authorArian <arian.kulmer@web.de>2020-12-11 00:07:18 +0100
committerArian <arian.kulmer@web.de>2020-12-21 19:20:35 +0100
commitf12ef27cb9fc9f9cda9078230c5ab5b4ce0d4d93 (patch)
tree6578430d6f24122fc5904c34220cb205345ba28a /sepolicy
parentd3c930897d2429bedcfbd713dae369b53840f97b (diff)
shinano-common: Cleanup sepolicy
Change-Id: If615758376413b16fcc80addd03a9ba5cd388e8a
Diffstat (limited to 'sepolicy')
-rw-r--r--sepolicy/adsprpcd.te7
-rw-r--r--sepolicy/audioserver.te3
-rw-r--r--sepolicy/bluetooth.te3
-rw-r--r--sepolicy/brcm_uim.te10
-rw-r--r--sepolicy/credmgrd.te21
-rw-r--r--sepolicy/dontaudit.te1
-rw-r--r--sepolicy/file.te29
-rw-r--r--sepolicy/file_contexts47
-rw-r--r--sepolicy/hal_bluetooth_default.te1
-rw-r--r--sepolicy/hal_lineage_touch_default.te4
-rw-r--r--sepolicy/hal_nfc_default.te (renamed from sepolicy/hal_nfc_defaul.te)2
-rw-r--r--sepolicy/hal_wifi_default.te3
-rw-r--r--sepolicy/hci_attach.te12
-rw-r--r--sepolicy/init.te13
-rw-r--r--sepolicy/ioctl_defines22
-rw-r--r--sepolicy/ioctl_macros25
-rw-r--r--sepolicy/keystore.te5
-rw-r--r--sepolicy/mediaserver.te11
-rw-r--r--sepolicy/mlog_qmi.te13
-rw-r--r--sepolicy/property.te5
-rw-r--r--sepolicy/property_contexts11
-rw-r--r--sepolicy/qseecomd.te23
-rw-r--r--sepolicy/rild.te2
-rw-r--r--sepolicy/scd.te8
-rw-r--r--sepolicy/sct.te3
-rw-r--r--sepolicy/sensors.te4
-rw-r--r--sepolicy/service_contexts5
-rw-r--r--sepolicy/tad.te14
-rw-r--r--sepolicy/tfa_amp.te10
-rw-r--r--sepolicy/uim.te22
-rw-r--r--sepolicy/vendor_init.te5
31 files changed, 158 insertions, 186 deletions
diff --git a/sepolicy/adsprpcd.te b/sepolicy/adsprpcd.te
deleted file mode 100644
index 8dcef13..0000000
--- a/sepolicy/adsprpcd.te
+++ /dev/null
@@ -1,7 +0,0 @@
-# access to qseecom qdsp_device
-allow adsprpcd tee_device:chr_file rw_file_perms;
-allowxperm adsprpcd tee_device:chr_file ioctl qseecom_sock_ipc_ioctls;
-
-# access to qseecom qdsp_device
-allow adsprpcd qdsp_device:chr_file rw_file_perms;
-allowxperm adsprpcd qdsp_device:chr_file ioctl adsprpcd_ioctls;
diff --git a/sepolicy/audioserver.te b/sepolicy/audioserver.te
deleted file mode 100644
index 67f2692..0000000
--- a/sepolicy/audioserver.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow audioserver tad_socket:sock_file write;
-allow audioserver tad:unix_stream_socket connectto;
-
diff --git a/sepolicy/bluetooth.te b/sepolicy/bluetooth.te
deleted file mode 100644
index 1ae7ff4..0000000
--- a/sepolicy/bluetooth.te
+++ /dev/null
@@ -1,3 +0,0 @@
-allow bluetooth hci_attach_dev:chr_file { open read write };
-allow bluetooth ta_data_file:file { open read };
-allow bluetooth ta_data_file:dir { search };
diff --git a/sepolicy/brcm_uim.te b/sepolicy/brcm_uim.te
new file mode 100644
index 0000000..dbb84c4
--- /dev/null
+++ b/sepolicy/brcm_uim.te
@@ -0,0 +1,10 @@
+init_daemon_domain(brcm_uim)
+
+allow brcm_uim bluetooth_data_file:dir search;
+allow brcm_uim bluetooth_data_file:file r_file_perms;
+allow brcm_uim sysfs_bluetooth_writable:dir search;
+allow brcm_uim sysfs_bluetooth_writable:file rw_file_perms;
+allow brcm_uim serial_device:chr_file rw_file_perms;
+allow brcm_uim self:capability net_admin;
+
+get_prop(brcm_uim, bluetooth_prop)
diff --git a/sepolicy/credmgrd.te b/sepolicy/credmgrd.te
new file mode 100644
index 0000000..5d185e2
--- /dev/null
+++ b/sepolicy/credmgrd.te
@@ -0,0 +1,21 @@
+init_daemon_domain(credmgrd)
+
+allow credmgrd credmgrd_socket:dir rw_dir_perms;
+allow credmgrd credmgrd_socket:sock_file create_file_perms;
+allow credmgrd firmware_file:dir search;
+allow credmgrd firmware_file:file r_file_perms;
+allow credmgrd ion_device:chr_file rw_file_perms;
+allow credmgrd tad:unix_stream_socket connectto;
+allow credmgrd tad_socket:sock_file rw_file_perms;
+allow credmgrd tee_device:chr_file rw_file_perms;
+allow credmgrd vendor_toolbox_exec:file rx_file_perms;
+
+allow credmgrd cache_file:dir create_dir_perms;
+allow credmgrd cache_file:file create_file_perms;
+
+# Needed to create /data/credmgr
+allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };
+allow credmgrd credmgrd_data_file:dir { create_dir_perms relabelto };
+allow credmgrd credmgrd_data_file:file create_file_perms;
+
+set_prop(credmgrd, credmgrd_prop)
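Review bot: The rule `allow credmgrd system_data_file:dir { create_dir_perms relabelfrom };` under `# Needed to create /data/credmgr` lets the daemon create and relabel directories anywhere labelled system_data_file, which covers most of /data rather than just /data/credmgr. The vendor_init.te hunk in this same commit already grants `vendor_init credmgrd_data_file:dir create_dir_perms`, so if /data/credmgr is created by a mkdir in the init script with the file_contexts label applied, credmgrd needs only the credmgrd_data_file rules and both the system_data_file line and the `relabelto` on credmgrd_data_file can be dropped. If the daemon must create the directory itself, the comment should say why init cannot, since this is the one rule in the file that reaches outside the daemon's own types. The `cache_file:dir create_dir_perms` and `cache_file:file create_file_perms` grants are similarly broad and undocumented; a one-line comment naming what is written under /cache would make them reviewable.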
diff --git a/sepolicy/dontaudit.te b/sepolicy/dontaudit.te
new file mode 100644
index 0000000..2ddef4b
--- /dev/null
+++ b/sepolicy/dontaudit.te
@@ -0,0 +1 @@
+dontaudit domain credmgrd_exec:file *;
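Review bot: `dontaudit domain credmgrd_exec:file *;` silences every permission, including execute and write, for every domain against credmgrd_exec, a label that file_contexts in this commit also applies to credmgrfirstboot.sh and suntrold. A denial of some unrelated domain executing or writing these binaries is exactly what the audit log should still show, so the rule should name the noisy permission and, where known, the noisy source domain, for example `dontaudit domain credmgrd_exec:file getattr;` if the noise comes from stat-style probes. A comment recording which denial prompted the rule would let the next maintainer judge whether it is still needed.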
diff --git a/sepolicy/file.te b/sepolicy/file.te
index 89b414c..e119d27 100644
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@@ -1,4 +1,29 @@
-# BRCM BT FM
-type brcm_ldisc_sysfs, sysfs_type, fs_type;
+# Bluetooth
+type brcm_uim, domain;
type brcm_uim_exec, exec_type, file_type;
+# Credential manager
+type credmgrd, domain;
+type credmgrd_exec, exec_type, file_type;
+type credmgrd_data_file, file_type, data_file_type, core_data_file_type;
+type credmgrd_socket, file_type;
+type credmgrd_firmware, file_type;
+
+# Modem
+type mlog_qmi, domain;
+type mlog_qmi_exec, exec_type, file_type;
+
+# SCD
+type scd, domain;
+type scd_exec, exec_type, file_type;
+type scd_data_file, file_type, data_file_type, core_data_file_type;
+
+# SCT
+type sct, domain;
+type sct_exec, exec_type, file_type;
+
+# Trim Area
+type tad, domain;
+type tad_socket, file_type;
+type ta_data_file, file_type;
+type tad_exec, exec_type, file_type;
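Review bot: `type credmgrd_firmware, file_type;` is declared but nothing in this commit labels a path with it or grants access to it, and credmgrd.te reads `firmware_file` instead, so the type looks dead and should either be removed or get a file_contexts entry. Separately, `credmgrd_data_file` and `scd_data_file` carry `core_data_file_type` while their daemons are labelled under `/(vendor|system/vendor)/bin` in file_contexts; on platform versions that enforce the system/vendor split that attribute marks data owned by core domains and may be rejected by a neverallow, so it is worth confirming the build's policy accepts it before merging. `ta_data_file` likewise has no remaining user in this diff once bluetooth.te and uim.te are deleted, although a user may exist in files not shown here.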
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
index a055d4e..d95a492 100644
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@@ -1,28 +1,47 @@
# Audio
-/dev/tfa98xx u:object_r:audio_device:s0
-/system/vendor/bin/tfa9890_amp u:object_r:tfa_amp_exec:s0
+/dev/tfa98xx u:object_r:audio_device:s0
# Bluetooth
-/system/vendor/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
-
-# HCI
-/dev/ttyHS0 u:object_r:hci_attach_dev:s0
-/dev/brcm_bt_drv u:object_r:hci_attach_dev:s0
+/dev/brcm_bt_drv u:object_r:serial_device:s0
+/sys/devices/bcm4339\.82/rfkill/rfkill0(/.*)? u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/platform/bcm_ldisc(/.*)? u:object_r:sysfs_bluetooth_writable:s0
+/(vendor|system/vendor)/bin/brcm-uim-sysfs u:object_r:brcm_uim_exec:s0
+
+# Camera flash
+/sys/devices/pm8941-flash-[0-9]+(/.*)? u:object_r:sysfs_graphics:s0
+
+# Credential Manager
+/data/credmgr(/.*)? u:object_r:credmgrd_data_file:s0
+/data/suntory(/.*)? u:object_r:credmgrd_data_file:s0
+/dev/socket/credmgr u:object_r:credmgrd_socket:s0
+/dev/socket/suntory(/.*)? u:object_r:credmgrd_socket:s0
+/(vendor|system/vendor)/bin/credmgrd u:object_r:credmgrd_exec:s0
+/(vendor|system/vendor)/bin/credmgrfirstboot\.sh u:object_r:credmgrd_exec:s0
+/(vendor|system/vendor)/bin/suntrold u:object_r:credmgrd_exec:s0
# Lineage hardware
-/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.shinano u:object_r:hal_lineage_touch_default_exec:s0
# Modem
-/system/vendor/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
+/(vendor|system/vendor)/bin/mlog_qmi_service u:object_r:mlog_qmi_exec:s0
# NFC
-/dev/pn547 u:object_r:nfc_device:s0
+/dev/pn547 u:object_r:nfc_device:s0
+
+# SCD
+/data/scd(/.*)? u:object_r:scd_data_file:s0
+/dev/socket/scd(/.*)? u:object_r:camera_socket:s0
+/(vendor|system/vendor)/bin/scd u:object_r:scd_exec:s0
-# Quick Charge
-/system/vendor/bin/hvdcp u:object_r:hvdcp_exec:s0
+# SCT
+/(vendor|system/vendor)/bin/sct_service u:object_r:sct_exec:s0
# Trim Area daemon
-/system/vendor/bin/tad_static u:object_r:tad_exec:s0
+/dev/socket/tad u:object_r:tad_socket:s0
+/(vendor|system/vendor)/bin/tad_static u:object_r:tad_exec:s0
+/(vendor|system/vendor)/bin/ta_qmi_service u:object_r:tad_exec:s0
+/(vendor|system/vendor)/bin/taimport u:object_r:tad_exec:s0
+/(vendor|system/vendor)/bin/updatemiscta u:object_r:tad_exec:s0
# WIFI
-/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
+/sys/module/bcmdhd/parameters/firmware_path u:object_r:sysfs_wlan_fwpath:s0
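Review bot: `/dev/brcm_bt_drv u:object_r:serial_device:s0` replaces the dedicated hci_attach_dev label with the generic serial_device type, so every domain that already holds serial_device access, not only brcm_uim, now reaches the Bluetooth driver node; a device-specific type such as the one being removed keeps that surface to the one daemon. The same trade-off appears in `/sys/devices/pm8941-flash-[0-9]+(/.*)? u:object_r:sysfs_graphics:s0`, which folds the camera flash control nodes into a label that mediaserver.te in this commit grants rw on, and in `/dev/socket/scd(/.*)? u:object_r:camera_socket:s0`, which lets any camera_socket client connect to scd. If the label reuse is deliberate, a comment on each of those lines naming the client that needs the shared label would document why a dedicated type was not used.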
diff --git a/sepolicy/hal_bluetooth_default.te b/sepolicy/hal_bluetooth_default.te
new file mode 100644
index 0000000..8c2646b
--- /dev/null
+++ b/sepolicy/hal_bluetooth_default.te
@@ -0,0 +1 @@
+r_dir_file(hal_bluetooth_default, firmware_file)
diff --git a/sepolicy/hal_lineage_touch_default.te b/sepolicy/hal_lineage_touch_default.te
index d76d54b..a3a2185 100644
--- a/sepolicy/hal_lineage_touch_default.te
+++ b/sepolicy/hal_lineage_touch_default.te
@@ -1,2 +1,2 @@
-allow hal_lineage_touch_default sysfs_touch:dir search;
-allow hal_lineage_touch_default sysfs_touch:file rw_file_perms;
+allow hal_lineage_touch_default sysfs_securetouch:dir search;
+allow hal_lineage_touch_default sysfs_securetouch:file rw_file_perms;
diff --git a/sepolicy/hal_nfc_defaul.te b/sepolicy/hal_nfc_default.te
index da1a6c7..de6dea4 100644
--- a/sepolicy/hal_nfc_defaul.te
+++ b/sepolicy/hal_nfc_default.te
@@ -1,2 +1,2 @@
-allow hal_nfc_default nfc_data_file:dir rw_dir_perms;
+allow hal_nfc_default nfc_data_file:dir search;
allow hal_nfc_default nfc_data_file:file create_file_perms;
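Review bot: After this change hal_nfc_default keeps `nfc_data_file:file create_file_perms` but holds only `nfc_data_file:dir search`, and creating or unlinking a file also needs `write`/`add_name` (and `remove_name`) on the parent directory, so new-file creation under nfc_data_file will now be denied while the file-level rule still advertises it. Either the files always pre-exist, in which case the file rule can shrink to `allow hal_nfc_default nfc_data_file:file rw_file_perms;`, or the directory rule should be `allow hal_nfc_default nfc_data_file:dir { search write add_name remove_name };` rather than plain search. An audit log from a first boot would show which of the two is the case.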
diff --git a/sepolicy/hal_wifi_default.te b/sepolicy/hal_wifi_default.te
index 83649e5..d0e52d6 100644
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@@ -1,2 +1 @@
-allow hal_wifi_default firmware_file:dir r_dir_perms;
-allow hal_wifi_default firmware_file:file r_file_perms;
+r_dir_file(hal_wifi_default, firmware_file)
diff --git a/sepolicy/hci_attach.te b/sepolicy/hci_attach.te
deleted file mode 100644
index 02ce60c..0000000
--- a/sepolicy/hci_attach.te
+++ /dev/null
@@ -1,12 +0,0 @@
-type hci_attach, domain;
-type hci_attach_exec, exec_type, file_type;
-
-init_daemon_domain(hci_attach)
-
-set_prop(hci_attach, wifi_prop)
-
-allow hci_attach bluetooth_data_file:dir search;
-allow hci_attach bluetooth_data_file:file r_file_perms;
-allow hci_attach bluetooth_prop:property_service set;
-allow hci_attach hci_attach_dev:chr_file rw_file_perms;
-allow hci_attach hci_attach_exec:file execute_no_trans;
diff --git a/sepolicy/init.te b/sepolicy/init.te
deleted file mode 100644
index bda5e8b..0000000
--- a/sepolicy/init.te
+++ /dev/null
@@ -1,13 +0,0 @@
-# FM BCM
-allow init hci_attach_dev:chr_file rw_file_perms;
-allow init brcm_uim_exec:file { execute getattr read open };
-allow init brcm_ldisc_sysfs:lnk_file { read };
-allow init uim:process { siginh noatsecure transition rlimitinh };
-allow init tmpfs:lnk_file { relabelfrom };
-
-# adsprpcd access to qseecom and qdsp_device
-allow init tee_device:chr_file rw_file_perms;
-allow init qdsp_device:chr_file rw_file_perms;
-
-# Touch
-allow init sysfs_touch:file setattr;
diff --git a/sepolicy/ioctl_defines b/sepolicy/ioctl_defines
deleted file mode 100644
index 58c1243..0000000
--- a/sepolicy/ioctl_defines
+++ /dev/null
@@ -1,22 +0,0 @@
-# socket ioctls defined in the kernel in ? --> BT
-define(`TCGETS', `0x00005401')
-define(`TCSETS', `0x00005402')
-define(`TCFLSH', `0x0000540b')
-define(`TIOCSETD', `0x00005423')
-define(`IOCTLUNKNOWN', `0x000055c8')
-
-# ioctls for audio dsp defined in kernel in include/linux/msm_adsp.h
-define(`ADSP_IOCTL_ENABLE', `0x00005201')
-define(`ADSP_IOCTL_DISABLE', `0x00005202')
-define(`ADSP_IOCTL_DISABLE_ACK', `0x00005203')
-define(`ADSP_IOCTL_WRITE_COMMAND', `0x00005204')
-define(`ADSP_IOCTL_GET_EVENT', `0x00005205')
-define(`ADSP_IOCTL_SET_CLKRATE', `0x00005206')
-define(`ADSP_IOCTL_DISABLE_EVENT_RSP', `0x0000520a')
-define(`ADSP_IOCTL_REGISTER_PMEM', `0x0000520d')
-define(`ADSP_IOCTL_UNREGISTER_PMEM', `0x0000520e')
-define(`ADSP_IOCTL_ABORT_EVENT_READ', `0x0000520f')
-define(`ADSP_IOCTL_LINK_TASK', `0x00005210')
-
-# ioctls for mlog_qmi; extracted from the log
-define(`MLOG_QMI_UNKNOWN', `0x0000c304')
diff --git a/sepolicy/ioctl_macros b/sepolicy/ioctl_macros
deleted file mode 100644
index 6756faf..0000000
--- a/sepolicy/ioctl_macros
+++ /dev/null
@@ -1,25 +0,0 @@
-define(`uim_sock_ipc_ioctls', `{
-TCGETS
-TCSETS
-TCFLSH
-TIOCSETD
-IOCTLUNKNOWN
-}')
-
-define(`adsprpcd_ioctls', `{
-ADSP_IOCTL_ENABLE
-ADSP_IOCTL_DISABLE
-ADSP_IOCTL_DISABLE_ACK
-ADSP_IOCTL_WRITE_COMMAND
-ADSP_IOCTL_GET_EVENT
-ADSP_IOCTL_SET_CLKRATE
-ADSP_IOCTL_DISABLE_EVENT_RSP
-ADSP_IOCTL_REGISTER_PMEM
-ADSP_IOCTL_UNREGISTER_PMEM
-ADSP_IOCTL_ABORT_EVENT_READ
-ADSP_IOCTL_LINK_TASK
-}')
-
-define(`mlog_qmi_ioctls', `{
-MLOG_QMI_UNKNOWN
-}')
diff --git a/sepolicy/keystore.te b/sepolicy/keystore.te
deleted file mode 100644
index 8c2f6d1..0000000
--- a/sepolicy/keystore.te
+++ /dev/null
@@ -1,5 +0,0 @@
-allow keystore tee_device:chr_file rw_file_perms;
-allow keystore firmware_file:file r_file_perms;
-allow keystore tee_prop:file { getattr open read };
-
-allow vold keystore:keystore_key { get_state get insert delete exist list sign verify };
diff --git a/sepolicy/mediaserver.te b/sepolicy/mediaserver.te
new file mode 100644
index 0000000..a722e75
--- /dev/null
+++ b/sepolicy/mediaserver.te
@@ -0,0 +1,11 @@
+allow mediaserver credmgrd_socket:sock_file rw_file_perms;
+allow mediaserver credmgrd:unix_stream_socket connectto;
+allow mediaserver mm-qcamerad:unix_stream_socket connectto;
+allow mediaserver sensorservice_service:service_manager find;
+allow mediaserver sysfs_battery_supply:dir search;
+allow mediaserver sysfs_battery_supply:file r_file_perms;
+allow mediaserver sysfs_graphics:dir search;
+allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms;
+allow mediaserver system_server:unix_stream_socket rw_socket_perms;
+
+hal_client_domain(mediaserver, hal_configstore)
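Review bot: `allow mediaserver sysfs_graphics:{ file lnk_file } rw_file_perms;` gives a core domain direct write access to sysfs nodes, including the camera flash nodes this commit labels sysfs_graphics in file_contexts, and the `credmgrd` and `mm-qcamerad` connectto rules let it talk to vendor daemons over sockets. Both cross the system/vendor boundary that newer platform policy enforces with neverallows, so it is worth confirming the build's policy version accepts them; where it does not, the access belongs behind a HAL. The sysfs write in particular should be narrowed to a type covering only the node mediaserver actually needs, with a comment naming that node and why a write is required.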
diff --git a/sepolicy/mlog_qmi.te b/sepolicy/mlog_qmi.te
index ed983fb..0b25daa 100644
--- a/sepolicy/mlog_qmi.te
+++ b/sepolicy/mlog_qmi.te
@@ -1,16 +1,3 @@
-type mlog_qmi, domain;
-type mlog_qmi_exec, exec_type, file_type;
-
-# Started by init
init_daemon_domain(mlog_qmi)
-allow mlog_qmi self:capability { net_raw net_bind_service };
allow mlog_qmi self:socket create_socket_perms;
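Review bot: With `allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls` removed, the surviving `allow mlog_qmi self:socket create_socket_perms;` still includes the `ioctl` permission, and as far as I understand xperm semantics, once no allowxperm rule exists for that source/target/class pair the ioctl is no longer filtered by command number, so this hunk widens access rather than tightening it. If the 0xc304 command from the deleted ioctl_defines is the only one needed, keeping a single allowxperm with that value under a named define preserves the restriction. If the intent is to permit all socket ioctls, a comment saying so would make that deliberate rather than a side effect of the cleanup.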
-# NOTE: using self:socket for the ioctl results in a denial
-allowxperm mlog_qmi mlog_qmi:socket ioctl mlog_qmi_ioctls;
-
-# Access to /dev/smem_log
-allow mlog_qmi smem_log_device:chr_file rw_file_perms;
-
-# qseecom
-allow mlog_qmi tee_device:chr_file rw_file_perms;
diff --git a/sepolicy/property.te b/sepolicy/property.te
new file mode 100644
index 0000000..bb7e318
--- /dev/null
+++ b/sepolicy/property.te
@@ -0,0 +1,5 @@
+# Credential Manager
+type credmgrd_prop, property_type;
+
+# Trim Area
+type ta_prop, property_type;
diff --git a/sepolicy/property_contexts b/sepolicy/property_contexts
new file mode 100644
index 0000000..413ed3c
--- /dev/null
+++ b/sepolicy/property_contexts
@@ -0,0 +1,11 @@
+# Camera
+hw.camera.0.status. u:object_r:camera_prop:s0
+hw.camera.1.status. u:object_r:camera_prop:s0
+
+# Credential Manager
+sys.credmgrdready u:object_r:credmgrd_prop:s0
+
+# Trim Area
+persist.tareset. u:object_r:ta_prop:s0
+ro.semc.version. u:object_r:ta_prop:s0
+ro.sony. u:object_r:ta_prop:s0
diff --git a/sepolicy/qseecomd.te b/sepolicy/qseecomd.te
deleted file mode 100644
index e3375cf..0000000
--- a/sepolicy/qseecomd.te
+++ /dev/null
@@ -1,23 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
- setuid
- setgid
-};
-
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-
-binder_use(tee)
-
-# Provide tee ability to access QMUXD/IPCRouter for QMI
-qmux_socket(tee);
-
-set_prop(tee, tee_prop)
diff --git a/sepolicy/rild.te b/sepolicy/rild.te
deleted file mode 100644
index 5178ce8..0000000
--- a/sepolicy/rild.te
+++ /dev/null
@@ -1,2 +0,0 @@
-# Allow rild read to ro.semc
-allow rild ta_prop:file { read open getattr };
diff --git a/sepolicy/scd.te b/sepolicy/scd.te
new file mode 100644
index 0000000..6207541
--- /dev/null
+++ b/sepolicy/scd.te
@@ -0,0 +1,8 @@
+init_daemon_domain(scd)
+
+allow scd scd_data_file:dir create_dir_perms;
+allow scd scd_data_file:file create_file_perms;
+allow scd sysfs_rtc:dir search;
+allow scd sysfs_rtc:file r_file_perms;
+allow scd camera_socket:dir rw_dir_perms;
+allow scd camera_socket:sock_file create_file_perms;
diff --git a/sepolicy/sct.te b/sepolicy/sct.te
new file mode 100644
index 0000000..93d1ea4
--- /dev/null
+++ b/sepolicy/sct.te
@@ -0,0 +1,3 @@
+init_daemon_domain(sct)
+
+allow sct self:socket create_socket_perms;
diff --git a/sepolicy/sensors.te b/sepolicy/sensors.te
new file mode 100644
index 0000000..06defff
--- /dev/null
+++ b/sepolicy/sensors.te
@@ -0,0 +1,4 @@
+allow sensors tad:unix_stream_socket connectto;
+allow sensors tad_socket:sock_file rw_file_perms;
+
+get_prop(sensors, ta_prop)
diff --git a/sepolicy/service_contexts b/sepolicy/service_contexts
deleted file mode 100644
index e3d7dcf..0000000
--- a/sepolicy/service_contexts
+++ /dev/null
@@ -1,5 +0,0 @@
-#line 1 "vendor/semc/system/sepolicy/Camera_Extension_API/1.1.0/service_contexts"
-media.cameraextension u:object_r:mediaserver_service:s0
-
-#line 1 "vendor/semc/system/sepolicy/Image_Processor_API/1.1.0/service_contexts"
-media.cacao u:object_r:mediaserver_service:s0
diff --git a/sepolicy/tad.te b/sepolicy/tad.te
new file mode 100644
index 0000000..496dc9f
--- /dev/null
+++ b/sepolicy/tad.te
@@ -0,0 +1,14 @@
+init_daemon_domain(tad)
+
+allow tad block_device:dir search;
+allow tad proc_stat:file r_file_perms;
+allow tad self:capability setgid;
+allow tad self:socket create_socket_perms;
+allow tad self:unix_stream_socket create_socket_perms;
+allow tad tad_block_device:blk_file rw_file_perms;
+allow tad tad_socket:sock_file rw_file_perms;
+allow tad sysfs_wake_lock:file rw_file_perms;
+
+allowxperm tad tad_block_device:blk_file ioctl BLKGETSIZE;
+
+set_prop(tad, ta_prop)
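Review bot: `tad_block_device` is used by `allow tad tad_block_device:blk_file rw_file_perms;` and the `allowxperm ... ioctl BLKGETSIZE` line, and again in vendor_init.te, but it is not declared in the file.te hunk of this commit alongside the other tad types; presumably it comes from device-level policy, which should be confirmed for every device that includes shinano-common or the policy will fail to compile. The `allowxperm` restriction to BLKGETSIZE is the right shape and deserves a short comment, e.g. `# tad only queries the partition size; no other block ioctls are needed`, so the next maintainer does not widen it.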
diff --git a/sepolicy/tfa_amp.te b/sepolicy/tfa_amp.te
deleted file mode 100644
index ca64588..0000000
--- a/sepolicy/tfa_amp.te
+++ /dev/null
@@ -1,10 +0,0 @@
-type tfa_amp, domain;
-type tfa_amp_exec, exec_type, file_type;
-
-# Started by init
-init_daemon_domain(tfa_amp)
-
-allow tfa_amp self:capability dac_override;
-
-# Access to /dev/tfa98xx
-allow tfa_amp audio_device:chr_file rw_file_perms;
diff --git a/sepolicy/uim.te b/sepolicy/uim.te
deleted file mode 100644
index 6f8b30e..0000000
--- a/sepolicy/uim.te
+++ /dev/null
@@ -1,22 +0,0 @@
-type uim, domain;
-
-rw_dir_file(uim, sysfs)
-rw_dir_file(uim, brcm_ldisc_sysfs)
-rw_dir_file(uim, bluetooth_data_file)
-rw_dir_file(uim, sysfs_bluetooth_writable)
-allow uim brcm_uim_exec:file { entrypoint getattr read execute };
-allow uim self:capability { net_admin dac_override };
-allow uim rootfs:lnk_file getattr;
-allow uim ta_data_file:dir search;
-allow uim bluetooth_prop:sock_file write;
-allow uim ta_data_file:file r_file_perms;
-allow uim hci_attach_dev:chr_file ioctl;
-
-# Access to qseecomd
-allow uim tee_device:chr_file rw_file_perms;
-
-# Access to serial port
-allow uim hci_attach_dev:chr_file rw_file_perms;
-allowxperm uim hci_attach_dev:chr_file ioctl uim_sock_ipc_ioctls;
-
-get_prop(uim, bluetooth_prop)
diff --git a/sepolicy/vendor_init.te b/sepolicy/vendor_init.te
new file mode 100644
index 0000000..ae03077
--- /dev/null
+++ b/sepolicy/vendor_init.te
@@ -0,0 +1,5 @@
+allow vendor_init tad_block_device:blk_file setattr;
+allow vendor_init {
+ credmgrd_data_file
+ scd_data_file
+}:dir create_dir_perms;