From: Henrik Grimler
Date: Thu, 3 Sep 2020 18:35:10 +0000 (+0200)
Subject: Sepolicy: clean-up and use macros where suitable
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=ad8e59c231120c0f8118e9a844e05517aa41d5d3;p=GitHub%2Fexynos8895%2Fandroid_device_samsung_universal8895-common.git
Sepolicy: clean-up and use macros where suitable
Following suggestions by Stricted.
---
diff --git a/sepolicy/adbd.te b/sepolicy/adbd.te
index 29571b7..9becff0 100644
--- a/sepolicy/adbd.te
+++ b/sepolicy/adbd.te
@@ -1 +1 @@
-allow adbd proc_last_kmsg:file { getattr read open };
+allow adbd proc_last_kmsg:file r_file_perms;
diff --git a/sepolicy/apexd.te b/sepolicy/apexd.te
index f4ba197..25801cb 100644
--- a/sepolicy/apexd.te
+++ b/sepolicy/apexd.te
@@ -1 +1 @@
-allow apexd sysfs_virtual:file { read write open };
+allow apexd sysfs_virtual:file rw_file_perms;
diff --git a/sepolicy/cbd.te b/sepolicy/cbd.te
index f366e02..f1e3d01 100644
--- a/sepolicy/cbd.te
+++ b/sepolicy/cbd.te
@@ -1,2 +1,2 @@
-allow cbd factoryprop_efs_file:file { open read };
-allow cbd sysfs_info:file { open read };
+allow cbd factoryprop_efs_file:file r_file_perms;
+allow cbd sysfs_info:file r_file_perms;
diff --git a/sepolicy/hal_audio_default.te b/sepolicy/hal_audio_default.te
index 5e48823..bb5794c 100644
--- a/sepolicy/hal_audio_default.te
+++ b/sepolicy/hal_audio_default.te
@@ -3,11 +3,11 @@ allow hal_audio_default rild:unix_stream_socket connectto;
 allow hal_audio_default system_suspend_hwservice:hwservice_manager find;
 # /efs/maxim/rdc_cal
-allow hal_audio_default efs_file:file { read open };
+allow hal_audio_default efs_file:file r_file_perms;
 allow hal_audio_default efs_file:dir search;
 allow hal_audio_default imei_efs_file:dir search;
-allow hal_audio_default imei_efs_file:file { getattr open read };
+allow hal_audio_default imei_efs_file:file r_file_perms;
 allow hal_audio_default vendor_radio_prop:file { getattr open read };
 allow hal_audio_default init:unix_stream_socket connectto;
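Review bot: `allow hal_audio_default vendor_radio_prop:file { getattr open read };` is left in hand-written form two lines below the converted `imei_efs_file` rule, although reading a property file has its own macro: `get_prop(hal_audio_default, vendor_radio_prop)` expands to the equivalent `r_file_perms` rule and is the form the platform policy uses. The same unconverted pattern remains in `exported_camera_prop:file { getattr open read }` in hal_camera_default.te and `vendor_radio_prop:file { getattr open read }` in system_server.te. If these were skipped on purpose, a one-line comment such as `# kept explicit: see get_prop()` would stop the next clean-up from reopening the question.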
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
index 337ad33..0f0af54 100644
--- a/sepolicy/hal_bluetooth_default.te
+++ b/sepolicy/hal_bluetooth_default.te
@@ -1,2 +1,2 @@
 allow hal_bluetooth_default vendor_default_prop:property_service set;
-allow hal_bluetooth_default vendor_firmware_file:dir { open read };
+allow hal_bluetooth_default vendor_firmware_file:dir r_dir_perms;
diff --git a/sepolicy/hal_camera_default.te b/sepolicy/hal_camera_default.te
index d88db48..7311f67 100644
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@@ -1,17 +1,14 @@
 vndbinder_use(hal_camera_default)
-allow hal_camera_default vndbinder_device:chr_file { ioctl open write read };
+allow hal_camera_default vndbinder_device:chr_file r_file_perms;
 allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
 allow hal_camera_default hal_graphics_composer_default:fd use;
 allow hal_camera_default sysfs_virtual:dir search;
-allow hal_camera_default sysfs_virtual:file { getattr open read write };
+allow hal_camera_default sysfs_virtual:file rw_file_perms;
 allow hal_camera_default sysfs_camera:dir search;
-allow hal_camera_default sysfs_camera:file { getattr open read write };
+allow hal_camera_default sysfs_camera:file rw_file_perms;
 allow hal_camera_default exported_camera_prop:file { getattr open read };
 allow hal_camera_default camera_data_file:dir search;
-# add_hwservice(hal_camera_default, hal_vendor_multiframeprocessing_hwservice)
-# add_hwservice(hal_camera_default, hal_vendor_iva_hwservice)
-
 binder_call(hal_camera_default, system_server)
 binder_call(system_server, hal_camera_default)
diff --git a/sepolicy/hal_drm_widevine.te b/sepolicy/hal_drm_widevine.te
index 210fdb7..97c6652 100644
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
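Review bot: `allow hal_camera_default vndbinder_device:chr_file r_file_perms;` narrows the rule from `{ ioctl open write read }` to a read-only set, the opposite of what every other `{ ioctl open read write }` line in this commit becomes (`rw_file_perms`). It most likely keeps working only because `vndbinder_use(hal_camera_default)` on the line above already grants `vndbinder_device:chr_file rw_file_perms` (if this tree's macro matches AOSP's), which would make the explicit rule redundant rather than wrong. Either drop the line, or write `allow hal_camera_default vndbinder_device:chr_file rw_file_perms;` so it does not read as a deliberate restriction.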
@@ -15,10 +15,10 @@ allow hal_drm_widevine hal_allocator_server:fd use;
 allow hal_drm_widevine mediadrm_data_file:dir create_dir_perms;
 allow hal_drm_widevine mediadrm_data_file:file create_file_perms;
 allow hal_drm_widevine media_data_file:dir search;
-allow hal_drm_widevine vendor_data_file:dir { write create add_name } ;
-allow hal_drm_widevine vendor_data_file:file { create open read write getattr } ;
+allow hal_drm_widevine vendor_data_file:dir create_dir_perms;
+allow hal_drm_widevine vendor_data_file:file create_file_perms;
-allow hal_drm_widevine cpk_efs_file:file { open read getattr };
+allow hal_drm_widevine cpk_efs_file:file r_file_perms;
 allow hal_drm_widevine efs_file:dir search;
-allow hal_drm_widevine secmem_device:chr_file { open read write ioctl };
+allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
diff --git a/sepolicy/hal_fingerprint_default.te b/sepolicy/hal_fingerprint_default.te
index 76497fd..e35929b 100644
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@@ -1,5 +1,5 @@
 allow hal_fingerprint_default fingerprintd_data_file:dir write;
-allow hal_fingerprint_default tee_device:chr_file { ioctl open read write };
-allow hal_fingerprint_default fingerprint_device:chr_file { ioctl open read write };
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
 allow hal_fingerprint_default sysfs_virtual:dir search;
-allow hal_fingerprint_default sysfs_virtual:file { open read };
+allow hal_fingerprint_default sysfs_virtual:file r_file_perms;
diff --git a/sepolicy/hal_gatekeeper_default.te b/sepolicy/hal_gatekeeper_default.te
index 8ccc09c..be9e93e 100644
--- a/sepolicy/hal_gatekeeper_default.te
+++ b/sepolicy/hal_gatekeeper_default.te
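Review bot: `allow hal_drm_widevine vendor_data_file:dir create_dir_perms;` grants more than the `{ write create add_name }` it replaces: `create_dir_perms` also carries rmdir, remove_name, reparent and setattr on `vendor_data_file` directories. If the goal is only to tidy the syntax, `allow hal_drm_widevine vendor_data_file:dir { create rw_dir_perms };` covers the original set without the directory-removal rights; if the wider set is wanted because denials were seen, the commit message should say so. The `vendor_data_file:file create_file_perms` line on the next row likewise adds unlink and rename to `{ create open read write getattr }`, which may be acceptable for a data directory but is a widening rather than a clean-up.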
@@ -1,4 +1,4 @@
-allow hal_gatekeeper_default gatekeeper_efs_file:file { write open read };
+allow hal_gatekeeper_default gatekeeper_efs_file:file rw_file_perms;
 allow hal_gatekeeper_default gatekeeper_efs_file:dir search;
-allow hal_gatekeeper_default tee_device:chr_file { open read write };
+allow hal_gatekeeper_default tee_device:chr_file rw_file_perms;
 allow hal_gatekeeper_default efs_file:dir search;
diff --git a/sepolicy/hal_health_default.te b/sepolicy/hal_health_default.te
index 6d9c273..d8b9c55 100644
--- a/sepolicy/hal_health_default.te
+++ b/sepolicy/hal_health_default.te
@@ -1,8 +1,8 @@
 r_dir_file(hal_health_default, sysfs_charger)
 allow hal_health_default sysfs_charger:file rw_file_perms;
-allow hal_health_default sysfs_battery:dir { open read search };
-allow hal_health_default sysfs_battery:file { getattr open read };
+allow hal_health_default sysfs_battery:dir r_dir_perms;
+allow hal_health_default sysfs_battery:file r_file_perms;
 allow hal_health_default sysfs_battery_writable:dir search;
-allow hal_health_default sysfs_battery_writable:file { getattr open read };
+allow hal_health_default sysfs_battery_writable:file r_file_perms;
 allow hal_health_default sysfs_batteryinfo_charger_writable:dir search;
diff --git a/sepolicy/hal_light_default.te b/sepolicy/hal_light_default.te
index c1200d1..8fc3fe3 100644
--- a/sepolicy/hal_light_default.te
+++ b/sepolicy/hal_light_default.te
@@ -1,3 +1,3 @@
-allow hal_light_default sysfs_graphics:file { getattr open read write };
+allow hal_light_default sysfs_graphics:file rw_file_perms;
 allow hal_light_default sysfs_virtual:dir search;
-allow hal_light_default sysfs_virtual:file { open write getattr };
+allow hal_light_default sysfs_virtual:file rw_file_perms;
diff --git a/sepolicy/hal_lineage_livedisplay_sysfs.te b/sepolicy/hal_lineage_livedisplay_sysfs.te
index 1f4db7b..cef5b99 100644
--- a/sepolicy/hal_lineage_livedisplay_sysfs.te
+++ b/sepolicy/hal_lineage_livedisplay_sysfs.te
@@ -1,6 +1,7 @@
 # Allow LiveDisplay to store files under /data/vendor/display and access them
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+
 # Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
 allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
 allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;
diff --git a/sepolicy/hal_power_default.te b/sepolicy/hal_power_default.te
index 975d3c8..dbc59b0 100644
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@@ -1,8 +1,7 @@
-allow hal_power_default sysfs_graphics:file { getattr open read };
-allow hal_power_default sysfs_input:file { getattr open read };
-allow hal_power_default sysfs_virtual:dir { open read search };
-allow hal_power_default sysfs_virtual:file { getattr open read };
-allow hal_power_default sysfs_spi_writeable:dir { open read search };
+allow hal_power_default sysfs_graphics:file r_file_perms;
+allow hal_power_default sysfs_input:file r_file_perms;
+allow hal_power_default sysfs_virtual:dir r_dir_perms;
+allow hal_power_default sysfs_virtual:file r_file_perms;
+allow hal_power_default sysfs_spi_writeable:dir r_dir_perms;
 allow hal_power_default sysfs_spi_writeable:file rw_file_perms;
-allow hal_power_default sysfs_touchscreen_writable:dir { open read search };
-# allow hal_power_default sysfs_touchscreen_writeable:file rw_file_perms;
+allow hal_power_default sysfs_touchscreen_writable:dir r_dir_perms;
diff --git a/sepolicy/hal_sensors_default.te b/sepolicy/hal_sensors_default.te
index 7df26ae..ac1475d 100644
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@@ -1,9 +1,9 @@
-allow hal_sensors_default sysfs_iio:file { getattr open read };
+allow hal_sensors_default sysfs_iio:file r_file_perms;
 allow hal_sensors_default sysfs_iio:lnk_file read;
-allow hal_sensors_default sysfs_virtual:dir { open read search };
-allow hal_sensors_default sysfs_virtual:file { read write open getattr };
+allow hal_sensors_default sysfs_virtual:dir r_dir_perms;
+allow hal_sensors_default sysfs_virtual:file rw_file_perms;
 allow hal_sensors_default sysfs_virtual:lnk_file read;
-allow hal_sensors_default sysfs_lcd:file { open read };
-allow hal_sensors_default baro_delta_factoryapp_efs_file:file { open read };
+allow hal_sensors_default sysfs_lcd:file r_file_perms;
+allow hal_sensors_default baro_delta_factoryapp_efs_file:file r_file_perms;
 allow hal_sensors_default sysfs_input:file read;
-allow hal_sensors_default sysfs_spi_writeable:file { read open write };
+allow hal_sensors_default sysfs_spi_writeable:file rw_file_perms;
diff --git a/sepolicy/init.te b/sepolicy/init.te
index 438154f..e5ca5f0 100644
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@@ -1,6 +1,6 @@
 allow init rild:unix_stream_socket connectto;
-allow init self:netlink_kobject_uevent_socket { create setopt };
-allow init socket_device:sock_file { create setattr unlink };
+allow init self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow init socket_device:sock_file create_file_perms;
 allow init sysfs_devices_system_cpu:file write;
 allow init vendor_data_file:fifo_file write;
 allow init vendor_data_file:file append;
@@ -15,7 +15,7 @@ allow init efs_file:dir mounton;
 allow init efs_block_device:lnk_file relabelto;
 allow init tmpfs:lnk_file create;
-allow init sysfs_virtual:file { open write setattr read };
+allow init sysfs_virtual:file create_file_perms;
 allow init sysfs_virtual:lnk_file { read };
 allow init sysfs:file setattr;
 allow init sysfs_multipdp:file setattr;
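Review bot: `allow init self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;` replaces `{ create setopt }` with the full socket set (bind, connect, read, write, shutdown, …), a widening the "use macros where suitable" goal does not call for; the two-permission form was already minimal and should stay. In the same hunk, `allow init socket_device:sock_file create_file_perms;` becomes byte-identical to the rule that the `@@ -24,24` hunk of init.te below produces from `{ setattr unlink }`, so one of the two can be deleted. In the `@@ -15,7` hunk, `create_file_perms` on `sysfs_virtual:file` adds create, unlink and rename to the original `{ open write setattr read }`; `allow init sysfs_virtual:file { rw_file_perms setattr };` reproduces that grant exactly.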
@@ -24,24 +24,24 @@ allow init sysfs_charger:file setattr;
 allow init sysfs_input:file setattr;
 allow init sysfs_lcd:file setattr;
 allow init sysfs_mdnie:file setattr;
-allow init sysfs_modem:file { open write };
+allow init sysfs_modem:file w_file_perms;
 allow init sysfs_battery_writable:file setattr;
 allow init sysfs_mmc_host_writable:file setattr;
 allow init sysfs_scsi_host_writable:file setattr;
 allow init sysfs_power_writable:file setattr;
 allow init sysfs_bt_writable:file setattr;
-allow init sysfs_graphics:file { setattr open read write };
+allow init sysfs_graphics:file create_file_perms;
 allow init sysfs_touchscreen_writable:file setattr;
 allow init system_server:binder { transfer call };
-allow init tee_device:chr_file { ioctl open read write };
+allow init tee_device:chr_file rw_file_perms;
 allow init device:chr_file ioctl;
-allow init self:tcp_socket { getopt create bind connect };
+allow init self:tcp_socket create_socket_perms;
 allow init node:tcp_socket node_bind;
 allow init port:tcp_socket { name_bind name_connect };
 allow init gps_vendor_data_file:fifo_file write;
 allow init gps_vendor_data_file:file lock;
-allow init socket_device:sock_file { setattr unlink };
+allow init socket_device:sock_file create_file_perms;
 allow init kernel:system module_request;
 allow init proc:file setattr;
diff --git a/sepolicy/kernel.te b/sepolicy/kernel.te
index 61182ed..a544b68 100644
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@@ -4,5 +4,5 @@ allow kernel sensor_factoryapp_efs_file:file open;
 allow kernel efs_file:dir search;
 allow kernel device:chr_file { getattr setattr unlink create };
-allow kernel device:dir { add_name remove_name rmdir write };
+allow kernel device:dir create_dir_perms;
 allow kernel self:capability { mknod };
diff --git a/sepolicy/lhd.te b/sepolicy/lhd.te
index d6594b0..b959cf7 100644
--- a/sepolicy/lhd.te
+++ b/sepolicy/lhd.te
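Review bot: `allow init self:tcp_socket create_socket_perms;` turns `{ getopt create bind connect }` into the full read/write/setopt/shutdown/ioctl set on init's TCP sockets, and `allow init sysfs_graphics:file create_file_perms;` turns `{ setattr open read write }` into a set that also includes create, unlink and rename. Neither widening follows from the clean-up goal; `allow init sysfs_graphics:file { rw_file_perms setattr };` matches the old grant exactly, and the tcp_socket line should keep its explicit four permissions unless new denials call for more.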
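Review bot: `allow kernel device:dir create_dir_perms;` replaces `{ add_name remove_name rmdir write }` with a macro that additionally grants create, reparent, setattr and the read/search permissions on `device` directories to the kernel domain. `allow kernel device:dir { rw_dir_perms rmdir };` is the closest macro form that still covers the original four permissions without the extra ones; if the wider set is intended, it deserves a sentence in the commit message.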
@@ -1,4 +1,4 @@
 allow lhd sysfs_virtual:dir search;
-allow lhd sysfs_virtual:file { open read write };
+allow lhd sysfs_virtual:file rw_file_perms;
 allow lhd sysfs_virtual:lnk_file read;
 allow lhd efs_file:dir search;
diff --git a/sepolicy/mediacodec.te b/sepolicy/mediacodec.te
index 090ac16..c07136f 100644
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@@ -1,4 +1,4 @@
 # /sys/class/video4linux/video6/name
-allow mediacodec sysfs_v4l:dir { search open read };
+allow mediacodec sysfs_v4l:dir r_dir_perms;
 allow mediacodec sysfs_v4l_mfc:dir search;
-allow mediacodec sysfs_v4l_mfc:file { getattr open read };
+allow mediacodec sysfs_v4l_mfc:file r_file_perms;
diff --git a/sepolicy/netd.te b/sepolicy/netd.te
index 0b8df2c..1e3fdb6 100644
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@@ -1,5 +1,5 @@
 allow netd self:capability sys_module;
-allow netd init:tcp_socket { setopt getopt read write };
+allow netd init:tcp_socket rw_socket_perms_no_ioctl;
 allow netd sysfs_virtual:dir search;
-allow netd sysfs_virtual:file { write open };
+allow netd sysfs_virtual:file w_file_perms;
diff --git a/sepolicy/platform_app.te b/sepolicy/platform_app.te
index 8a50549..69e0abd 100644
--- a/sepolicy/platform_app.te
+++ b/sepolicy/platform_app.te
@@ -1,2 +1,2 @@
 # /dev/mali0
-allow platform_app gpu_device:chr_file { ioctl read write };
+allow platform_app gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/priv_app.te b/sepolicy/priv_app.te
index bb7268d..85dbf18 100644
--- a/sepolicy/priv_app.te
+++ b/sepolicy/priv_app.te
@@ -1,8 +1,8 @@
 # /dev/mali0
-allow priv_app gpu_device:chr_file { ioctl read write };
+allow priv_app gpu_device:chr_file rw_file_perms;
 allow priv_app debugfs_ion:dir search;
 allow priv_app debugfs_mali:dir search;
 allow priv_app debugfs_mali_mem:dir search;
-allow priv_app sysfs_zram:file { getattr open read };
+allow priv_app sysfs_zram:file r_file_perms;
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
index e5fde14..eef06d8 100644
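Review bot: `allow netd init:tcp_socket rw_socket_perms_no_ioctl;` in netd.te lets netd also bind, connect, shutdown and setattr on TCP sockets it inherits from init, where the old rule granted only `{ setopt getopt read write }`. The old set was already a specific, readable grant for operating on an inherited socket; keep it unless denials for the additional operations have actually been observed.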
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@@ -1,19 +1,19 @@
 allow rild proc_net:file write;
-allow rild vendor_data_file:file { getattr setattr read write open };
+allow rild vendor_data_file:file create_file_perms;
 # /dev/umts_ipc0
 allow rild radio_device:chr_file ioctl;
-allow rild bin_nv_data_efs_file:file { setattr getattr read open write };
+allow rild bin_nv_data_efs_file:file create_file_perms;
-allow rild radio_vendor_data_file:file { create ioctl lock getattr read write open unlink };
-allow rild radio_vendor_data_file:dir { add_name write open read remove_name };
-allow rild radio_data_file:file { open read getattr write };
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild radio_vendor_data_file:dir rw_dir_perms;
+allow rild radio_data_file:file rw_file_perms;
 allow rild radio_data_file:dir search;
 allow rild proc_qtaguid_stat:file read;
-allow rild factoryprop_efs_file:file { open read write };
+allow rild factoryprop_efs_file:file rw_file_perms;
 allow rild init:file getattr;
diff --git a/sepolicy/surfaceflinger.te b/sepolicy/surfaceflinger.te
index c4dd4ad..04ef544 100644
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@@ -1,2 +1,2 @@
 # /dev/mali0
-allow surfaceflinger gpu_device:chr_file { ioctl read write };
+allow surfaceflinger gpu_device:chr_file rw_file_perms;
diff --git a/sepolicy/system_app.te b/sepolicy/system_app.te
index 5c9f47d..373b1cc 100644
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@@ -1,5 +1,5 @@
 # /dev/mali0
-allow system_app gpu_device:chr_file { ioctl read write };
+allow system_app gpu_device:chr_file rw_file_perms;
-allow system_app proc_pagetypeinfo:file { getattr open read };
+allow system_app proc_pagetypeinfo:file r_file_perms;
 allow system_app sysfs_virtual:dir search;
diff --git a/sepolicy/system_server.te b/sepolicy/system_server.te
index 9c18b71..1d0bc5c 100644
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
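Review bot: `allow rild bin_nv_data_efs_file:file create_file_perms;` extends `{ setattr getattr read open write }` with create, unlink and rename on what is presumably the modem NV data under /efs, and `allow rild vendor_data_file:file create_file_perms;` does the same for `{ getattr setattr read write open }`. `{ rw_file_perms setattr }` is the macro form that reproduces both original grants without letting rild delete or replace those files. The `radio_vendor_data_file:file` line a few rows down genuinely needs `create_file_perms`, since its old set already had create and unlink, so the three rules should not be collapsed to the same macro.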
@@ -1,11 +1,11 @@
 # /dev/mali0
-allow system_server gpu_device:chr_file { ioctl read write };
+allow system_server gpu_device:chr_file rw_file_perms;
 # memtrack HAL
 allow system_server debugfs_mali:dir r_dir_perms;
 allow system_server debugfs_mali:file r_file_perms;
-allow system_server debugfs_ion:file { getattr open read };
-allow system_server debugfs_mali_mem:file { getattr open read };
+allow system_server debugfs_ion:file r_file_perms;
+allow system_server debugfs_mali_mem:file r_file_perms;
-allow system_server frp_block_device:blk_file { getattr ioctl open read write };
+allow system_server frp_block_device:blk_file rw_file_perms;
 allow system_server vendor_radio_prop:file { getattr open read };
diff --git a/sepolicy/tee.te b/sepolicy/tee.te
index d56f72c..667c8be 100644
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@@ -1,7 +1,7 @@
 allow tee efs_file:dir { search getattr };
-allow tee efs_file:file { getattr open read };
-allow tee gatekeeper_efs_file:dir { search open read };
-allow tee gatekeeper_efs_file:file { getattr open read };
+allow tee efs_file:file r_file_perms;
+allow tee gatekeeper_efs_file:dir r_dir_perms;
+allow tee gatekeeper_efs_file:file r_file_perms;
 allow tee init:unix_stream_socket connectto;
 allow tee property_socket:sock_file write;
 allow tee prov_efs_file:dir search;
@@ -9,7 +9,7 @@ allow tee system_prop:property_service set;
 allow tee tee_prop:property_service set;
 # /dev/t-base-tui
-allow tee tee_device:chr_file { ioctl open read };
+allow tee tee_device:chr_file r_file_perms;
-allow tee mobicore_vendor_data_file:dir { search open read };
+allow tee mobicore_vendor_data_file:dir r_dir_perms;
 allow tee mobicore_vendor_data_file:file rw_file_perms;
diff --git a/sepolicy/toolbox.te b/sepolicy/toolbox.te
index 57dec0a..9da247e 100644
--- a/sepolicy/toolbox.te
+++ b/sepolicy/toolbox.te
@@ -1 +1 @@
-allow toolbox ram_device:blk_file { open read write };
\ No newline at end of file
+allow toolbox ram_device:blk_file rw_file_perms;