl read write open };
 allow opluscamera_app mtk_hal_neuralnetworks:fd use;
 allow opluscamera_app mtk_hal_camera:fd use;
 allow opluscamera_app vpu_device:chr_file { ioctl read open };
+get_prop(opluscamera_app, vendor_oplus_prop)

sepolicy/vendor/platform_app.te

@@ -1,9 +1,8 @@
 r_dir_file(platform_app, vendor_sysfs_graphics)
-add_hwservice(platform_app, hal_osense_oplus_hwservice)
-add_hwservice(platform_app, hal_performance_oplus_hwservice)
-add_hwservice(platform_app, mtk_hal_bgs_hwservice)
 
-get_prop(platform_app, vendor_oplus_prop)
+allow platform_app hal_performance_oplus_hwservice:hwservice_manager find;
+allow platform_app hal_osense_oplus_hwservice:hwservice_manager find;
+
 binder_call(platform_app, mtk_hal_camera)
 binder_call(platform_app, hal_performance_oplus)
 binder_call(platform_app, mtk_hal_camera)
@@ -11,10 +10,9 @@ binder_call(platform_app, hal_performance_oplus)
 
 r_dir_file(platform_app, persist_camera_file)
 r_dir_file(platform_app, persist_data_file)
-r_dir_file(platform_app, mnt_vendor_file)
-r_dir_file(platform_app, vendor_file)
-r_dir_file(platform_app, shell_data_file)
+allow platform_app shell_data_file:file r_file_perms;
+allow platform_app shell_data_file:dir r_dir_perms;
 
-allow platform_app vendor_file:file x_file_perms;
 allow platform_app system_data_file:file r_file_perms;
 allow platform_app apusys_device:chr_file { ioctl read write open };
+get_prop(platform_app, vendor_oplus_prop)

sepolicy/vendor/property.te

@@ -1,4 +1,4 @@
 vendor_internal_prop(vendor_fingerprint_prop)
-vendor_internal_prop(vendor_oplus_prop)
+vendor_public_prop(vendor_oplus_prop)
 vendor_internal_prop(vendor_audio_tuning_prop)
 vendor_internal_prop(vendor_audio_prop)

sepolicy/vendor/radio.te

@@ -1,4 +1 @@
-allow radio vendor_default_prop:file rw_file_perms;
-allow radio init:binder call;
-allow radio vendor_mtk_radio_prop:property_service { set };
-binder_call(radio, init)
+get_prop(radio, vendor_mtk_radio_prop)

sepolicy/vendor/rild.te

@@ -3,5 +3,3 @@ set_prop(rild, vendor_mtk_telephony_addon_prop)
 set_prop(rild, vendor_mtk_mdrsra_v2_support_prop)
 set_prop(rild, vendor_mtk_xfrm_support_prop)
 set_prop(rild, vendor_mtk_md_prop)
-allow rild vendor_default_prop:property_service { set };
-allow rild default_prop:file rw_file_perms;

sepolicy/vendor/servicemanager.te

@@ -1,3 +1,2 @@
-binder_call(servicemanager, init)
 binder_call(servicemanager, oplus_orms_aidl_service)
 r_dir_file(servicemanager, oplus_orms_aidl_service)

sepolicy/vendor/surfaceflinger.te

@@ -1,3 +1 @@
-allow surfaceflinger vendor_default_prop:file rw_file_perms;
-allow surfaceflinger mtk_hal_mmagent_hwservice:hwservice_manager find;
 binder_call(surfaceflinger, mtk_hal_mmagent)

sepolicy/vendor/system_app.te

@@ -1,9 +1,7 @@
 r_dir_file(system_app, vendor_sysfs_graphics)
 r_dir_file(system_app, vendor_sysfs_usb_supply)
-r_dir_file(system_app, sysfs_batteryinfo)
 allow system_app vendor_sysfs_graphics:file rw_file_perms;
 allow system_app vendor_sysfs_usb_supply:file rw_file_perms;
-allow system_app sysfs_batteryinfo:file rw_file_perms;
 allow system_app vendor_sysfs_otg_switch:file rw_file_perms;
 allow system_app vendor_sysfs_battery_supply:dir r_dir_perms;
 allow system_app vendor_sysfs_battery_supply:file rw_file_perms;

sepolicy/vendor/vendor_init.te

@@ -11,6 +11,6 @@ allow vendor_init vendor_sysfs_otg_switch:file w_file_perms;
 
 allow vendor_init vendor_proc_display:file w_file_perms;
 
-allow vendor_init vts_status_prop:file rw_file_perms;
-allow vendor_init system_prop:file rw_file_perms;
+allow vendor_init vts_status_prop:file { read getattr open };
+allow vendor_init system_prop:file { read getattr open };
 allow vendor_init proc_swappiness:file rw_file_perms;

sepolicy/vendor/zygote.te

@@ -1,2 +1,2 @@
-set_prop(zygote, vendor_mtk_gpu_prop)
-set_prop(zygote, vendor_mtk_sec_video_path_support_prop)
+get_prop(zygote, vendor_mtk_gpu_prop)
+get_prop(zygote, vendor_mtk_sec_video_path_support_prop)