sm8250-common: Initial common sepolicies

* Adapted from xiaomi-sm6150 and xiaomi-sm6250

Co-authored-by: Pig <pig.priv@gmail.com>
Co-authored-by: Zinadin Zidan <zidan.roking@gmail.com>
Co-authored-by: Utsav Balar <utsavbalar1231@gmail.com>
Co-authored-by: Ramii Ahmed <ramy@ahmedramy.com>
Change-Id: Ie64d863d6d36bdebb79d328de9ede5826b1cd486

BoardConfigCommon.mk

@@ -163,6 +163,27 @@ VENDOR_SECURITY_PATCH := 2020-02-01
 
 # Sepolicy
 include device/qcom/sepolicy_vndr/SEPolicy.mk
+BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/private
+BOARD_PLAT_PUBLIC_SEPOLICY_DIR += $(COMMON_PATH)/sepolicy/public
+BOARD_VENDOR_SEPOLICY_DIRS += $(COMMON_PATH)/sepolicy/vendor
+BOARD_SEPOLICY_M4DEFS += \
+    debugfs_clk=vendor_debugfs_clk \
+    debugfs_ipc=vendor_debugfs_ipc \
+    latency_device=vendor_latency_device \
+    nfc_vendor_data_file=vendor_nfc_vendor_data_file \
+    persist_audio_file=vendor_persist_audio_file \
+    persist_sensors_file=vendor_persist_sensors_file \
+    public_vendor_default_prop=vendor_public_vendor_default_prop \
+    sensors_prop=vendor_sensors_prop \
+    sysfs_boot_adsp=vendor_sysfs_boot_adsp \
+    sysfs_devfreq=vendor_sysfs_devfreq \
+    sysfs_fingerprint=vendor_sysfs_fingerprint \
+    sysfs_graphics=vendor_sysfs_graphics \
+    sysfs_kgsl=vendor_sysfs_kgsl \
+    sysfs_scsi_host=vendor_sysfs_scsi_host \
+    sysfs_ssr=vendor_sysfs_ssr \
+    wcnss_service_exec=vendor_wcnss_service_exec \
+    wifi_vendor_data_file=vendor_wifi_vendor_data_file
 
 # Treble
 BOARD_VNDK_VERSION := current

sepolicy/private/devicesettings_app.te

@@ -0,0 +1,33 @@
+app_domain(devicesettings_app)
+
+# Allow devicesettings_app to find *_service
+allow devicesettings_app {
+  app_api_service
+  audioserver_service
+  cameraserver_service
+  drmserver_service
+  mediaextractor_service
+  mediametrics_service
+  mediaserver_service
+}:service_manager find;
+
+hal_client_domain(devicesettings_app, hal_motor)
+hal_client_domain(devicesettings_app, hal_touchfeature)
+
+# Allow devicesettings_app read and write /data/data subdirectory
+allow devicesettings_app system_app_data_file:dir create_dir_perms;
+allow devicesettings_app system_app_data_file:{ file lnk_file } create_file_perms;
+
+# Allow binder communication with gpuservice
+binder_call(devicesettings_app, gpuservice)
+binder_call(devicesettings_app, hal_motor)
+binder_call(devicesettings_app, hal_touchfeature)
+
+# Allow devicesettings_app to read and write to cgroup/sysfs_leds/sysfs_thermal
+allow devicesettings_app sysfs_leds:dir search;
+#allow devicesettings_app sysfs_graphics:dir search;
+allow devicesettings_app {
+  cgroup
+  sysfs_leds
+  sysfs_thermal
+}:{ file lnk_file } rw_file_perms;

sepolicy/private/property_contexts

@@ -0,0 +1,16 @@
+# Global
+ro.boot.hwc              u:object_r:exported_default_prop:s0
+ro.build.flavor          u:object_r:exported_default_prop:s0
+ro.product.mod_device    u:object_r:exported2_default_prop:s0
+ro.product.system.manufacturer u:object_r:exported2_default_prop:s0 exact string
+
+# IMEI
+persist.radio.imei             u:object_r:deviceid_prop:s0
+persist.radio.meid             u:object_r:deviceid_prop:s0
+ro.ril.miui.imei               u:object_r:deviceid_prop:s0
+ro.ril.oem.imei                u:object_r:deviceid_prop:s0
+ro.ril.oem.meid                u:object_r:deviceid_prop:s0
+
+# MIUI
+ro.cust.test            u:object_r:exported_system_prop:s0
+ro.miui.                u:object_r:exported_system_prop:s0

sepolicy/private/seapp_contexts

@@ -0,0 +1,2 @@
+user=system seinfo=platform name=org.lineageos.devicesettings domain=devicesettings_app type=system_app_data_file
+user=system seinfo=platform name=org.lineageos.settings domain=devicesettings_app type=system_app_data_file

sepolicy/private/system_app.te

@@ -0,0 +1 @@
+hal_client_domain(system_app, hal_mlipay)

sepolicy/public/attributes

@@ -0,0 +1,7 @@
+hal_attribute_lineage(displayfeature)
+
+hal_attribute_lineage(mlipay)
+
+hal_attribute_lineage(motor)
+
+hal_attribute_lineage(touchfeature)

sepolicy/public/devicesettings_app.te

@@ -0,0 +1 @@
+type devicesettings_app, domain;

sepolicy/public/property.te

@@ -0,0 +1,2 @@
+# IMEI
+type deviceid_prop, property_type;

sepolicy/vendor/adsprpcd.te

@@ -0,0 +1 @@
+r_dir_file(vendor_adsprpcd, sysfs_graphics)

sepolicy/vendor/app.te

@@ -0,0 +1,2 @@
+get_prop({ appdomain -isolated_app }, vendor_fp_prop)
+get_prop({ appdomain -isolated_app }, vendor_tee_listener_prop)

sepolicy/vendor/batterysecret.te

@@ -0,0 +1,50 @@
+type batterysecret, domain;
+type batterysecret_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(batterysecret)
+
+r_dir_file(batterysecret, cgroup)
+r_dir_file(batterysecret, mnt_vendor_file)
+r_dir_file(batterysecret, vendor_sysfs_battery_supply)
+r_dir_file(batterysecret, sysfs_batteryinfo)
+r_dir_file(batterysecret, sysfs_type)
+r_dir_file(batterysecret, vendor_sysfs_usb_supply)
+r_dir_file(batterysecret, vendor_sysfs_usbpd_device)
+
+allow batterysecret {
+  mnt_vendor_file
+  persist_subsys_file
+  rootfs
+}:dir rw_dir_perms;
+
+allow batterysecret {
+  persist_subsys_file
+  sysfs
+  vendor_sysfs_battery_supply
+  sysfs_usb
+  vendor_sysfs_usb_supply
+  vendor_sysfs_usbpd_device
+}:file w_file_perms;
+
+allow batterysecret kmsg_device:chr_file w_file_perms;
+
+allow batterysecret self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+allow batterysecret self:global_capability_class_set {
+  sys_tty_config
+  sys_boot
+};
+
+allow batterysecret self:capability {
+  chown
+  fsetid
+};
+
+allow batterysecret {
+  system_suspend_hwservice
+  hidl_manager_hwservice
+}:hwservice_manager find;
+
+binder_call(batterysecret, system_suspend_server)
+
+wakelock_use(batterysecret)

sepolicy/vendor/device.te

@@ -0,0 +1,13 @@
+type efs_block_device, dev_type;
+
+type fingerprint_device, dev_type;
+
+type hall_device, dev_type;
+
+type lirc_device, dev_type;
+
+type motor_device, dev_type;
+
+type sound_device, dev_type;
+
+type touchfeature_device, dev_type;

sepolicy/vendor/file.te

@@ -0,0 +1,19 @@
+type sysfs_msm_boot, fs_type, sysfs_type;
+type sysfs_msm_subsys, sysfs_type, fs_type;
+type sysfs_wireless_supply, sysfs_type, fs_type;
+type vendor_sysfs_smart_fps, fs_type, sysfs_type;
+type vendor_sysfs_dynamic_fps, fs_type, sysfs_type;
+type vendor_sysfs_iio, fs_type, sysfs_type;
+
+type fingerprint_data_file, data_file_type, file_type, vendor_persist_type;
+type thermal_data_file, file_type, data_file_type;
+
+type camera_persist_file, file_type, vendor_persist_type;
+
+type audio_socket, file_type;
+
+type ultrasound_device, dev_type;
+
+type persist_subsys_file, vendor_persist_type, file_type;
+
+type proc_last_kmsg, fs_type, proc_type;

sepolicy/vendor/file_contexts

@@ -0,0 +1,91 @@
+# Audio
+/sys/devices/platform/soc/a8c000.i2c/i2c-2/2-005a/f0_value u:object_r:vendor_sysfs_audio:s0
+
+# Camera
+/dev/akm09970                   u:object_r:hall_device:s0
+/dev/drv8846_dev                u:object_r:motor_device:s0
+/dev/ti-drv8846                 u:object_r:motor_device:s0
+/mnt/vendor/persist/camera(/.*)? u:object_r:camera_persist_file:s0
+/vendor/bin/remosaic_daemon     u:object_r:remosaic_daemon_exec:s0
+
+# Charger
+/vendor/bin/batterysecret       u:object_r:batterysecret_exec:s0
+
+# Data files
+/data/vendor/goodix(/.*)?       u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc(/.*)?          u:object_r:fingerprint_data_file:s0
+/data/vendor/fpdump(/.*)?       u:object_r:fingerprint_data_file:s0
+/data/vendor/thermal(/.*)?      u:object_r:thermal_data_file:s0
+/data/vendor/mac_addr(/.*)?     u:object_r:wifi_vendor_data_file:s0
+
+# EFS Block devices
+/dev/block/sde[0-9]	u:object_r:efs_block_device:s0
+
+# Elliptic
+/dev/elliptic[0-9]              u:object_r:ultrasound_device:s0
+/dev/mius(.*)?                  u:object_r:ultrasound_device:s0
+
+# Fingerprint devices
+/dev/goodix_fp                  u:object_r:fingerprint_device:s0
+
+# Graphics nodes
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/panel_info        u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/disp_param        u:object_r:sysfs_graphics:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,mdss_mdp/drm/card([0-3])+/card([0-3])+-DSI-1/hbm_status        u:object_r:sysfs_graphics:s0
+
+# HALs
+/vendor/bin/hw/vendor\.lineage\.biometrics\.fingerprint\.inscreen@1.0-service\.xiaomi_kona              u:object_r:hal_lineage_fod_kona_exec:s0
+/vendor/bin/hw/vendor\.xiaomi\.hardware\.displayfeature@1\.0-service                                    u:object_r:hal_displayfeature_default_exec:s0
+/vendor/bin/hw/vendor\.xiaomi\.hardware\.motor@1.0-service                                              u:object_r:hal_motor_default_exec:s0
+/vendor/bin/hw/vendor\.xiaomi\.hardware\.touchfeature@1\.0-service                                      u:object_r:hal_touchfeature_default_exec:s0
+
+# Health
+/sys/devices/platform/soc/soc:maxim_ds28e16/power_supply/batt_verify(/.*)?                                                                         u:object_r:sysfs_battery_supply:s0
+
+# IR
+/dev/lirc[0-9]             u:object_r:lirc_device:s0
+/dev/spidev[0-9]\.1        u:object_r:lirc_device:s0
+
+# LED
+/sys/class/leds/(blue|green|red)(-right)?(/.*)?                 u:object_r:sysfs_leds:s0
+/sys/devices/platform/soc/[a-z0-9]+.qcom,spmi/spmi-[0-1]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,leds@d000/leds(/.*)?             u:object_r:sysfs_leds:s0
+/sys/devices/platform/soc/[a-z0-9]+.i2c/i2c-[0-9]/[0-9]-[0-9]+/leds(/.*)?             u:object_r:sysfs_leds:s0
+
+# Mlipay
+/vendor/bin/mlipayd@1\.1 u:object_r:hal_mlipay_default_exec:s0
+
+# Mac
+/vendor/bin/nv_mac       u:object_r:wcnss_service_exec:s0
+
+# Persist subsystem
+/mnt/vendor/persist/subsys(/.*)?                                  u:object_r:persist_subsys_file:s0
+
+# Sockets
+/dev/socket/audio_hw_socket                   u:object_r:audio_socket:s0
+
+# SSR
+/sys/devices(/platform)?/soc/[a-z0-9\.:]+,[a-z0-9\-\_]+/subsys[0-9]+/name         u:object_r:sysfs_ssr:s0
+
+# Sys
+/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/smart_fps_value u:object_r:vendor_sysfs_smart_fps:s0
+/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/card0-DSI-1/dynamic_fps  u:object_r:vendor_sysfs_dynamic_fps:s0
+/sys/bus/iio/devices  u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/us_prox.0/iio:device3(/.*)? u:object_r:vendor_sysfs_iio:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:vadc@3100/iio:device1(/.*)? u:object_r:vendor_sysfs_iio:s0
+
+# Sysfs
+/sys/devices/platform/soc/888000.i2c/i2c-5/5-0055/power_supply/lionsemi(/.*)?         u:object_r:sysfs:s0
+/sys/devices/platform/soc/884000.i2c/i2c-4/4-0066/wakeup/wakeup48(/.*)?               u:object_r:sysfs:s0
+/sys/devices/platform/soc/884000.i2c/i2c-4/4-0066/wakeup/wakeup48/event_count         u:object_r:sysfs:s0
+/sys/devices/platform/soc/a600000.ssusb/wakeup/wakeup33(/.*)?                         u:object_r:sysfs:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qcom,qpnp-smb5/power_supply/wireless(/.*)?                                                        u:object_r:sysfs_wireless_supply:s0
+/sys/devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/rtc/rtc0/hctosys u:object_r:sysfs:s0
+
+# Thermal
+/vendor/bin/mi_thermald         u:object_r:mi_thermald_exec:s0
+
+# Touchfeature
+/dev/xiaomi-touch          u:object_r:touchfeature_device:s0
+
+# USB
+/vendor/bin/init\.mi\.usb\.sh    u:object_r:vendor_qti_init_shell_exec:s0

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,104 @@
+genfscon sysfs /kernel/boot_cdsp/boot                                           u:object_r:sysfs_msm_boot:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state           u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/drm/card0/sde-crtc-0/early_wakeup     u:object_r:sysfs_msm_subsys:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,dsi-display                       u:object_r:sysfs_graphics:s0
+
+genfscon sysfs /devices/platform/soc/2c00000.qcom,kgsl-3d0                      u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw                             u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,gpubw/devfreq                     u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu-cpu-llcc-bw                   u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu-llcc-ddr-bw                   u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu0-cpu-l3-lat                   u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,cpu6-cpu-l3-lat                   u:object_r:sysfs_msm_subsys:s0
+genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable               u:object_r:sysfs_scsi_host:s0
+
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/device_prepare        u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/fingerdown_wait       u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/irq                   u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/request_vreg          u:object_r:sysfs_fingerprint:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/wakeup_enable         u:object_r:sysfs_fingerprint:s0
+
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/flashlight/brightness               u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:torch_0/brightness              u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:torch_1/brightness              u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:switch_0/brightness             u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-05/c440000.qcom,spmi:qcom,pm6150l@5:qcom,leds@d300/leds/led:switch_1/brightness             u:object_r:sysfs_leds:s0
+
+genfscon sysfs /class/power_supply/battery/capacity u:object_r:sysfs_battery_supply:s0
+
+genfscon proc /last_kmsg u:object_r:proc_last_kmsg:s0
+
+# Wakeup source stats
+genfscon sysfs /devices/0306_02.01.00/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/188101c.qcom,spss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/pci0000:00/0000:00:00.0/0000:01:00.0/1101_00.01.00/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c00000.qcom,pcie/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c10000.qcom,pcie/pci0002:00/0002:00:00.0/0002:01:00.0/0306_02.01.00_EFS/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1c10000.qcom,pcie/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/1e00000.qcom,ipa/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:fingerprint_fpc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/884000.i2c/i2c-3/3-0066/power_supply/bq2597x-standalone u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/888000.i2c/i2c-8/8-0026/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/888000.i2c/i2c-8/8-0055/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/888000.i2c/i2c-8/8-0055/wakeup/wakeup44 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/9800000.qcom,npu/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-5/5-0018/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-5/5-0019/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/984000.i2c/i2c-5/5-0028/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/994000.i2c/i2c-7/7-003b/994000.i2c:op,wlchg_rx@3b:idt,p9415/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/994000.i2c/i2c-7/7-0066/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/998000.qcom,qup_uart/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a8c000.i2c/i2c-3/3-005a/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a94000.i2c/i2c-4/4-0048/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/aab0000.qcom,venus/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/abb0000.qcom,cvpss/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/b0000000.qcom,cnss-qca6390/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,pm8150_rtc/rtc/rtc0/hctosys u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-00/c440000.qcom,spmi:qcom,pm8150@0:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:qpnp,fg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pm8150b@2:vadc@3100/iio:device1 u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-04/c440000.qcom,spmi:qcom,pm8150l@4:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-08/c440000.qcom,spmi:qcom,pmxprairie@8:qcom,power-on@800/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:goodix_fp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:oem_rf_cable/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:oneplus_wlchg/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_uc/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/rx-macro/rx_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,msm-audio-apr/soc:qcom,msm-audio-apr:qcom,q6core-audio/soc:qcom,msm-audio-apr:qcom,q6core-audio:bolero-cdc/tx-macro/tx_swr_ctrl/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-adsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-cdsp/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-dsps/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p-npu/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,smp2p_sleepstate/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/goodix_ts.0/wakeup                                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/18800000.qcom,icnss/wakeup                                                                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/890000.i2c/i2c-0/0-0010/890000.i2c:qcom,smb1390@10:qcom,charge_pump/wakeup                                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/88e0000.qcom,msm-eud/wakeup                                                                                   u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/a84000.i2c/i2c-2/2-0028/wakeup                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/171c0000.slim/tavil-slim-pgd/wakeup                                                                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/soc/soc:gpio_keys/wakeup                                                                                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/vendor/vendor:extcon_usb1/wakeup                                                                                  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/diag/diag/wakeup                                                                                                   u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd/wakeup                                                                                         u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/fastrpc/adsprpc-smd-secure/wakeup                                                                                  u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_aac/wakeup                                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_alac/wakeup                                                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrnb/wakeup                                                                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwb/wakeup                                                                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_amrwbplus/wakeup                                                                                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_ape/wakeup                                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_evrc/wakeup                                                                                               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711alaw/wakeup                                                                                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_g711mlaw/wakeup                                                                                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_mp3/wakeup                                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_multi_aac/wakeup                                                                                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_qcelp/wakeup                                                                                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wma/wakeup                                                                                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/virtual/misc/msm_wmapro/wakeup                                                                                             u:object_r:sysfs_wakeup:s0

sepolicy/vendor/hal_audio_default.te

@@ -0,0 +1,12 @@
+# For interfacing with PowerHAL
+hal_client_domain(hal_audio_default, hal_power)
+
+# Allow hal_audio_default to read persist_audio_file
+r_dir_file(hal_audio_default, persist_audio_file)
+
+r_dir_file(hal_audio_default, sysfs)
+
+set_prop(hal_audio_default, vendor_audio_prop)
+
+allow hal_audio_default audio_socket:sock_file rw_file_perms;
+allow hal_audio_default system_suspend_hwservice:hwservice_manager find;

sepolicy/vendor/hal_bluetooth_default.te

@@ -0,0 +1,2 @@
+# Allow hal_bluetooth_default to read files in wifi_vendor_data_file
+r_dir_file(hal_bluetooth_default, wifi_vendor_data_file)

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,19 @@
+# For interfacing with PowerHAL
+hal_client_domain(hal_camera_default, hal_power)
+
+# Allow hal_camera_default to read to sysfs_kgsl
+r_dir_file(hal_camera_default, sysfs_kgsl)
+
+# Allow hal_camera_default to read to mnt/vendor/persist/camera
+r_dir_file(hal_camera_default, camera_persist_file)
+r_dir_file(hal_camera_default, mnt_vendor_file)
+r_dir_file(hal_camera_default, persist_sensors_file)
+
+allow hal_camera_default remosaic_daemon_service:service_manager find;
+
+allow hal_camera_default proc_stat:file read;
+
+set_prop(hal_camera_default, vendor_camera_prop)
+
+allow hal_camera_default socket_device:sock_file write;
+allow hal_camera_default proc_stat:file { open };

sepolicy/vendor/hal_citsensorservice_default.te

@@ -0,0 +1,21 @@
+type hal_citsensorservice_default, domain;
+type hal_citsensorservice_default_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(hal_citsensorservice_default)
+
+get_prop(hal_citsensorservice_default, hwservicemanager_prop)
+get_prop(hal_citsensorservice_default, vendor_sensors_prop)
+
+allow hal_citsensorservice_default hal_citsensorservice_default_exec:file execute_no_trans;
+allow hal_citsensorservice_default self:qipcrtr_socket create_socket_perms_no_ioctl;
+allow hal_citsensorservice_default input_device:chr_file rw_file_perms;
+allow hal_citsensorservice_default input_device:dir rw_dir_perms;
+allow hal_citsensorservice_default mnt_vendor_file:dir rw_dir_perms;
+allow hal_citsensorservice_default hidl_base_hwservice:hwservice_manager add;
+allow hal_citsensorservice_default hwservicemanager:binder { call transfer };
+allow hal_citsensorservice_default citsensorservice_hwservice:hwservice_manager { add find };
+allow hal_citsensorservice_default vendor_persist_sensors_file:dir r_dir_perms;
+allow hal_citsensorservice_default vendor_persist_sensors_file:file rw_file_perms;
+allow hal_citsensorservice_default vendor_sysfs_graphics:file rw_file_perms;
+allow hal_citsensorservice_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_citsensorservice_default vendor_sysfs_dynamic_fps:file rw_file_perms;

sepolicy/vendor/hal_displayfeature_default.te

@@ -0,0 +1,28 @@
+type hal_displayfeature_default, domain;
+hal_server_domain(hal_displayfeature_default, hal_displayfeature)
+
+type hal_displayfeature_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_displayfeature_default)
+
+binder_call(hal_displayfeature_client, hal_displayfeature_server)
+
+hal_attribute_hwservice(hal_displayfeature, hal_displayfeature_hwservice)
+
+set_prop(hal_displayfeature_default, vendor_displayfeature_prop)
+set_prop(hal_displayfeature_default, hwservicemanager_prop)
+get_prop(hal_displayfeature_default, vendor_mpctl_prop)
+
+vndbinder_use(hal_displayfeature_default)
+
+allow hal_displayfeature_default vendor_hal_display_config_hwservice:hwservice_manager find;
+allow hal_displayfeature_default fwk_sensor_hwservice:hwservice_manager find;
+allow hal_displayfeature_default vendor_qdisplay_service:service_manager find;
+allow hal_displayfeature_default hwservicemanager:binder { call transfer };
+allow hal_displayfeature_default hal_displayfeature_hwservice:hwservice_manager { add find };
+allow hal_displayfeature_default hal_graphics_composer_default:binder { call transfer };
+allow hal_displayfeature_default hidl_base_hwservice:hwservice_manager add;
+allow hal_displayfeature_default vendor_display_vendor_data_file:dir search;
+allow hal_displayfeature_default vendor_hal_display_postproc_hwservice:hwservice_manager find;
+allow hal_displayfeature_default vendor_sysfs_graphics:file rw_file_perms;
+allow hal_displayfeature_default vendor_sysfs_graphics:dir r_dir_perms;
+allow hal_displayfeature_default vendor_sysfs_smart_fps:file rw_file_perms;

sepolicy/vendor/hal_fingerprint_default.te

@@ -0,0 +1,35 @@
+allow hal_fingerprint_default fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_default fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_default {
+  fingerprint_device
+  input_device
+  tee_device
+  uhid_device
+}: chr_file rw_file_perms;
+
+allow hal_fingerprint_default self:netlink_socket create_socket_perms_no_ioctl;
+
+allow hal_fingerprint_default {
+  input_device
+  sysfs_graphics
+  sysfs_msm_subsys
+}: dir r_dir_perms;
+
+allow hal_fingerprint_default {
+  sysfs_fingerprint
+  sysfs_graphics
+  sysfs_msm_subsys
+}: file rw_file_perms;
+
+r_dir_file(hal_fingerprint_default, firmware_file)
+
+get_prop(system_server, vendor_fp_prop);
+
+get_prop(hal_fingerprint_default, vendor_displayfeature_prop);
+
+set_prop(hal_fingerprint_default, vendor_fp_prop)
+
+allow hal_fingerprint_default vendor_sysfs_spss:dir { search };
+allow hal_fingerprint_default sysfs:file { write getattr };
+allow hal_fingerprint_default vendor_sysfs_spss:file { open read };

sepolicy/vendor/hal_graphics_composer_default.te

@@ -0,0 +1,8 @@
+hal_client_domain(hal_graphics_composer_default, hal_displayfeature)
+binder_call(hal_graphics_composer_default, hal_displayfeature)
+
+allow hal_graphics_composer_default sysfs_graphics:file rw_file_perms;
+allow hal_graphics_composer_default property_socket:sock_file { getattr read write ioctl };
+allow hal_graphics_composer_default init:unix_stream_socket connectto;
+
+set_prop(hal_graphics_composer_default, vendor_displayfeature_prop)

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1,3 @@
+allow hal_health_default sysfs:file rw_file_perms;;
+allow hal_health_default sysfs_wakeup:dir r_dir_perms;
+allow hal_health_default sysfs_wakeup:file r_file_perms;

sepolicy/vendor/hal_ir_default.te

@@ -0,0 +1,4 @@
+allow hal_ir_default lirc_device:{
+  chr_file
+  file
+} rw_file_perms;

sepolicy/vendor/hal_light_default.te

@@ -0,0 +1,5 @@
+allow hal_light_default {
+  sysfs_leds
+}:file rw_file_perms;
+
+r_dir_file(hal_light_default, sysfs_leds)

sepolicy/vendor/hal_lineage_fod_kona.te

@@ -0,0 +1,24 @@
+type hal_lineage_fod_kona, domain;
+hal_server_domain(hal_lineage_fod_kona, hal_lineage_fod)
+
+type hal_lineage_fod_kona_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_lineage_fod_kona)
+
+wakelock_use(hal_lineage_fod_kona)
+
+# Allow access to the HALs
+hal_client_domain(hal_lineage_fod_kona, hal_displayfeature)
+hal_client_domain(hal_lineage_fod_kona, hal_fingerprint)
+hal_client_domain(hal_lineage_fod_kona, hal_touchfeature)
+
+# Allow binder communication with hal_displayfeature_default
+binder_call(hal_lineage_fod_kona, hal_displayfeature_default)
+
+# Allow binder communication with hal_fingerprint_kona
+binder_call(hal_lineage_fod_kona, hal_fingerprint_default)
+
+# Allow binder communication with hal_touchfeature_default
+binder_call(hal_lineage_fod_kona, hal_touchfeature_default)
+
+allow hal_lineage_fod_kona sysfs_graphics:dir r_dir_perms;
+allow hal_lineage_fod_kona sysfs_graphics:file rw_file_perms;

sepolicy/vendor/hal_mlipay.te

@@ -0,0 +1,4 @@
+# HwBinder IPC from client to server
+binder_call(hal_mlipay_client, hal_mlipay_server)
+
+hal_attribute_hwservice(hal_mlipay, hal_mlipay_hwservice)

sepolicy/vendor/hal_mlipay_default.te

@@ -0,0 +1,16 @@
+type hal_mlipay_default, domain;
+hal_server_domain(hal_mlipay_default, hal_mlipay)
+
+type hal_mlipay_default_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_mlipay_default)
+
+allow hal_mlipay_default {
+  ion_device
+  tee_device
+}:chr_file rw_file_perms;
+
+r_dir_file(hal_mlipay_default, firmware_file)
+
+get_prop(hal_mlipay_default, vendor_fp_prop)
+set_prop(hal_mlipay_default, vendor_tee_listener_prop)

sepolicy/vendor/hal_motor_default.te

@@ -0,0 +1,31 @@
+type hal_motor_default, domain;
+
+type hal_motor_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_motor_default)
+
+binder_call(hal_motor_client, hal_motor_server)
+
+hal_client_domain(cameraserver, hal_motor)
+hal_server_domain(hal_motor_default, hal_motor)
+
+binder_call(devicesettings_app, hal_motor)
+binder_call(hal_motor_default, devicesettings_app)
+
+hal_attribute_hwservice(hal_motor, hal_motor_hwservice)
+
+# Allow hal_motor_default to read and write to { motor_device hall_device }
+allow hal_motor_default {
+  hall_device 
+  motor_device
+}:chr_file rw_file_perms;
+
+# Allow hal_motor_default to read and write to { mnt_vendor_file persist_sensors_file }
+allow hal_motor_default {
+  mnt_vendor_file 
+  persist_sensors_file
+}:dir rw_dir_perms;
+
+allow hal_motor_default {
+  mnt_vendor_file
+  persist_sensors_file
+}:file rw_file_perms;

sepolicy/vendor/hal_nfc_default.te

@@ -0,0 +1,3 @@
+# Data file accesses.
+allow hal_nfc_default nfc_vendor_data_file:dir create_dir_perms;
+allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,32 @@
+# Allow hal_power_default to write to dt2w nodes
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;
+
+r_dir_file(hal_power_default, input_device)
+
+allow hal_power_default {
+  sysfs_devfreq
+  sysfs_msm_subsys
+}:dir search;
+
+allow hal_power_default {
+  cgroup
+  proc
+  sysfs_devfreq
+  sysfs_devices_system_cpu
+  sysfs_graphics
+  sysfs_kgsl
+  sysfs_msm_subsys
+  sysfs_scsi_host 
+}:{
+  file
+  lnk_file
+} rw_file_perms;
+
+allow hal_power_default latency_device:chr_file rw_file_perms;
+
+# Rule for hal_power_default to access graphics composer process
+unix_socket_connect(hal_power_default, vendor_pps, hal_graphics_composer_default);
+
+# To get/set powerhal state property
+set_prop(hal_power_default, power_prop)

sepolicy/vendor/hal_power_stats_default.te

@@ -0,0 +1,4 @@
+allow hal_power_stats_default vendor_sysfs_iio:dir r_dir_perms;
+allow hal_power_stats_default vendor_sysfs_iio:file r_file_perms;
+allow hal_power_stats_default sysfs:dir r_dir_perms;
+allow hal_power_stats_default sysfs:file r_file_perms;

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,10 @@
+unix_socket_connect(hal_sensors_default, audio, hal_audio_default)
+
+allow hal_sensors_default audio_socket:sock_file rw_file_perms;
+allow hal_sensors_default socket_device:sock_file rw_file_perms;
+allow hal_sensors_default iio_device:chr_file rw_file_perms;
+allow hal_sensors_default ultrasound_device:chr_file rw_file_perms;
+allow hal_sensors_default vendor_sysfs_iio:dir r_dir_perms;
+allow hal_sensors_default vendor_sysfs_iio:file rw_file_perms;
+
+get_prop(hal_sensors_default, vendor_adsprpc_prop)

sepolicy/vendor/hal_touchfeature_default.te

@@ -0,0 +1,16 @@
+type hal_touchfeature_default, domain;
+hal_server_domain(hal_touchfeature_default, hal_touchfeature)
+
+type hal_touchfeature_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_touchfeature_default)
+
+binder_call(hal_touchfeature_client, hal_touchfeature_server)
+
+hal_attribute_hwservice(hal_touchfeature, hal_touchfeature_hwservice)
+
+# Allow hal_touchfeature_default to read and write to touchfeature_device
+allow hal_touchfeature_default touchfeature_device:chr_file rw_file_perms;
+
+set_prop(hal_touchfeature_default, vendor_touchfeature_prop)
+
+vndbinder_use(hal_touchfeature_default)

sepolicy/vendor/hwservice.te

@@ -0,0 +1,9 @@
+type citsensorservice_hwservice, hwservice_manager_type;
+
+type hal_displayfeature_hwservice, hwservice_manager_type;
+
+type hal_mlipay_hwservice, hwservice_manager_type;
+
+type hal_motor_hwservice, hwservice_manager_type;
+
+type hal_touchfeature_hwservice, hwservice_manager_type;

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,12 @@
+vendor.goodix.hardware.cap.biometrics.fingerprint::IGoodixFingerprintDaemon              u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.cap.biometrics.fingerprint::IGoodixFingerprintDaemonExt           u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.interfaces.biometrics.fingerprint::IGoodixFingerprintDaemon       u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.interfaces.biometrics.fingerprint::IGoodixFingerprintDaemonExt    u:object_r:hal_fingerprint_hwservice:s0
+vendor.goodix.hardware.biometrics.fingerprint::IGoodixFingerprintDaemon                  u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.campostproc::IMiPostProcService                        u:object_r:hal_camerapostproc_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.citsensorservice::ICitSensorService                    u:object_r:vendor_hal_citsensorservice_xiaomi_hwservice:s0
+vendor.xiaomi.hardware.displayfeature::IDisplayFeature                        u:object_r:hal_displayfeature_hwservice:s0
+vendor.xiaomi.hardware.fingerprintextension::IXiaomiFingerprint               u:object_r:hal_fingerprint_hwservice:s0
+vendor.xiaomi.hardware.mlipay::IMlipayService                                 u:object_r:hal_mlipay_hwservice:s0
+vendor.xiaomi.hardware.motor::IMotor                                          u:object_r:hal_motor_hwservice:s0
+vendor.xiaomi.hardware.touchfeature::ITouchFeature                            u:object_r:hal_touchfeature_hwservice:s0

sepolicy/vendor/hwservicemanager.te

@@ -0,0 +1,2 @@
+allow hwservicemanager hal_displayfeature_default:binder { call transfer };
+

sepolicy/vendor/init.te

@@ -0,0 +1,9 @@
+# For mount tracefs tracefs /sys/kernel/tracing
+allow init debugfs_tracing_debug:dir mounton;
+
+allow init same_process_hal_file:file execute;
+
+allow init proc_last_kmsg:file {
+  r_file_perms
+  setattr
+};

sepolicy/vendor/mi_thermald.te

@@ -0,0 +1,33 @@
+type mi_thermald, domain;
+type mi_thermald_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(mi_thermald)
+
+allow mi_thermald self:capability { chown fowner fsetid };
+
+# Allow mi_thermald to read thermal_data_file
+allow mi_thermald thermal_data_file:dir rw_dir_perms;
+allow mi_thermald thermal_data_file:file create_file_perms;
+
+allow mi_thermald sysfs:file write;
+
+r_dir_file(mi_thermald, sysfs)
+r_dir_file(mi_thermald, sysfs_battery_supply)
+r_dir_file(mi_thermald, sysfs_devices_system_cpu)
+r_dir_file(mi_thermald, sysfs_graphics)
+r_dir_file(mi_thermald, sysfs_kgsl)
+r_dir_file(mi_thermald, sysfs_leds)
+r_dir_file(mi_thermald, sysfs_thermal)
+
+# Allow mi_thermald to read and write to sysfs_*
+allow mi_thermald {
+  sysfs_battery_supply 
+  sysfs_devices_system_cpu
+  sysfs_kgsl
+  sysfs_thermal
+}:{
+  file
+  lnk_file
+} rw_file_perms;
+
+set_prop(mi_thermald, thermal_normal_prop)

sepolicy/vendor/property.te

@@ -0,0 +1,17 @@
+# Displayfeature
+type vendor_displayfeature_prop, property_type;
+
+# Fingerprint
+type vendor_fp_prop, property_type;
+
+# Init
+type vendor_device_prop, property_type;
+
+# Power
+type power_prop, property_type;
+
+# Thermal
+type thermal_normal_prop, property_type;
+
+# Touchfeature
+type vendor_touchfeature_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,99 @@
+# Audio
+audio.soundtrigger.debug.urser_id u:object_r:vendor_audio_prop:s0
+audio_hal.in_period_size                u:object_r:vendor_audio_prop:s0
+
+# Camera
+camera.                                         u:object_r:vendor_camera_prop:s0
+persist.camera.                                 u:object_r:vendor_camera_prop:s0
+persist.vendor.camera                           u:object_r:vendor_camera_prop:s0
+vendor.camera.boot_complete                     u:object_r:vendor_camera_prop:s0
+vendor.camera.sensor.                           u:object_r:vendor_camera_prop:s0
+ro.vendor.camera.                               u:object_r:vendor_camera_prop:s0
+ro.vendor.camera.res.fmq.size                   u:object_r:vendor_camera_prop:s0
+ro.vendor.camera.req.fmq.size                   u:object_r:vendor_camera_prop:s0
+ro.camera.res.fmq.size                          u:object_r:vendor_camera_prop:s0
+ro.camera.req.fmq.size                          u:object_r:vendor_camera_prop:s0
+
+# Display feature
+vendor.panel.color                           u:object_r:vendor_displayfeature_prop:s0
+vendor.panel.vendor                          u:object_r:vendor_displayfeature_prop:s0
+vendor.panel.display                         u:object_r:vendor_displayfeature_prop:s0
+vendor.panel.touch_vendor                    u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.threshold                  u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.eyecare.level                      u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.hist.threshold                     u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.histogram.enable                   u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.whitepoint_calibration_enable      u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.df.effect.conflict                 u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.extcolor.proc              u:object_r:vendor_displayfeature_prop:s0
+vendor.displayfeature.entry.enable           u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.df.color.temp                 u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bl.notify                          u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dc_backlight.enable           u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.dc_backlight.threshold        u:object_r:vendor_displayfeature_prop:s0
+vendor.display.panel.calibration.status      u:object_r:vendor_displayfeature_prop:s0
+vendor.hbm.enable                            u:object_r:vendor_displayfeature_prop:s0
+persist.vendor.max.brightness                u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bl.poll                            u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.display.default_fps                u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.cabc.enable                        u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.bcbc.enable                        u:object_r:vendor_displayfeature_prop:s0
+ro.vendor.dfps.enable                        u:object_r:vendor_displayfeature_prop:s0
+
+# DFPS
+persist.vendor.dfps.level	u:object_r:vendor_display_prop:s0
+persist.vendor.video.dfps.level	u:object_r:vendor_display_prop:s0
+persist.vendor.power.dfps.level	u:object_r:vendor_display_prop:s0
+
+# Fingerprint
+gf.debug.                  u:object_r:vendor_fp_prop:s0
+persist.vendor.fpc.        u:object_r:vendor_fp_prop:s0
+persist.vendor.sys.fp.     u:object_r:vendor_fp_prop:s0
+persist.sys.fp.            u:object_r:vendor_fp_prop:s0
+ro.hardware.fp             u:object_r:vendor_fp_prop:s0
+vendor.fps_hal.            u:object_r:vendor_fp_prop:s0
+ro.boot.fpsensor	   u:object_r:vendor_fp_prop:s0
+
+# Global
+ro.boot.factorybuild                u:object_r:public_vendor_default_prop:s0
+ro.boot.hwversion                   u:object_r:public_vendor_default_prop:s0
+ro.carrier.name                     u:object_r:public_vendor_default_prop:s0
+ro.miui.cust_variant                u:object_r:public_vendor_default_prop:s0
+ro.product.marketname		    u:object_r:public_vendor_default_prop:s0
+
+# Graphics
+ro.gfx.driver.1            u:object_r:exported3_default_prop:s0
+
+# Power
+vendor.powerhal.state      u:object_r:power_prop:s0
+vendor.powerhal.audio      u:object_r:power_prop:s0
+vendor.powerhal.lpm        u:object_r:power_prop:s0
+vendor.powerhal.init       u:object_r:power_prop:s0
+vendor.powerhal.rendering  u:object_r:power_prop:s0
+
+# Mlipay
+persist.vendor.sys.pay     u:object_r:vendor_tee_listener_prop:s0
+
+# Recovery
+ro.build.expect.           u:object_r:exported_default_prop:s0
+
+# RIL
+ro.vendor.ril              u:object_r:public_vendor_default_prop:s0
+
+# Sensor
+persist.sensor.                u:object_r:sensors_prop:s0
+invn.hal.data.      u:object_r:vendor_sensors_prop:s0
+invn.hal.entry.     u:object_r:vendor_sensors_prop:s0
+invn.hal.debug.     u:object_r:vendor_sensors_prop:s0
+invn.hal.verbose.   u:object_r:vendor_sensors_prop:s0
+
+# Thermal
+sys.thermal.        u:object_r:thermal_normal_prop:s0
+vendor.sys.thermal.        u:object_r:thermal_normal_prop:s0
+persist.sys.thermal.config u:object_r:thermal_normal_prop:s0
+
+# Touchfeature
+ro.vendor.touchfeature.type              u:object_r:vendor_touchfeature_prop:s0
+
+# USB
+sys.usb.configfs	u:object_r:system_prop:s0

sepolicy/vendor/radio.te

@@ -0,0 +1 @@
+get_prop(radio, vendor_audio_prop)

sepolicy/vendor/remosaic_daemon.te

@@ -0,0 +1,8 @@
+type remosaic_daemon, domain;
+type remosaic_daemon_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(remosaic_daemon)
+
+vndbinder_use(remosaic_daemon)
+
+allow remosaic_daemon remosaic_daemon_service:service_manager add;

sepolicy/vendor/rild.te

@@ -0,0 +1 @@
+set_prop(rild, deviceid_prop)

sepolicy/vendor/sensors.te

@@ -0,0 +1,2 @@
+# Allow sensors to access backlight sysfs state
+r_dir_file(vendor_sensors, vendor_sysfs_graphics)

sepolicy/vendor/system_app.te

@@ -0,0 +1,6 @@
+allow system_app vendor_sysfs_battery_supply:dir { search };
+allow system_app vendor_sysfs_battery_supply:file { read };
+allow system_app vendor_sysfs_battery_supply:file { open };
+allow system_app vendor_sysfs_battery_supply:file { getattr };
+
+r_dir_file(system_app, vendor_sysfs_battery_supply)

sepolicy/vendor/system_server.te

@@ -0,0 +1,2 @@
+allow system_server proc_last_kmsg:file r_file_perms;
+

sepolicy/vendor/tee.te

@@ -0,0 +1,7 @@
+allow tee fingerprint_data_file:dir create_dir_perms;
+allow tee {
+  fingerprint_data_file
+  mnt_vendor_file
+}:file create_file_perms;
+
+allow tee mnt_vendor_file:dir rw_dir_perms;

sepolicy/vendor/thermal-engine.te

@@ -0,0 +1,12 @@
+allow vendor_thermal-engine {
+  sysfs_devfreq
+  sysfs_msm_subsys
+  thermal_data_file
+}:dir r_dir_perms;
+
+allow vendor_thermal-engine sysfs_devfreq:file rw_file_perms;
+
+# Rule for vendor_thermal-engine to access init process
+unix_socket_connect(vendor_thermal-engine, property, init);
+
+set_prop(vendor_thermal-engine, thermal_normal_prop)

sepolicy/vendor/uevent.te

@@ -0,0 +1,2 @@
+allow ueventd self:capability sys_nice;
+allow vendor_qti_init_shell sysfs_wakeup:file setattr;

sepolicy/vendor/vendor_hal_perf_default.te

@@ -0,0 +1 @@
+allow vendor_hal_perf_default sysfs_msm_subsys:dir search;

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,15 @@
+set_prop(vendor_init, power_prop)
+set_prop(vendor_init, vendor_alarm_boot_prop)
+set_prop(vendor_init, vendor_video_prop)
+
+allow vendor_init {
+  debugfs_clk
+  proc_dirty
+  proc
+}:file w_file_perms;
+
+allow vendor_init block_device:lnk_file setattr;
+allow vendor_init sysfs:lnk_file setattr;
+allow vendor_init vendor_camera_prop:property_service set;
+
+allow vendor_init input_device:chr_file { create setattr unlink rw_file_perms };

sepolicy/vendor/vendor_mdm_helper.te

@@ -0,0 +1,4 @@
+allow vendor_mdm_helper efs_block_device:blk_file r_file_perms;
+allow vendor_mdm_helper vendor_tombstone_data_file:fifo_file rw_file_perms;
+
+get_prop(vendor_mdm_helper, vendor_ssr_prop)

sepolicy/vendor/vendor_qti_init_shell.te

@@ -0,0 +1,7 @@
+allow vendor_qti_init_shell configfs:dir rw_dir_perms;
+allow vendor_qti_init_shell configfs:file create_file_perms;
+allow vendor_qti_init_shell ctl_stop_prop:property_service set;
+allow vendor_qti_init_shell sysfs_wakeup:file setattr;
+
+set_prop(vendor_qti_init_shell, vendor_displayfeature_prop)
+

sepolicy/vendor/vndservice.te

@@ -0,0 +1 @@
+type remosaic_daemon_service, vndservice_manager_type;

sepolicy/vendor/vndservice_contexts

@@ -0,0 +1 @@
+android.IRemosaicDaemon                        u:object_r:remosaic_daemon_service:s0