Address selinux denials

rootdir/etc/init.qcom.rc

@@ -392,7 +392,7 @@ service netmgrd /system/bin/netmgrd
 service mpdecision /system/bin/mpdecision --no_sleep --avg_comp
     class main
     user root
-    group root readproc
+    group root system readproc wakelock
     disabled
 
 service qcamerasvr /system/bin/mm-qcamera-daemon

sepolicy/private/file.te

@@ -0,0 +1,2 @@
+type sysfs_disk_pre_eol_info, fs_type, sysfs_type;
+type sysfs_disk_rev, fs_type, sysfs_type;

sepolicy/private/permissioncontroller_app.te

@@ -0,0 +1 @@
+allow permissioncontroller_app tethering_service:service_manager find;

sepolicy/private/storaged.te

@@ -0,0 +1,2 @@
+r_dir_file(storaged, sysfs_disk_pre_eol_info)
+r_dir_file(storaged, sysfs_disk_rev)

sepolicy/private/system_app.te

@@ -0,0 +1,2 @@
+binder_call(system_app, storaged)
+binder_call(system_app, system_suspend)

sepolicy/vendor/file_contexts

@@ -59,6 +59,7 @@
 #
 /data/system/default_values     u:object_r:mpctl_data_file:s0
 /dev/socket/mpctl               u:object_r:mpctl_socket:s0
+/(system|vendor|system/vendor)/bin/mpdecision          u:object_r:mpdecision_exec:s0
 
 ###################################
 # Rootfs Symlinks

sepolicy/vendor/mm-qcamerad.te

@@ -14,9 +14,11 @@ allow mm-qcamerad device:chr_file { ioctl open read write };
 allow mm-qcamerad sysfs:file { getattr open read write };
 allow mm-qcamerad system_data_root_file:sock_file unlink;
 allow mm-qcamerad system_lib_file:file execmod;
+allow mm-qcamerad mpctl_socket:sock_file w_file_perms;
 
 allow mm-qcamerad { audioserver cameraserver surfaceflinger mediaserver }:fd use;
 allow mm-qcamerad { hal_graphics_allocator hal_camera_default }:fd use;
 allow mm-qcamerad hal_renderscript_hwservice:hwservice_manager find;
 binder_call(mm-qcamerad, servicemanager);
 
+unix_socket_connect(mm-qcamerad, mpdecision, mpdecision)

sepolicy/vendor/mpdecision.te

@@ -1,13 +1,23 @@
-allow mpdecision mpdecision:netlink_kobject_uevent_socket { create setopt bind read };
+init_daemon_domain(mpdecision)
+
+binder_use(mpdecision)
+
+type_transition mpdecision socket_device:sock_file mpctl_socket;
+type_transition mpdecision system_data_file:file mpctl_data_file;
 
+allow mpdecision mpctl_data_file:dir w_dir_perms;
+allow mpdecision mpctl_data_file:sock_file create_file_perms;
 allow mpdecision mpdecision_socket:dir w_dir_perms;
 allow mpdecision mpdecision_socket:sock_file create_file_perms;
+allow mpdecision socket_device:dir w_dir_perms;
+allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
+allow mpdecision system_data_file:dir w_dir_perms;
+allow mpdecision sysfs_memory:dir search;
 
-type_transition mpdecision system_data_file:file mpctl_data_file;
+allow mpdecision mpdecision:netlink_kobject_uevent_socket { create setopt bind read };
 
 unix_socket_connect(mpdecision, thermal, thermal-engine)
 
-allow mpdecision system_data_file:dir w_dir_perms;
 allow mpdecision sysfs:file rw_file_perms;
 
 allow mpdecision mediaserver:dir search;
@@ -16,4 +26,4 @@ allow mpdecision mediaserver:file { read open };
 r_dir_file(mpdecision, mediaserver)
 r_dir_file(mpdecision, cameraserver)
 r_dir_file(mpdecision, audioserver)
-r_dir_file(mpdecision, domain)
+r_dir_file(mpdecision, domain)

sepolicy/vendor/thermal-engine.te

@@ -1,3 +1,3 @@
 allow thermal-engine self:capability { chown net_admin };
 allow thermal-engine init:unix_stream_socket connectto;
-allow thermal-engine mpdecision_socket:dir create_dir_perms;
+allow thermal-engine mpdecision_socket:dir rw_dir_perms;