Diffstat (limited to 'common')
-rw-r--r--common/bluetooth.te1
-rw-r--r--common/mediaserver.te2
-rw-r--r--common/netmgrd.te7
-rw-r--r--common/system_app.te1
-rw-r--r--common/untrusted_app.te7
5 files changed, 15 insertions, 3 deletions
diff --git a/common/bluetooth.te b/common/bluetooth.te
index 76045285..4f1d579b 100644
--- a/common/bluetooth.te
+++ b/common/bluetooth.te
@@ -15,7 +15,6 @@ allow bluetooth input_device:chr_file { open read write ioctl };
allow bluetooth persist_file:dir search;
allow bluetooth persist_file:file rw_file_perms;
-allow bluetooth wpa:unix_stream_socket connectto;
#For ANT tty communication and to set wc_transport prop
allow system_server bluetooth_prop:property_service set;
diff --git a/common/mediaserver.te b/common/mediaserver.te
index 241bc15f..dbd59da8 100644
--- a/common/mediaserver.te
+++ b/common/mediaserver.te
@@ -20,7 +20,7 @@ userdebug_or_eng(`
allow mediaserver sysfs_esoc:dir r_dir_perms;
allow mediaserver sysfs_esoc:lnk_file read;
-
+allow mediaserver system_app_data_file:file rw_file_perms;
# access to perflock
allow mediaserver mpctl_socket:dir r_dir_perms;
unix_socket_send(mediaserver, mpctl, mpdecision)
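Review bot: `rw_file_perms` on `system_app_data_file` includes `open`, so mediaserver, which handles untrusted media content, could open and modify any system app's private files by path rather than only the descriptors it is handed. If the goal is to read or write a file that a system app passes over binder, `allow mediaserver system_app_data_file:file { getattr read write };` is enough. The hunk header points at `userdebug_or_eng(`, but whether the new rule sits inside that block is not visible here; if it applies to all builds, a comment naming the use case would help. The rule also replaced the blank line that separated this group from `# access to perflock`, so it now reads as part of the perflock rules.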
diff --git a/common/netmgrd.te b/common/netmgrd.te
index 35ad1daa..51d39a2d 100644
--- a/common/netmgrd.te
+++ b/common/netmgrd.te
@@ -23,13 +23,15 @@ allow netmgrd smem_log_device:chr_file { rw_file_perms };
#Allow operations on different types of sockets
allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
-allow netmgrd netmgrd:netlink_xfrm_socket { create bind };
+allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms nlmsg_write nlmsg_read };
allow netmgrd netmgrd:netlink_socket { write read create bind };
allow netmgrd netmgrd:socket { create ioctl };
allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
allow netmgrd init:unix_stream_socket { connectto };
allow netmgrd property_socket:sock_file write;
+unix_socket_connect(netmgrd, cnd, cnd);
+
qmux_socket(netmgrd);
#Allow writing of ipv6 network properties
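Review bot: The `netlink_xfrm_socket` rule goes from `{ create bind }` to the whole `create_socket_perms` set plus `nlmsg_write`, which lets netmgrd change kernel IPsec policy and state, and nothing in the file says why. Listing only the permissions the denials actually showed, for example `{ create bind read write nlmsg_read nlmsg_write }` if that matches the log, keeps the grant auditable. A comment such as `# xfrm access for <feature>` above it, and a similar one above the new `unix_socket_connect(netmgrd, cnd, cnd);`, would record the reason for each.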
@@ -49,6 +51,9 @@ allow netmgrd sysfs_esoc:dir r_dir_perms;
#Allow communication with netd
allow netmgrd netd_socket:sock_file write;
+allow netmgrd net_data_file:file r_file_perms;
+allow netmgrd wpa_exec:file rx_file_perms;
+allow netmgrd net_data_file:dir r_dir_perms;
#Allow nemtgrd to use esoc api's to determine target
allow netmgrd shell_exec:file { execute r_file_perms execute_no_trans };
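Review bot: `rx_file_perms` on `wpa_exec` includes `execute_no_trans`, so if netmgrd launches the supplicant binary it runs inside the netmgrd domain with all of netmgrd's permissions instead of moving to the `wpa` domain. If execution is really needed, a transition such as `domain_auto_trans(netmgrd, wpa_exec, wpa)` keeps the two policies separate; if netmgrd only reads the file, `r_file_perms` is enough. The three added rules sit under `#Allow communication with netd` without a comment of their own, so a line such as `# <why netmgrd reads net_data_file and wpa_exec>` should state what they are for.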
diff --git a/common/system_app.te b/common/system_app.te
index 4e2c5f02..7844edfb 100644
--- a/common/system_app.te
+++ b/common/system_app.te
@@ -21,3 +21,4 @@ userdebug_or_eng(`
')
allow system_app cnd_data_file:dir w_dir_perms;
allow system_app cnd_data_file:file create_file_perms;
+allow system_app bluetooth:unix_stream_socket ioctl;
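Review bot: The added rule grants only `ioctl` on bluetooth's `unix_stream_socket`, with no `read`, `write` or `connectto`, which suggests it was written to silence a single denial on a descriptor received from the bluetooth process; that is inferred, the file does not say. It sits after the closing `')`, so it applies to user builds as well as debug builds. A comment such as `# <which socket fd comes from bluetooth and which ioctl is issued on it>` would let a later reader judge whether the grant is still needed.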
diff --git a/common/untrusted_app.te b/common/untrusted_app.te
index 4968a679..bce77b0e 100644
--- a/common/untrusted_app.te
+++ b/common/untrusted_app.te
@@ -2,3 +2,10 @@ allow dpmd untrusted_app:fd use;
allow dpmd untrusted_app:tcp_socket { read write };
allow untrusted_app dpmd:unix_stream_socket connectto;
allow untrusted_app dpmd_socket:sock_file write;
+
+# access to perflock
+allow untrusted_app mpctl_socket:dir r_dir_perms;
+unix_socket_send(untrusted_app, mpctl, perfd)
+unix_socket_connect(untrusted_app, mpctl, perfd)
+unix_socket_send(untrusted_app, mpctl, mpdecision)
+unix_socket_connect(untrusted_app, mpctl, mpdecision)
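Review bot: These rules let every third-party app reach the `mpctl` sockets of `perfd` and `mpdecision`, so both daemons now take input directly from untrusted code and must validate every message and bound what a caller may request. A perf-lock request from an arbitrary app can also hold CPU resources, which is a battery and thermal concern. Consider keeping the grant to `platform_app`/`system_app`, or mediating requests through a framework service that checks the caller. If the grant stays, extend the `# access to perflock` comment to state that untrusted input is expected on these sockets.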