msm8974-common: sepolicy: Clean up

* Group policy statements better
* Nuke unneeded allows

Change-Id: Ibc1fd4debe8c95005a6dd54e1428d6365248bd80

sepolicy/common/bluetooth.te

@@ -1,6 +1,11 @@
 allow bluetooth bluetooth_device:chr_file rw_file_perms;
-allow bluetooth bt_fw_file:file r_file_perms;
+
 allow bluetooth firmware_file:dir r_dir_perms;
+
 allow bluetooth proc_bt_sleep:dir search;
 allow bluetooth proc_bt_sleep:file w_file_perms;
-allow bluetooth wifi_data_file:file r_file_perms;
+
+allow bluetooth {
+    bt_fw_file
+    wifi_data_file
+}:file r_file_perms;

sepolicy/common/cameraserver.te

@@ -1,2 +0,0 @@
-allow cameraserver camera_socket:sock_file w_file_perms;
-allow cameraserver vendor_file:file execmod;

sepolicy/common/file.te

@@ -1,4 +1,4 @@
-type proc_bt_sleep, fs_type;
+type proc_bt_sleep, fs_type, proc_type;
 
 type sysfs_camera, fs_type, sysfs_type;
 type sysfs_hal_pwr, fs_type, sysfs_type;

sepolicy/common/hal_wifi_hostapd_default.te

@@ -1 +1,2 @@
 allow hal_wifi_hostapd_default sysfs_net:lnk_file { getattr read };
+allow hal_wifi_hostapd_default wlan_device:chr_file read;

sepolicy/common/hostapd.te

@@ -1 +0,0 @@
-allow hostapd wlan_device:chr_file r_file_perms;

sepolicy/common/init.te

@@ -10,10 +10,6 @@ allow init {
     sysfs_sensors
 }:lnk_file read;
 
-allow init sysfs_input:file rw_file_perms;
-
-allow init sysfs_graphics:file r_file_perms;
-
 allow init {
     sysfs_audio
     sysfs_batteryinfo

sepolicy/common/mediaserver.te

@@ -1,7 +1,3 @@
-allow mediaserver camera_socket:sock_file write;
-allow mediaserver hal_camera_hwservice:hwservice_manager find;
-allow mediaserver mm-qcamerad:unix_dgram_socket sendto;
 allow mediaserver sysfs_camera:dir search;
 allow mediaserver sysfs_camera:file r_file_perms;
-allow mediaserver thermal-engine:unix_stream_socket connectto;
 allow mediaserver vendor_file:file execmod;

sepolicy/common/mm-qcamerad.te

@@ -1,7 +1,5 @@
 type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket3";
 
-#allow mm-qcamerad camera_socket:sock_file create_file_perms;
-
 # Allow mm-qcamera-daemon to create the socket camera_socket
 allow mm-qcamerad system_data_file:dir w_dir_perms;
 

sepolicy/common/system_server.te

@@ -1,17 +1,15 @@
-get_prop(system_server, alarm_boot_prop)
-
-allow system_server efs_file:dir search;
-allow system_server efs_file:file r_file_perms;
-allow system_server mpctl_data_file:dir search;
-allow system_server mpctl_data_file:sock_file w_file_perms;
-allow system_server mpdecision:unix_stream_socket connectto;
-allow system_server qmuxd:unix_stream_socket connectto;
-allow system_server qmuxd_socket:dir w_dir_perms;
-allow system_server qmuxd_socket:sock_file { create setattr write };
-allow system_server qti_debugfs:file r_file_perms;
-allow system_server sensors_device:chr_file r_file_perms;
 allow system_server sysfs_mdnie:file rw_file_perms;
 
+allow system_server {
+    efs_file
+    mpctl_data_file
+}:dir search;
+
+allow system_server {
+    efs_file
+    qti_debugfs
+}:file r_file_perms;
+
 allow system_server {
     sysfs_sec_ir
     sysfs_sec_led

sepolicy/common/vold.te

@@ -1,6 +1,9 @@
-allow vold block_device:blk_file getattr;
-allow vold cache_block_device:blk_file getattr;
-allow vold efs_block_device:blk_file getattr;
 allow vold efs_file:dir rw_dir_perms;
 allow vold efs_file:file create;
-allow vold system_block_device:blk_file getattr;
+
+allow vold {
+    block_device
+    cache_block_device
+    efs_block_device
+    system_block_device
+}:blk_file getattr;