Following suggestions by Stricted.
-allow adbd proc_last_kmsg:file { getattr read open };
+allow adbd proc_last_kmsg:file r_file_perms;
-allow apexd sysfs_virtual:file { read write open };
+allow apexd sysfs_virtual:file rw_file_perms;
-allow cbd factoryprop_efs_file:file { open read };
-allow cbd sysfs_info:file { open read };
+allow cbd factoryprop_efs_file:file r_file_perms;
+allow cbd sysfs_info:file r_file_perms;
allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
# /efs/maxim/rdc_cal
-allow hal_audio_default efs_file:file { read open };
+allow hal_audio_default efs_file:file r_file_perms;
allow hal_audio_default efs_file:dir search;
allow hal_audio_default imei_efs_file:dir search;
-allow hal_audio_default imei_efs_file:file { getattr open read };
+allow hal_audio_default imei_efs_file:file r_file_perms;
allow hal_audio_default vendor_radio_prop:file { getattr open read };
allow hal_audio_default init:unix_stream_socket connectto;
allow hal_bluetooth_default vendor_default_prop:property_service set;
-allow hal_bluetooth_default vendor_firmware_file:dir { open read };
+allow hal_bluetooth_default vendor_firmware_file:dir r_dir_perms;
vndbinder_use(hal_camera_default)
-allow hal_camera_default vndbinder_device:chr_file { ioctl open write read };
+allow hal_camera_default vndbinder_device:chr_file r_file_perms;
allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
allow hal_camera_default hal_graphics_composer_default:fd use;
allow hal_camera_default sysfs_virtual:dir search;
-allow hal_camera_default sysfs_virtual:file { getattr open read write };
+allow hal_camera_default sysfs_virtual:file rw_file_perms;
allow hal_camera_default sysfs_camera:dir search;
-allow hal_camera_default sysfs_camera:file { getattr open read write };
+allow hal_camera_default sysfs_camera:file rw_file_perms;
allow hal_camera_default exported_camera_prop:file { getattr open read };
allow hal_camera_default camera_data_file:dir search;
-# add_hwservice(hal_camera_default, hal_vendor_multiframeprocessing_hwservice)
-# add_hwservice(hal_camera_default, hal_vendor_iva_hwservice)
-
binder_call(hal_camera_default, system_server)
binder_call(system_server, hal_camera_default)
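Review bot: The new `vndbinder_device:chr_file` rule is not equivalent to the one it replaces, because `r_file_perms` has no `write` and the removed set `{ ioctl open write read }` did. The `vndbinder_use(hal_camera_default)` call directly above should already grant `rw_file_perms` on `vndbinder_device` (per the AOSP te_macros definition; confirm for this tree). If so, the explicit rule is redundant and can be dropped. If it is kept, it should read `allow hal_camera_default vndbinder_device:chr_file rw_file_perms;` so the policy text matches what the domain actually needs.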
allow hal_drm_widevine mediadrm_data_file:dir create_dir_perms;
allow hal_drm_widevine mediadrm_data_file:file create_file_perms;
allow hal_drm_widevine media_data_file:dir search;
-allow hal_drm_widevine vendor_data_file:dir { write create add_name } ;
-allow hal_drm_widevine vendor_data_file:file { create open read write getattr } ;
+allow hal_drm_widevine vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine vendor_data_file:file create_file_perms;
-allow hal_drm_widevine cpk_efs_file:file { open read getattr };
+allow hal_drm_widevine cpk_efs_file:file r_file_perms;
allow hal_drm_widevine efs_file:dir search;
-allow hal_drm_widevine secmem_device:chr_file { open read write ioctl };
+allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
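Review bot: The two `vendor_data_file` rules are widened, not restated, by the switch to `create_dir_perms` / `create_file_perms`. With AOSP's global_macros definitions the directory rule gains `remove_name`, `rmdir`, `rename`, `reparent` and `setattr`, and the file rule gains `rename`, `setattr` and `unlink`, all on the generic `vendor_data_file` label rather than a Widevine-specific one. Unless logged denials show the HAL needs them, keep the narrower sets, e.g. `allow hal_drm_widevine vendor_data_file:dir { write create add_name };`, or give the DRM data its own type. The same silent widening appears further down for `rild` on `vendor_data_file` and `bin_nv_data_efs_file` (`create_file_perms` adds `create`, `rename`, `unlink`) and for `kernel` on `device:dir` (`create_dir_perms`).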
allow hal_fingerprint_default fingerprintd_data_file:dir write;
-allow hal_fingerprint_default tee_device:chr_file { ioctl open read write };
-allow hal_fingerprint_default fingerprint_device:chr_file { ioctl open read write };
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
allow hal_fingerprint_default sysfs_virtual:dir search;
-allow hal_fingerprint_default sysfs_virtual:file { open read };
+allow hal_fingerprint_default sysfs_virtual:file r_file_perms;
-allow hal_gatekeeper_default gatekeeper_efs_file:file { write open read };
+allow hal_gatekeeper_default gatekeeper_efs_file:file rw_file_perms;
allow hal_gatekeeper_default gatekeeper_efs_file:dir search;
-allow hal_gatekeeper_default tee_device:chr_file { open read write };
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
allow hal_gatekeeper_default efs_file:dir search;
r_dir_file(hal_health_default, sysfs_charger)
allow hal_health_default sysfs_charger:file rw_file_perms;
-allow hal_health_default sysfs_battery:dir { open read search };
-allow hal_health_default sysfs_battery:file { getattr open read };
+allow hal_health_default sysfs_battery:dir r_dir_perms;
+allow hal_health_default sysfs_battery:file r_file_perms;
allow hal_health_default sysfs_battery_writable:dir search;
-allow hal_health_default sysfs_battery_writable:file { getattr open read };
+allow hal_health_default sysfs_battery_writable:file r_file_perms;
allow hal_health_default sysfs_batteryinfo_charger_writable:dir search;
-allow hal_light_default sysfs_graphics:file { getattr open read write };
+allow hal_light_default sysfs_graphics:file rw_file_perms;
allow hal_light_default sysfs_virtual:dir search;
-allow hal_light_default sysfs_virtual:file { open write getattr };
+allow hal_light_default sysfs_virtual:file rw_file_perms;
# Allow LiveDisplay to store files under /data/vendor/display and access them
allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+
# Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;
-allow hal_power_default sysfs_graphics:file { getattr open read };
-allow hal_power_default sysfs_input:file { getattr open read };
-allow hal_power_default sysfs_virtual:dir { open read search };
-allow hal_power_default sysfs_virtual:file { getattr open read };
-allow hal_power_default sysfs_spi_writeable:dir { open read search };
+allow hal_power_default sysfs_graphics:file r_file_perms;
+allow hal_power_default sysfs_input:file r_file_perms;
+allow hal_power_default sysfs_virtual:dir r_dir_perms;
+allow hal_power_default sysfs_virtual:file r_file_perms;
+allow hal_power_default sysfs_spi_writeable:dir r_dir_perms;
allow hal_power_default sysfs_spi_writeable:file rw_file_perms;
-allow hal_power_default sysfs_touchscreen_writable:dir { open read search };
-# allow hal_power_default sysfs_touchscreen_writeable:file rw_file_perms;
+allow hal_power_default sysfs_touchscreen_writable:dir r_dir_perms;
-allow hal_sensors_default sysfs_iio:file { getattr open read };
+allow hal_sensors_default sysfs_iio:file r_file_perms;
allow hal_sensors_default sysfs_iio:lnk_file read;
-allow hal_sensors_default sysfs_virtual:dir { open read search };
-allow hal_sensors_default sysfs_virtual:file { read write open getattr };
+allow hal_sensors_default sysfs_virtual:dir r_dir_perms;
+allow hal_sensors_default sysfs_virtual:file rw_file_perms;
allow hal_sensors_default sysfs_virtual:lnk_file read;
-allow hal_sensors_default sysfs_lcd:file { open read };
-allow hal_sensors_default baro_delta_factoryapp_efs_file:file { open read };
+allow hal_sensors_default sysfs_lcd:file r_file_perms;
+allow hal_sensors_default baro_delta_factoryapp_efs_file:file r_file_perms;
allow hal_sensors_default sysfs_input:file read;
-allow hal_sensors_default sysfs_spi_writeable:file { read open write };
+allow hal_sensors_default sysfs_spi_writeable:file rw_file_perms;
allow init rild:unix_stream_socket connectto;
-allow init self:netlink_kobject_uevent_socket { create setopt };
-allow init socket_device:sock_file { create setattr unlink };
+allow init self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow init socket_device:sock_file create_file_perms;
allow init sysfs_devices_system_cpu:file write;
allow init vendor_data_file:fifo_file write;
allow init vendor_data_file:file append;
allow init efs_block_device:lnk_file relabelto;
allow init tmpfs:lnk_file create;
-allow init sysfs_virtual:file { open write setattr read };
+allow init sysfs_virtual:file create_file_perms;
allow init sysfs_virtual:lnk_file { read };
allow init sysfs:file setattr;
allow init sysfs_multipdp:file setattr;
allow init sysfs_input:file setattr;
allow init sysfs_lcd:file setattr;
allow init sysfs_mdnie:file setattr;
-allow init sysfs_modem:file { open write };
+allow init sysfs_modem:file w_file_perms;
allow init sysfs_battery_writable:file setattr;
allow init sysfs_mmc_host_writable:file setattr;
allow init sysfs_scsi_host_writable:file setattr;
allow init sysfs_power_writable:file setattr;
allow init sysfs_bt_writable:file setattr;
-allow init sysfs_graphics:file { setattr open read write };
+allow init sysfs_graphics:file create_file_perms;
allow init sysfs_touchscreen_writable:file setattr;
allow init system_server:binder { transfer call };
-allow init tee_device:chr_file { ioctl open read write };
+allow init tee_device:chr_file rw_file_perms;
allow init device:chr_file ioctl;
-allow init self:tcp_socket { getopt create bind connect };
+allow init self:tcp_socket create_socket_perms;
allow init node:tcp_socket node_bind;
allow init port:tcp_socket { name_bind name_connect };
allow init gps_vendor_data_file:fifo_file write;
allow init gps_vendor_data_file:file lock;
-allow init socket_device:sock_file { setattr unlink };
+allow init socket_device:sock_file create_file_perms;
allow init kernel:system module_request;
allow init proc:file setattr;
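Review bot: `create_file_perms` on `sysfs_virtual:file` and `sysfs_graphics:file` gives init `create`, `rename` and `unlink` on sysfs nodes, which the removed sets did not grant and which serve no purpose on sysfs. `allow init sysfs_virtual:file { rw_file_perms setattr };` (and the same for `sysfs_graphics`) covers the old permissions without them. The socket macros widen in the same way: `create_socket_perms_no_ioctl` and `create_socket_perms` replace `{ create setopt }` and `{ getopt create bind connect }` with the full read/write/bind/connect set, and `create_socket_perms` also adds `ioctl` on init's `tcp_socket`. The second `socket_device:sock_file` rule is now identical to the first and can be removed.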
allow kernel efs_file:dir search;
allow kernel device:chr_file { getattr setattr unlink create };
-allow kernel device:dir { add_name remove_name rmdir write };
+allow kernel device:dir create_dir_perms;
allow kernel self:capability { mknod };
allow lhd sysfs_virtual:dir search;
-allow lhd sysfs_virtual:file { open read write };
+allow lhd sysfs_virtual:file rw_file_perms;
allow lhd sysfs_virtual:lnk_file read;
allow lhd efs_file:dir search;
# /sys/class/video4linux/video6/name
-allow mediacodec sysfs_v4l:dir { search open read };
+allow mediacodec sysfs_v4l:dir r_dir_perms;
allow mediacodec sysfs_v4l_mfc:dir search;
-allow mediacodec sysfs_v4l_mfc:file { getattr open read };
+allow mediacodec sysfs_v4l_mfc:file r_file_perms;
allow netd self:capability sys_module;
-allow netd init:tcp_socket { setopt getopt read write };
+allow netd init:tcp_socket rw_socket_perms_no_ioctl;
allow netd sysfs_virtual:dir search;
-allow netd sysfs_virtual:file { write open };
+allow netd sysfs_virtual:file w_file_perms;
# /dev/mali0
-allow platform_app gpu_device:chr_file { ioctl read write };
+allow platform_app gpu_device:chr_file rw_file_perms;
# /dev/mali0
-allow priv_app gpu_device:chr_file { ioctl read write };
+allow priv_app gpu_device:chr_file rw_file_perms;
allow priv_app debugfs_ion:dir search;
allow priv_app debugfs_mali:dir search;
allow priv_app debugfs_mali_mem:dir search;
-allow priv_app sysfs_zram:file { getattr open read };
+allow priv_app sysfs_zram:file r_file_perms;
allow rild proc_net:file write;
-allow rild vendor_data_file:file { getattr setattr read write open };
+allow rild vendor_data_file:file create_file_perms;
# /dev/umts_ipc0
allow rild radio_device:chr_file ioctl;
-allow rild bin_nv_data_efs_file:file { setattr getattr read open write };
+allow rild bin_nv_data_efs_file:file create_file_perms;
-allow rild radio_vendor_data_file:file { create ioctl lock getattr read write open unlink };
-allow rild radio_vendor_data_file:dir { add_name write open read remove_name };
-allow rild radio_data_file:file { open read getattr write };
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild radio_vendor_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file rw_file_perms;
allow rild radio_data_file:dir search;
allow rild proc_qtaguid_stat:file read;
-allow rild factoryprop_efs_file:file { open read write };
+allow rild factoryprop_efs_file:file rw_file_perms;
allow rild init:file getattr;
# /dev/mali0
-allow surfaceflinger gpu_device:chr_file { ioctl read write };
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
# /dev/mali0
-allow system_app gpu_device:chr_file { ioctl read write };
+allow system_app gpu_device:chr_file rw_file_perms;
-allow system_app proc_pagetypeinfo:file { getattr open read };
+allow system_app proc_pagetypeinfo:file r_file_perms;
allow system_app sysfs_virtual:dir search;
# /dev/mali0
-allow system_server gpu_device:chr_file { ioctl read write };
+allow system_server gpu_device:chr_file rw_file_perms;
# memtrack HAL
allow system_server debugfs_mali:dir r_dir_perms;
allow system_server debugfs_mali:file r_file_perms;
-allow system_server debugfs_ion:file { getattr open read };
-allow system_server debugfs_mali_mem:file { getattr open read };
+allow system_server debugfs_ion:file r_file_perms;
+allow system_server debugfs_mali_mem:file r_file_perms;
-allow system_server frp_block_device:blk_file { getattr ioctl open read write };
+allow system_server frp_block_device:blk_file rw_file_perms;
allow system_server vendor_radio_prop:file { getattr open read };
allow tee efs_file:dir { search getattr };
-allow tee efs_file:file { getattr open read };
-allow tee gatekeeper_efs_file:dir { search open read };
-allow tee gatekeeper_efs_file:file { getattr open read };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
allow tee init:unix_stream_socket connectto;
allow tee property_socket:sock_file write;
allow tee prov_efs_file:dir search;
allow tee tee_prop:property_service set;
# /dev/t-base-tui
-allow tee tee_device:chr_file { ioctl open read };
+allow tee tee_device:chr_file r_file_perms;
-allow tee mobicore_vendor_data_file:dir { search open read };
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
allow tee mobicore_vendor_data_file:file rw_file_perms;
-allow toolbox ram_device:blk_file { open read write };
\ No newline at end of file
+allow toolbox ram_device:blk_file rw_file_perms;