sepolicy : merge of sepolicy.lnx.5.0 to sepolicy.lnx.5.9

as part of keeping common system image syncing the public and
private folder of 2 components.

Change-Id: Ia2bffa5155b001b67ac6c4f9b0cc156c4afb5ad6

qva/private/app.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,4 +25,6 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
+get_prop(appdomain, persist_dpm_prop)
+
 unix_socket_send(appdomain, seempdw, seempd)

qva/private/bt_logger.te

@@ -0,0 +1,41 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type bt_logger, domain;
+type bt_logger_exec, system_file_type, exec_type, file_type;
+typeattribute  bt_logger  bluetoothdomain;
+typeattribute bt_logger coredomain;
+
+init_daemon_domain(bt_logger)
+bluetooth_domain(bt_logger)
+
+allow bluetooth bt_logger:unix_stream_socket connectto;
+allow bt_logger bluetooth:unix_stream_socket connectto;
+
+allow bt_logger bluetooth_data_file:dir search;
+allow bt_logger bluetooth_logs_data_file:dir rw_dir_perms;
+allow bt_logger bluetooth_logs_data_file:file create_file_perms;

qva/private/device.te

@@ -0,0 +1,30 @@
+# Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+
+#Define smd7 device
+type smd7_device, dev_type;

qva/private/dun-server.te

@@ -0,0 +1,40 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type dun-server_exec, system_file_type, exec_type, file_type;
+typeattribute  dun-server  bluetoothdomain;
+typeattribute dun-server coredomain;
+
+allow bluetooth dun-server:unix_stream_socket connectto;
+allow dun-server {
+    serial_device
+    smd7_device
+}:chr_file rw_file_perms;
+
+init_daemon_domain(dun-server)
+
+bluetooth_domain(dun-server)

qva/private/file_contexts

@@ -26,24 +26,34 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 ####### device files ##############
-/dev/smcinvoke                      u:object_r:smcinvoke_device:s0
+/dev/smcinvoke                                  u:object_r:smcinvoke_device:s0
+/dev/smd7                                       u:object_r:smd7_device:s0
 
 ####### dev/socket files ##########
 /dev/socket/seempdw                 u:object_r:seempdw_socket:s0
-/dev/socket/tcm                     u:object_r:dpmtcm_socket:s0
-/dev/socket/mirrorlinkserverapi     u:object_r:mirrorlink_socket:s0
-/dev/socket/mirrorlinkserverah      u:object_r:mirrorlink_socket:s0
+/dev/socket/dpmd                                u:object_r:dpmd_socket:s0
+/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
+/dev/socket/tcm                                 u:object_r:dpmtcm_socket:s0
+/dev/socket/qvrservice                          u:object_r:qvrd_socket:s0
+/dev/socket/qvrservice_camera                   u:object_r:qvrd_socket:s0
+/dev/socket/qvrservice_hvx_camera               u:object_r:qvrd_hvx_socket:s0
+/dev/socket/mirrorlinkserverapi                 u:object_r:mirrorlink_socket:s0
+/dev/socket/mirrorlinkserverah                  u:object_r:mirrorlink_socket:s0
 
 ####### system file ###############
-/system/bin/smcinvoked              u:object_r:smcinvoke_daemon_exec:s0
-/system/bin/perfservice             u:object_r:perfservice_exec:s0
-/system/bin/dpmd                    u:object_r:dpmd_exec:s0
-/system/bin/mirrorlinkserver        u:object_r:mirrorlink_exec:s0
-/system/bin/qvrservice              u:object_r:qvrd_exec:s0
-/system/bin/seempd                  u:object_r:seempd_exec:s0
-#/system/bin/dun-server              u:object_r:dun-server_exec:s0
-/system/bin/mmi                     u:object_r:vendor_mmi_sys_exec:s0
-/system/bin/mmi_diag                u:object_r:vendor_mmi_sys_exec:s0
+/system/bin/seempd                              u:object_r:seempd_exec:s0
+/system/bin/dpmd                                u:object_r:dpmd_exec:s0
+/system/bin/dun-server                          u:object_r:dun-server_exec:s0
+/system/bin/bt_logger                           u:object_r:bt_logger_exec:s0
+/system/bin/smcinvoked                          u:object_r:smcinvoke_daemon_exec:s0
+/system/bin/qvrservice                          u:object_r:qvrd_exec:s0
+/system/bin/wfdservice                          u:object_r:wfdservice_exec:s0
+/system/bin/mmi                                 u:object_r:vendor_mmi_sys_exec:s0
+/system/bin/mmi_diag                            u:object_r:vendor_mmi_sys_exec:s0
+/system/bin/perfservice                         u:object_r:perfservice_exec:s0
+/system/bin/mirrorlinkserver                    u:object_r:mirrorlink_exec:s0
 
 ####### data files ################
-/data/misc/mirrorlinkserver(/.*)?   u:object_r:mirrorlink_data_file:s0
+/data/dpm(/.*)?                                 u:object_r:dpmd_data_file:s0
+/data/misc/qvr(/.*)?                            u:object_r:qvrd_data_file:s0
+/data/misc/mirrorlinkserver(/.*)?               u:object_r:mirrorlink_data_file:s0

qva/private/ioctl_defines

@@ -0,0 +1,34 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
+define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
+define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
+define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
+define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
+define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
+define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')

qva/private/ioctl_macros

@@ -0,0 +1,35 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#    * Redistributions of source code must retain the above copyright
+#      notice, this list of conditions and the following disclaimer.
+#    * Redistributions in binary form must reproduce the above
+#      copyright notice, this list of conditions and the following
+#      disclaimer in the documentation and/or other materials provided
+#      with the distribution.
+#    * Neither the name of The Linux Foundation nor the names of its
+#      contributors may be used to endorse or promote products derived
+#      from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+define(`msm_sock_ipc_ioctls_system', `{
+IPC_ROUTER_IOCTL_GET_VERSION
+IPC_ROUTER_IOCTL_GET_MTU
+IPC_ROUTER_IOCTL_LOOKUP_SERVER
+IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
+IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
+IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
+}')

qva/private/mediaprovider.te

@@ -0,0 +1,30 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+allow mediaprovider dpmtcm_socket:sock_file w_file_perms;
+allow mediaprovider dpmwrapper_socket:sock_file w_file_perms;
+allow mediaprovider dpmd:unix_stream_socket connectto;

qva/private/mediaserver.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_send(mediaserver, seempdw, seempd)

qva/private/mirrorlink.te

@@ -38,12 +38,11 @@ net_domain(mirrorlink)
 allow mirrorlink self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 
 # Allow socket permissions on udp_socket.
-allowxperm mirrorlink self:udp_socket ioctl priv_sock_ioctls;
+allowxperm mirrorlink self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS SIOCGIFCONF SIOCGIFADDR SIOCGIFMTU };
 
 # Allow access to mirrorlink_data_file (/data/misc/mirrorlinkserver)
 allow mirrorlink mirrorlink_data_file:file create_file_perms;
 allow mirrorlink mirrorlink_data_file:dir create_dir_perms;
-
 # Allow read-write permissions to mirrorlink sockets under dev/socket/.
 allow mirrorlink mirrorlink_socket:sock_file { read write };
 
@@ -83,15 +82,11 @@ hal_client_domain(mirrorlink, hal_graphics_allocator);
 
 # Allow RW access to USB properties.
 set_prop(mirrorlink, exported_system_radio_prop);
+get_prop(mirrorlink, system_prop);
 
 # Allow access to usb ncm state from net
-r_dir_file(mirrorlink, sysfs_net);
+allow mirrorlink sysfs_net:dir r_dir_perms;
+allow mirrorlink sysfs_net:file r_file_perms;
 
 # Allow read access to EGL lib
 allow mirrorlink system_file:dir r_dir_perms;
-
-# Allow access to video encoder device.
-allow mirrorlink video_device:chr_file rw_file_perms;
-
-# Allow read access to mirrorlink specific property type.
-get_prop(mirrorlink, vendor_mirrorlink_prop);

qva/private/mmi_sys.te

@@ -42,3 +42,4 @@ hal_client_domain(vendor_mmi_sys, hal_graphics_allocator)
 allow vendor_mmi_sys vendor_mmi_sys_exec:file execute_no_trans;
 
 allow vendor_mmi_sys gpu_device:chr_file rw_file_perms;
+allow vendor_mmi_sys kmsg_device:chr_file w_file_perms;

qva/private/platform_app.te

@@ -27,3 +27,15 @@
 
 #allow platform_app to read vendor_camera_prop
 get_prop(platform_app, persist_camera_prop)
+# Allow cneservice to be found
+allow platform_app cne_service:service_manager find;
+
+# Allow dpmservice to be found
+allow platform_app dpmservice:service_manager find;
+allow platform_app { dpmd_socket dpmtcm_socket dpmwrapper_socket }:sock_file w_file_perms;
+allow platform_app dpmd:unix_stream_socket connectto;
+userdebug_or_eng(`
+  r_dir_file(platform_app, seemp_data_file)
+  allow platform_app seemp_data_file: file w_file_perms;
+')
+allow platform_app color_service:service_manager find;

qva/private/priv_app.te

@@ -26,3 +26,6 @@
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
 get_prop(priv_app, persist_camera_prop)
+allow priv_app dpmtcm_socket:sock_file w_file_perms;
+allow priv_app dpmwrapper_socket:sock_file w_file_perms;
+allow priv_app dpmd:unix_stream_socket connectto;

qva/private/property_contexts

@@ -27,10 +27,13 @@
 
 persist.vendor.dpm.                        u:object_r:persist_dpm_prop:s0
 persist.vendor.btstack                     u:object_r:bluetooth_prop:s0
+persist.vendor.bluetooth.emailaccountcount u:object_r:bluetooth_prop:s0
 persist.vendor.bt.a2dp                     u:object_r:bluetooth_prop:s0
+
 persist.vendor.service.bt.                 u:object_r:bluetooth_prop:s0
 ro.vendor.btstack.                         u:object_r:bluetooth_prop:s0
 vendor.pts.                                u:object_r:bluetooth_prop:s0
+vendor.bt.pts.                             u:object_r:bluetooth_prop:s0
 vendor.bluetooth.                          u:object_r:bluetooth_prop:s0
 vendor.camera.aux.packagelist              u:object_r:persist_camera_prop:s0
 persist.vendor.camera.privapp.list         u:object_r:persist_camera_prop:s0

qva/private/qvrd.te

@@ -32,3 +32,50 @@ type qvrd_exec, exec_type, system_file_type, file_type;
 init_daemon_domain(qvrd)
 
 binder_call(qvrd, system_server);
+
+# Allow interracting with qvrd directory
+allow qvrd qvrd_data_file:dir create_dir_perms;
+allow qvrd qvrd_data_file:file create_file_perms;
+
+#Allow hardware binder use
+hwbinder_use(qvrd)
+get_prop(qvrd, hwservicemanager_prop)
+
+# Allow access to our socket
+allow qvrd qvrd_socket:sock_file rw_file_perms;
+
+
+# Allow access to sensor1 API
+allow qvrd self:socket create_socket_perms_no_ioctl;
+
+#
+# Display
+#
+
+# Allow access to /dev/graphics/fb0 for configuring vsync interrupts
+allow qvrd graphics_device:dir r_dir_perms;
+allow qvrd graphics_device:chr_file rw_file_perms;
+
+#
+# Graphics
+#
+
+#Allow hal graphics mapper permissions
+hal_client_domain(qvrd, hal_graphics_composer);
+
+#Allow hal graphics allocator permissions
+hal_client_domain(qvrd, hal_graphics_allocator);
+
+#
+# Scheduler
+#
+
+allow qvrd self:capability { sys_nice };
+userdebug_or_eng(`
+  allow qvrd su:process setsched;
+')
+allow qvrd appdomain:process setsched;
+
+# whitelisting ioctlcmd c302
+allowxperm qvrd self:socket ioctl msm_sock_ipc_ioctls_system;
+allow qvrd self:socket ioctl;

qva/private/radio.te

@@ -0,0 +1,35 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# permissions for PresenceTestApp
+userdebug_or_eng(`
+  allow radio uce_service:service_manager find;
+')
+
+userdebug_or_eng(`
+  unix_socket_send(radio,seempdw, seempd)
+')

qva/private/service.te

@@ -30,3 +30,5 @@ type dpmservice,                  service_manager_type;
 type MinkBinderSvc,               app_api_service, service_manager_type;
 type vendor_perf_service,         app_api_service, service_manager_type;
 type izat_service,                app_api_service, system_api_service, service_manager_type;
+type color_service,               service_manager_type;
+type wfdservice_service,          service_manager_type;

qva/private/service_contexts

@@ -33,3 +33,5 @@ qti.ims.ext                                    u:object_r:radio_service:s0
 com.qualcomm.location.izat.IzatService         u:object_r:izat_service:s0
 qti.security.seempspa                          u:object_r:seemp_service:s0
 vendor.audio.vrservice                         u:object_r:audioserver_service:s0
+com.qti.snapdragon.sdk.display.IColorService   u:object_r:color_service:s0
+wfdservice                                     u:object_r:wfdservice_service:s0

qva/private/system_app.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+# Copyright (c) 2015, 2017, 2019, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -27,3 +27,20 @@
 
 # allow system_app to access netd
 unix_socket_connect(system_app, netd, netd)
+# access to seemp folder
+allow system_app seemp_data_file:dir r_dir_perms;
+allow system_app seemp_data_file:{ file fifo_file } rw_file_perms;
+binder_call(system_app, seempd)
+
+allow system_app dpmtcm_socket:sock_file w_file_perms;
+allow system_app dpmwrapper_socket:sock_file w_file_perms;
+allow system_app dpmd:unix_stream_socket connectto;
+allow system_app color_service:service_manager add;
+get_prop(system_app, bluetooth_prop);
+# allow system_app to interact with smcinvoke daemon
+binder_call(system_app, smcinvoke_daemon)
+
+# allow system app to interact with mirrorlinkserver
+binder_call(system_app, mirrorlink);
+# allow system app to connect to mirrorlink_socket
+unix_socket_connect(system_app, mirrorlink, mirrorlink);

qva/private/system_server.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+# Copyright (c) 2015,2017,2019 The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -27,7 +27,7 @@
 
 add_service(system_server, izat_service)
 
-allow system_server vendor_perf_service:service_manager find;
+
 
 allow system_server seempdw_socket:sock_file write;
 
@@ -36,3 +36,13 @@ unix_socket_send(system_server, seempdw, seempd)
 
 #Allow system server to get mirrorlink connection status prop
 get_prop(system_server, vendor_mirrorlink_prop)
+unix_socket_connect(system_server, dpmd, dpmd);
+allow system_server { dpmd_socket dpmtcm_socket dpmwrapper_socket }:sock_file w_file_perms;
+
+allow system_server dpmd_data_file:dir create_dir_perms;
+allow system_server dpmd_data_file:file create_file_perms;
+
+#Allow system_server to add and find perf service
+#add_service(system_server, vendor_perf_service);
+allow system_server vendor_perf_service:service_manager find;
+binder_call(system_server,qvrd);

qva/private/untrusted_app.te

@@ -0,0 +1,37 @@
+# Copyright (c) 2015, 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_connect(untrusted_app,dpmtcm, dpmd);
+allow untrusted_app dpmtcm_socket:sock_file w_file_perms;
+allow untrusted_app dpmwrapper_socket:sock_file w_file_perms;
+allow untrusted_app dpmd:unix_stream_socket connectto;
+userdebug_or_eng(`
+  r_dir_file(untrusted_app, seemp_data_file)
+  allow untrusted_app seemp_data_file: file w_file_perms;
+')
+unix_socket_connect(untrusted_app, qvrd, qvrd);
+allow untrusted_app qvrd:fd use;

qva/private/untrusted_app_27.te

@@ -0,0 +1,30 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+unix_socket_connect(untrusted_app_27,dpmtcm, dpmd);
+allow untrusted_app_27 dpmtcm_socket:sock_file w_file_perms;
+allow untrusted_app_27 dpmd:unix_stream_socket connectto;

qva/private/wfdservice.te

@@ -0,0 +1,129 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute wfdservice coredomain;
+
+#Allow for transition from init domain to wfdservice
+init_daemon_domain(wfdservice)
+
+#Inherit base socket permissions from netd domain
+net_domain(wfdservice)
+
+#Allow wfdservice to use Binder IPC
+binder_use(wfdservice)
+
+#Allow for interaction with Display HAL
+binder_call(wfdservice, surfaceflinger)
+binder_call(surfaceflinger, wfdservice)
+
+#Allow apps to interact with wfdservice
+binder_call(wfdservice, platform_app)
+binder_call(platform_app, wfdservice)
+binder_call(wfdservice, system_app)
+binder_call(system_app, wfdservice)
+
+#Allow access to Audio Flinger APIs
+binder_call(wfdservice, audioserver)
+
+#Allow access to Permission Controller in System Server
+binder_call(wfdservice, system_server)
+
+# Mark wfdservice as a Binder service domain
+binder_service(wfdservice)
+
+#Allow wfdservice to be registered with service manager
+allow wfdservice wfdservice_service:service_manager add;
+
+#Allow access to PCM sound card
+allow wfdservice audio_device:chr_file rw_file_perms;
+allow wfdservice audio_device:dir r_dir_perms;
+
+#Allow access to /dev/graphics/fb* for screen capture
+allow wfdservice graphics_device:chr_file rw_file_perms;
+
+#Allow access to encoder for YUV statistics
+allow wfdservice gpu_device:chr_file rw_file_perms;
+
+#Allow communication with init over property server
+unix_socket_connect(wfdservice, property, init);
+
+#Allow access to /dev/video/* devices for encoding/decoding
+allow wfdservice video_device:chr_file rw_file_perms;
+allow wfdservice video_device:dir r_dir_perms;
+
+#Allow access to tee device for HDCP sessions
+allow wfdservice tee_device:chr_file rw_file_perms;
+
+#Allow access to uhid driver for HID event injection
+allow wfdservice uhid_device:chr_file rw_file_perms;
+
+#Allow PROT_EXEC for 3rd party library loaded by wfdservice
+allow wfdservice self:process execmem;
+
+userdebug_or_eng(`
+#Allow access to read mmosal_logmask file in /data partition
+  allow wfdservice system_data_file:file r_file_perms;
+#Allow access to dump encoder/decoder dumps in /data/misc/media
+  allow wfdservice media_data_file:dir w_dir_perms;
+  allow wfdservice media_data_file:file create_file_perms;
+')
+
+#Allow access to /data/media for dumping
+allow wfdservice media_rw_data_file:dir create_dir_perms;
+allow wfdservice media_rw_data_file:file create_file_perms;
+
+allow wfdservice self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Allow access to input_device for touch input detection
+allow wfdservice input_device:dir r_dir_perms;
+allow wfdservice input_device:chr_file r_file_perms;
+
+# Allow access to mediaserver, surfaceflinger and permissionmanager
+# for interaction of wfdservice
+allow wfdservice {audioserver_service permission_service surfaceflinger_service wfdservice_service mediametrics_service}: service_manager find;
+
+#Allow setting of net_admin capability so that libnl API's can be used
+allow wfdservice self:capability net_admin;
+
+#allow binder call to hal_omx_server from wfdservice
+binder_call(wfdservice, hal_omx_server);
+
+#Allow wfdservice to query interface name of network (p2p etc.)
+allow wfdservice self:netlink_socket create_socket_perms_no_ioctl;
+allow wfdservice self:netlink_generic_socket create_socket_perms_no_ioctl;
+
+#Allow ion device access
+allow wfdservice ion_device:chr_file r_file_perms;
+
+#Allow udp socket ioctl
+allow wfdservice self:udp_socket ioctl;
+
+# ioctlcmd=8bff
+allowxperm wfdservice self:udp_socket ioctl priv_sock_ioctls;
+
+#Allow access to proc/net/arp
+allow wfdservice proc_net:file r_file_perms;

qva/public/dun-server.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type dun-server, domain;

qva/public/property.te

@@ -30,3 +30,6 @@ type persist_camera_prop, property_type, extended_core_property_type;
 
 #MirrorLink
 type vendor_mirrorlink_prop, property_type, extended_core_property_type;
+# this is vendor defined property  and added with prefix vendor
+# which is going to be working from system
+type vendor_bt_prop, property_type, extended_core_property_type;

qva/public/property_contexts

@@ -0,0 +1,28 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+persist.dpm.feature        u:object_r:persist_dpm_prop:s0

qva/public/wfdservice.te

@@ -0,0 +1,29 @@
+# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type wfdservice, domain;
+type wfdservice_exec, system_file_type, exec_type, file_type;