Merge remote-tracking branch 'caf/LA.BF.2.1_rb1.6' into cm-12.0

Conflicts:
	Android.mk
	common/file_contexts
	common/ims.te
	common/mm-pp-daemon.te
	common/netmgrd.te
	common/radio.te
	common/service.te
	common/service_contexts
	common/system_app.te
	common/system_server.te
	common/thermal-engine.te
	common/untrusted_app.te
	common/wpa.te
	msm8960/Android.mk
	msm8960/file.te
	msm8960/file_contexts

Change-Id: I8308142c06d36380d422fd2256cceae2227fd04f

common/atfwd.te

@@ -12,3 +12,6 @@ binder_use(atfwd);
 binder_call(atfwd, system_app);
 binder_call(atfwd, servicemanager);
 r_dir_file(atfwd, sysfs_ssr);
+
+allow atfwd self:udp_socket create;
+unix_socket_connect(atfwd, property, init);

common/bluetooth.te

@@ -15,8 +15,3 @@ allow bluetooth input_device:chr_file { open read write ioctl };
 
 allow bluetooth persist_file:dir search;
 allow bluetooth persist_file:file rw_file_perms;
-allow bluetooth wpa:unix_stream_socket connectto;
-
-#For ANT tty communication and to set wc_transport prop
-allow system_server bluetooth_prop:property_service set;
-allow system_server serial_device:chr_file rw_file_perms;

common/device.te

@@ -76,5 +76,18 @@ type wcnss_device, dev_type;
 
 type mmc_block_device, dev_type;
 
+# Define QDSS devices
+type qdss_device, dev_type;
+
 #Define Gadget serial device
 type gadget_serial_device, dev_type;
+
+#Added for hbtp
+type bu21150_device, dev_type;
+type hbtp_device, dev_type;
+
+#added for voice device
+type voice_device, dev_type;
+
+#Define system health monitor devices
+type system_health_monitor_device, dev_type;

common/dhcp.te

@@ -0,0 +1 @@
+unix_socket_connect(dhcp, cnd, cnd)

common/file.te

@@ -48,6 +48,7 @@ type sysfs_msmuart_file, sysfs_type, fs_type;
 # Storage RFS file types
 type rfs_data_file, file_type;
 type rfs_system_file, file_type;
+type rfs_shared_hlos_file, file_type;
 
 #mm-pp-daemon file type for sysfs access
 type sysfs_leds, fs_type, sysfs_type;
@@ -94,10 +95,20 @@ type sysfs_socinfo, fs_type, sysfs_type;
 type sysfs_usb_uicc, sysfs_type, fs_type;
 
 type qlogd_socket, file_type;
-
+type qlogd_data_file, file_type;
 #Define the files written during the operation of mm-pp-daemon
 type display_config, file_type, data_file_type;
 
 # IPA file types
 type ipacm_socket, file_type;
 type ipacm_data_file, file_type;
+
+#Define the files written during the operation of mmi
+type mmi_data_file, file_type, data_file_type;
+
+#needed by vold
+type  proc_dirty_ratio, fs_type;
+
+# hbtp config file
+type hbtp_cfg_file, file_type;
+type hbtp_log_file, file_type;

common/file_contexts

@@ -42,8 +42,8 @@
 /dev/esoc.*                                     u:object_r:esoc_device:s0
 /dev/ks_hsic_bridge                             u:object_r:ksbridgehsic_device:s0
 /dev/efs_hsic_bridge                            u:object_r:efsbridgehsic_device:s0
-/dev/block/platform/msm_sdcc.1/by-name/misc                         u:object_r:misc_partition:s0
-/dev/block/platform/msm_sdcc.1/by-name/bootselect                   u:object_r:bootselect_device:s0
+/dev/block/bootdevice/by-name/misc              u:object_r:misc_partition:s0
+/dev/block/bootdevice/by-name/bootselect        u:object_r:bootselect_device:s0
 /dev/ipa                                        u:object_r:ipa_dev:s0
 /dev/wwan_ioctl                                 u:object_r:ipa_dev:s0
 /dev/ipaNatTable                                u:object_r:ipa_dev:s0
@@ -52,6 +52,14 @@
 /dev/dpl_ctrl                                   u:object_r:rmnet_device:s0
 /dev/wcnss_ctrl                                 u:object_r:wcnss_device:s0
 /dev/wcnss_wlan                                 u:object_r:wcnss_device:s0
+/dev/hbtp_input                                 u:object_r:hbtp_device:s0
+/dev/jdi-bu21150                                u:object_r:bu21150_device:s0
+/dev/voice_svc                                  u:object_r:voice_device:s0
+/dev/coresight-stm                              u:object_r:qdss_device:s0
+/dev/coresight-tmc-etf                          u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr                          u:object_r:qdss_device:s0
+/dev/coresight-tmc-etr-stream                   u:object_r:qdss_device:s0
+/dev/system_health_monitor                      u:object_r:system_health_monitor_device:s0
 
 ###################################
 # Dev socket nodes
@@ -98,13 +106,14 @@
 /system/bin/drmdiagapp                          u:object_r:diag_exec:s0
 /system/bin/irsc_util                           u:object_r:irsc_util_exec:s0
 /system/bin/mm-pp-daemon                        u:object_r:mm-pp-daemon_exec:s0
+/system/bin/mmi                                 u:object_r:mmi_exec:s0
 /system/bin/mpdecision                          u:object_r:mpdecision_exec:s0
 /system/bin/perfd                               u:object_r:perfd_exec:s0
 /system/bin/msm_irqbalance                      u:object_r:msm_irqbalanced_exec:s0
 /system/bin/imsdatadaemon                       u:object_r:ims_exec:s0
 /system/bin/imsqmidaemon                        u:object_r:ims_exec:s0
 /system/bin/ims_rtp_daemon                      u:object_r:ims_exec:s0
-/system/bin/imscmservice                        u:object_r:ims_exec:s0
+/system/bin/imscmservice                        u:object_r:imscm_exec:s0
 /system/bin/netmgrd                             u:object_r:netmgrd_exec:s0
 /system/bin/qmuxd                               u:object_r:qmuxd_exec:s0
 /system/bin/port-bridge                         u:object_r:port-bridge_exec:s0
@@ -117,6 +126,8 @@
 /system/rfs.*                                   u:object_r:rfs_system_file:s0
 /system/bin/time_daemon                         u:object_r:time_daemon_exec:s0
 /system/bin/rmt_storage                         u:object_r:rmt_storage_exec:s0
+/system/bin/rfs_access                          u:object_r:rfs_access_exec:s0
+/system/bin/tftp_server                         u:object_r:rfs_access_exec:s0
 /system/bin/hvdcp                               u:object_r:hvdcp_exec:s0
 /system/bin/qseecomd                            u:object_r:tee_exec:s0
 /system/bin/hostapd_cli                         u:object_r:hostapd_exec:s0
@@ -150,6 +161,7 @@
 /system/vendor/bin/slim_ap_daemon               u:object_r:location_exec:s0
 /system/vendor/bin/qti                          u:object_r:qti_exec:s0
 /system/bin/wcnss_service                       u:object_r:wcnss_service_exec:s0
+/system/vendor/bin/hbtp_daemon                  u:object_r:hbtp_exec:s0
 
 ###################################
 # sysfs files
@@ -198,6 +210,7 @@
 /data/diag_log(/.*)?                                                u:object_r:diag_data_file:s0
 /data/misc/sensors(/.*)?                                            u:object_r:sensors_data_file:s0
 /data/rfs.*                                                         u:object_r:rfs_data_file:s0
+/data/hlos_rfs(/.*)?                                                u:object_r:rfs_shared_hlos_file:s0
 /data/camera(/.*)?                                                  u:object_r:camera_socket:s0
 /data/system/sensors(/.*)?                                          u:object_r:sensors_data_file:s0
 /data/time(/.*)?                                                    u:object_r:time_data_file:s0
@@ -209,6 +222,9 @@
 /data/dpm(/.*)?                                                     u:object_r:dpmd_data_file:s0
 /data/misc/qsee(/.*)?                                               u:object_r:data_qsee_file:s0
 /data/misc/location(/.*)?                                           u:object_r:location_data_file:s0
+/data/FTM_AP(/.*)?                                                  u:object_r:mmi_data_file:s0
+/data/misc/hbtp(/.*)?                                               u:object_r:hbtp_log_file:s0
+/data/misc/qlogd(/.*)?                                              u:object_r:qlogd_data_file:s0
 
 ###################################
 # persist files
@@ -223,3 +239,8 @@
 # oem files
 #
 /oem(/.*)?       u:object_r:system_file:s0
+
+###################################
+# etc files
+#
+/etc/firmware/hbtp/*                                                u:object_r:hbtp_cfg_file:s0

common/genfs_contexts

@@ -1 +1,2 @@
 genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
+genfscon proc /proc/sys/vm/dirty_ratio  u:object_r:proc_dirty_ratio:s0

common/hbtp.te

@@ -0,0 +1,19 @@
+# Policies for hbtp (host based touch processing)
+type hbtp, domain;
+type hbtp_exec, exec_type, file_type;
+
+init_daemon_domain(hbtp)
+
+# Allow access for /dev/hbtp_input and /dev/jdi-bu21150
+allow hbtp hbtp_device:chr_file rw_file_perms;
+allow hbtp bu21150_device:chr_file rw_file_perms;
+
+allow hbtp hbtp_cfg_file:dir rw_dir_perms;
+allow hbtp hbtp_cfg_file:file create_file_perms;
+
+allow hbtp hbtp_log_file:dir rw_dir_perms;
+allow hbtp hbtp_log_file:file create_file_perms;
+
+allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
+
+binder_use(hbtp);

common/ims.te

@@ -4,13 +4,54 @@ type ims_exec, exec_type, file_type;
 
 # Started by init
 init_daemon_domain(ims)
+net_domain(ims)
 
-allow radio ims_socket:sock_file { open read write };
-allow ims ims_socket:sock_file { open read write };
-allow ims property_socket:sock_file write;
-allow ims servicemanager:binder call;
+# Talk to qmuxd
+qmux_socket(ims)
+
+# To make VT call
 binder_use(ims)
+
+# Bring up IMSPDM
+allow ims kernel:system module_request;
+
+allow ims self:socket create_socket_perms;
+allow ims self:capability { net_admin net_raw };
+
+# Use generic netlink socket
+allow ims self:netlink_socket create_socket_perms;
+
+# To run NDC command
+allow ims shell_exec:file rx_file_perms;
+allow ims system_file:file rx_file_perms;
+
+# IMS route installation
+allow ims wcnss_service_exec:file rx_file_perms;
+
+# Talk to netd via netd_socket
+unix_socket_connect(ims, netd, netd)
+
+# Talk to qumuxd via ims_socket
+unix_socket_connect(ims, ims, qmuxd)
+
+# Talk to init via property_socket
 unix_socket_connect(ims, property, init)
-allow ims self:socket { read bind create write ioctl };
-allow ims system_prop:property_service set;
+
+#Add connectionmanager service
 allow ims imscm_service:service_manager add;
+
+# Set property to start imsdata_daemon and ims_rtp_daemon
+allow ims qcom_ims_prop:property_service set;
+
+# permissions needed for IMS to connect and interact with WPA supplicant
+allow ims wpa:unix_dgram_socket sendto;
+allow ims wpa_exec:file rx_file_perms;
+allow ims wpa_socket:dir w_dir_perms;
+allow ims wpa_socket:sock_file { write create unlink setattr };
+allow ims wifi_data_file:dir r_dir_perms;
+
+# permissions for communication with CNE in LBO use case
+unix_socket_connect(ims, cnd, cnd)
+
+#Communication with voice_svc device for audio on APP
+allow ims voice_device:chr_file rw_file_perms;

common/imscm.te

@@ -0,0 +1,25 @@
+#integrated sensor process
+type imscm, domain;
+type imscm_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(imscm)
+net_domain(imscm)
+
+# To make VT call
+binder_use(imscm)
+
+#Add connectionmanager service
+allow imscm imscm_service:service_manager add;
+
+#allow imscm ims_socket:sock_file write;
+#allow imscm ims:unix_stream_socket connectto;
+unix_socket_connect(imscm, ims, ims)
+allow imscm self:capability net_raw;
+#allow imscm untrusted_app:binder call;
+
+# imscm needs to communicate with test app
+# using binder call
+userdebug_or_eng(`
+  binder_call(imscm, untrusted_app)
+')

common/kernel.te

@@ -0,0 +1 @@
+allow kernel block_device:blk_file r_file_perms;

common/mediaserver.te

@@ -5,6 +5,7 @@ allow mediaserver camera_device:chr_file rw_file_perms;
 unix_socket_send(mediaserver, camera, mm-qcamerad)
 
 allow mediaserver tee_device:chr_file rw_file_perms;
+allow mediaserver qdsp_device:chr_file r_file_perms;
 
 allow mediaserver self:socket create_socket_perms;
 
@@ -19,7 +20,7 @@ userdebug_or_eng(`
 
 allow mediaserver sysfs_esoc:dir r_dir_perms;
 allow mediaserver sysfs_esoc:lnk_file read;
-
+allow mediaserver system_app_data_file:file rw_file_perms;
 # access to perflock
 allow mediaserver mpctl_socket:dir r_dir_perms;
 unix_socket_send(mediaserver, mpctl, mpdecision)

common/mm-pp-daemon.te

@@ -8,12 +8,20 @@ init_daemon_domain(mm-pp-daemon)
 allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
 allow mm-pp-daemon graphics_device:dir search;
 
-# Allow reading calibration data from persist
-allow mm-pp-daemon persist_file:file r_file_perms;
-allow mm-pp-daemon persist_file:dir search;
+# Allow reading/writing to persist
+# The color config file is dynamically created
+allow mm-pp-daemon persist_file:dir rw_dir_perms;
+allow mm-pp-daemon persist_file:file create_file_perms;
+
+# Allow reading/writing data config files
+allow mm-pp-daemon display_config:dir create_dir_perms;
+allow mm-pp-daemon display_config:file create_file_perms;
+
+# Allow read to sensor device and read/write to sensor socket
+allow mm-pp-daemon sensors_device:chr_file r_file_perms;
+allow mm-pp-daemon sensors_socket:sock_file rw_file_perms;
+allow mm-pp-daemon sensors:unix_stream_socket connectto;
 
-# Allow pp daemon to save settings to /data
-allow mm-pp-daemon display_config:file rw_file_perms;
 allow mm-pp-daemon system_prop:property_service set;
 #Calibration can only be done on userdebug or eng builds
 #Enable on user builds too. This is causing mayhem for gfx
@@ -33,12 +41,14 @@ allow mm-pp-daemon system_prop:property_service set;
     allow mm-pp-daemon shell_exec:file rx_file_perms;
     allow mm-pp-daemon system_file:file execute_no_trans;
     allow mm-pp-daemon zygote_exec:file rx_file_perms;
+    allow mm-pp-daemon self:process ptrace;
 
-    # Allow writing to persist
-    allow mm-pp-daemon persist_file:file rw_file_perms;
+# Allow mm-pp-daemon to change the brightness of the target during display
+# calibration
+allow mm-pp-daemon sysfs:file rw_file_perms;
 
-    # Allow mm-pp-daemon to change the brightness of the target during display
-    # calibration
-    allow mm-pp-daemon sysfs:file rw_file_perms;
-    unix_socket_connect(mm-pp-daemon, property, init)
 #')
+
+# Allow socket calls in pp-daemon
+unix_socket_connect(mm-pp-daemon, property, init)
+unix_socket_connect(mm-pp-daemon, pps, init)

common/mm-qcamerad.te

@@ -37,3 +37,6 @@ allow mm-qcamerad system_data_file:file create_file_perms;
 
 #Remove GL fine reference
 allow mm-qcamerad shell_data_file:dir search;
+
+# IMS use camera daemon to make VT call
+allow mm-qcamerad port:tcp_socket name_bind;

common/mmi.te

@@ -0,0 +1,31 @@
+#integrated process
+type mmi, domain;
+type mmi_exec, exec_type, file_type;
+
+#started by init
+init_daemon_domain(mmi)
+
+#self capability
+allow mmi self:capability { sys_nice dac_override };
+allow mmi self:capability2 block_suspend;
+
+#For various devices
+allow mmi graphics_device:chr_file rw_file_perms;
+allow mmi input_device:chr_file r_file_perms;
+allow mmi input_device:dir r_file_perms;
+allow mmi nfc_device:chr_file rw_file_perms;
+allow mmi shell_exec:file rx_file_perms;
+allow mmi sysfs_wake_lock:file rw_file_perms;
+
+#FTM_AP folder permissions
+allow mmi mmi_data_file:dir rw_dir_perms;
+allow mmi mmi_data_file:file rw_file_perms;
+
+#socket
+unix_socket_connect(mmi, property, init)
+
+#allow mmi set system prop
+allow mmi powerctl_prop:property_service set;
+
+#allow mmi operation on MISC partition
+allow mmi misc_partition:blk_file w_file_perms;

common/mpdecision.te

@@ -17,12 +17,11 @@ allow mpdecision self:socket create_socket_perms;
 allow mpdecision device_latency:chr_file w_file_perms;
 
 allow mpdecision sysfs_rqstats:dir search;
-allow mpdecision socket_device:dir w_file_perms;
 allow mpdecision sysfs_thermal:dir search;
 
 #policies for mpctl
 #mpctl socket
-allow mpdecision self:capability { net_admin chown dac_override fsetid };
+allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice };
 allow mpdecision mpctl_socket:dir rw_dir_perms;
 allow mpdecision mpctl_socket:sock_file { create_file_perms unlink };
 

common/netd.te

@@ -1,6 +1,8 @@
 #Policies for IPv6 tethering
 allow netd netd:capability { setgid setuid };
 allow netd netd:packet_socket { create bind setopt read ioctl };
+allow netd wfd_app:fd use;
+allow netd wfd_app:tcp_socket { read write setopt getopt };
 
 dontaudit netd self:capability sys_module;
 

common/netmgrd.te

@@ -61,4 +61,6 @@ allow netmgrd sysfs_esoc:lnk_file read;
 
 r_dir_file(netmgrd, sysfs_ssr);
 
-allow netmgrd wcnss_service_exec:file rx_file_perms;
+allow netmgrd { wcnss_service_exec wpa_exec }:file rx_file_perms;
+
+allow netmgrd sysfs:file write;

common/property.te

@@ -1,2 +1,3 @@
 # property for uicc_daemon
 type uicc_prop, property_type;
+type qcom_ims_prop, property_type;

common/property_contexts

@@ -1,2 +1,3 @@
 wc_transport.              u:object_r:bluetooth_prop:s0
 usb_uicc.                  u:object_r:uicc_prop:s0
+sys.ims.                   u:object_r:qcom_ims_prop:s0

common/qcomsysd.te

@@ -11,6 +11,7 @@ allow qcomsysd smem_log_device:chr_file { open read write ioctl };
 allow qcomsysd diag_device:chr_file { open read write ioctl };
 
 #Needed to read/write cookies to the misc partition
+allow qcomsysd block_device:dir { search };
 allow qcomsysd misc_partition:blk_file { open read getattr write };
 
 #Needed to access the bootselect partition
@@ -19,3 +20,5 @@ allow qcomsysd bootselect_device:blk_file { open read getattr write };
 #Needed to get image info from socinfo
 allow qcomsysd sysfs_socinfo:dir  { open search read };
 allow qcomsysd sysfs_socinfo:file { open read write };
+
+allow qcomsysd self:capability { dac_override };

common/qlogd.te

@@ -6,31 +6,51 @@ type qlogd_exec, exec_type, file_type;
 init_daemon_domain(qlogd)
 
 # need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file { open read write ioctl };
+allow qlogd smem_log_device:chr_file rw_file_perms;
 
 # need to add more capabilities for qlogd
-allow qlogd self:capability { setuid setgid dac_override dac_read_search sys_admin };
-allow qlogd self:capability2 syslog;
+allow qlogd self:capability { setuid setgid dac_override dac_read_search
+               sys_admin net_raw net_admin fowner fsetid kill sys_module };
+allow qlogd self:capability2 { block_suspend syslog };
+allow qlogd self:packet_socket { create ioctl bind getopt setopt };
 
 # need to access system_data partitions for configration files
-allow qlogd system_data_file:dir { write add_name };
-allow qlogd system_data_file:file { open read write create };
+allow qlogd qlogd_data_file:dir rw_dir_perms;
+allow qlogd qlogd_data_file:file create_file_perms;
 allow qlogd system_file:file execute_no_trans;
 
 # need to create and listen socket
-allow qlogd socket_device:sock_file { create setattr };
-allow qlogd qlogd_socket:sock_file { create read write setattr };
+allow qlogd qlogd_socket:sock_file create_file_perms;
 
 # need to start shell execute files
 allow qlogd shell_exec:file { execute read open execute_no_trans };
 
 # need to create and write files in fuse partition
-allow qlogd fuse:dir { search read write add_name create open };
-allow qlogd fuse:file { create read write append open getattr };
+allow qlogd fuse:dir create_dir_perms;
+allow qlogd fuse:file create_file_perms;
 
-#need to capture kmsg
+# need to capture kmsg
 allow qlogd kernel:system syslog_mod;
 
+# need for qdss log
+userdebug_or_eng(`
+  allow qlogd debugfs:file read;
+  allow qlogd sysfs:file write;
+  allow qlogd qdss_device:chr_file { open read };
+')
+
 # need for capture adb logs
-allow qlogd logdr_socket:sock_file write;
-allow qlogd logd:unix_stream_socket connectto;
+unix_socket_connect(qlogd, logdr, logd)
+
+# need for subsystem ramdump
+allow qlogd device:dir r_dir_perms;
+allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
+
+# need for qxdm log
+allow qlogd diag_exec:file rx_file_perms;
+allow qlogd sysfs_wake_lock:file ra_file_perms;
+
+# need for tcpdump
+userdebug_or_eng(`
+  allow qlogd kernel:system module_request;
+')

common/radio.te

@@ -8,3 +8,6 @@ allow radio shell_data_file:dir search;
 
 #Need permission to execute dpmd talk to radio layer
 unix_socket_connect(radio, dpmd, dpmd)
+
+# IMS needs permission to use unix domain socket
+allow radio ims:unix_stream_socket connectto;

common/rfs_access.te

@@ -5,36 +5,44 @@ init_daemon_domain(rfs_access)
 
 #The files created by rfs_access process in the /data folder will have type rfs_data_file
 type_transition rfs_access system_data_file:{ dir file } rfs_data_file;
+type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";
 
 #To read the uio char device
-allow rfs_access uio_device:chr_file { read write open };
+allow rfs_access uio_device:chr_file rw_file_perms;
 
-#For QMI sockets
-allow rfs_access self:socket { create_socket_perms };
+#For QMI sockets and IPCR Sockets
+allow rfs_access self:socket create_socket_perms;
+allow rfs_access smem_log_device:chr_file rw_file_perms;
 
 #For Wakelocks
 allow rfs_access self:capability2 block_suspend;
-allow rfs_access sysfs_wake_lock:file { open write append };
+allow rfs_access sysfs_wake_lock:file w_file_perms;
 
-#To create the /data/rfs
-allow rfs_access system_data_file:dir { write add_name };
+#To create the folders in /data
+allow rfs_access system_data_file:dir create_dir_perms;
 
 #For system folder entries
-allow rfs_access rfs_system_file:dir search;
-allow rfs_access rfs_system_file:lnk_file read;
+allow rfs_access rfs_system_file:dir r_dir_perms;
+allow rfs_access rfs_system_file:lnk_file r_file_perms;
 
 #For data folder entries
-allow rfs_access rfs_data_file:dir { write search create add_name };
-allow rfs_access rfs_data_file:file { open read write create append getattr };
+allow rfs_access rfs_data_file:dir create_dir_perms;
+allow rfs_access rfs_data_file:file create_file_perms;
+
+allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
+allow rfs_access rfs_shared_hlos_file:file create_file_perms;
 
 #For ramdump entries in /data/tombstones.
-allow rfs_access tombstone_data_file:dir { write search create add_name };
-allow rfs_access tombstone_data_file:file { open read write create append getattr };
+allow rfs_access tombstone_data_file:dir create_dir_perms;
+allow rfs_access tombstone_data_file:file create_file_perms;
 
 #For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
-allow rfs_access firmware_file:dir { search };
-allow rfs_access firmware_file:file { open read getattr };
+allow rfs_access firmware_file:dir r_dir_perms;
+allow rfs_access firmware_file:file r_file_perms;
+
+#For dropping permisions from root and wakelock
+allow rfs_access self:capability { setuid setgid setpcap net_raw };
 
 #Prevent other domains from accessing RFS data files.
-neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir { write search create add_name };
-neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file { open read write create append getattr };
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:dir create_dir_perms;
+neverallow { domain -rfs_access -kernel -recovery -init userdebug_or_eng(`-su') -init_shell } rfs_data_file:file create_file_perms;

common/rmt_storage.te

@@ -3,14 +3,16 @@ type rmt_storage, domain;
 type rmt_storage_exec, exec_type, file_type;
 init_daemon_domain(rmt_storage)
 
-allow rmt_storage modem_efs_partition_device:blk_file { read write open };
-allow rmt_storage block_device:dir search;
-allow rmt_storage cgroup:dir { create add_name };
-allow rmt_storage smem_log_device:chr_file { read write ioctl open };
-allow rmt_storage self:capability { setuid setgid sys_admin dac_override };
+allow rmt_storage modem_efs_partition_device:blk_file rw_file_perms;
+allow rmt_storage block_device:dir r_dir_perms;
+allow rmt_storage cgroup:dir create_dir_perms;
+allow rmt_storage smem_log_device:chr_file rw_file_perms;
+
+# sys_admin is needed for ioprio_set
+allow rmt_storage self:capability { setuid setgid sys_admin dac_override net_raw setpcap };
+
 allow rmt_storage self:capability2 block_suspend;
-allow rmt_storage self:socket { create_socket_perms };
-allow rmt_storage sysfs_wake_lock:file { open write append };
-allow rmt_storage uio_device:chr_file { read write open };
-allow rmt_storage mmc_block_device:blk_file r_file_perms;
-allow rmt_storage self:capability { net_raw setpcap };
+allow rmt_storage self:socket create_socket_perms;
+allow rmt_storage sysfs_wake_lock:file w_file_perms;
+allow rmt_storage uio_device:chr_file rw_file_perms;
+allow rmt_storage mmc_block_device:blk_file r_file_perms;

common/sensors.te

@@ -14,7 +14,7 @@ allow sensors self:capability chown;
 dontaudit sensors self:capability fsetid;
 
 # Access /data/misc/sensors/debug and /data/system/sensors/settings
-allow sensors self:capability { dac_override dac_read_search };
+allow sensors self:capability { dac_override dac_read_search net_bind_service };
 
 # Sensors socket
 allow sensors sensors_socket:sock_file create_file_perms;
@@ -35,6 +35,9 @@ allow sensors persist_file:dir r_dir_perms;
 allow sensors sensors_persist_file:dir create_dir_perms;
 allow sensors sensors_persist_file:file create_file_perms;
 
+# Access to execmem
+allow sensors self:process execmem;
+
 # Wake lock access
 wakelock_use(sensors)
 

common/service.te

@@ -6,3 +6,4 @@ type wbc_service,               service_manager_type;
 type dun_service,               service_manager_type;
 type digitalpen_service,        service_manager_type;
 type imscm_service,             service_manager_type;
+type color_service,             service_manager_type;

common/service_contexts

@@ -7,3 +7,4 @@ wbc_service                                    u:object_r:wbc_service:s0
 dun                                            u:object_r:dun_service:s0
 DigitalPen                                     u:object_r:digitalpen_service:s0
 qti.ims.connectionmanagerservice               u:object_r:imscm_service:s0
+com.qti.snapdragon.sdk.display.IColorService   u:object_r:color_service:s0

common/surfaceflinger.te

@@ -2,10 +2,7 @@ allow surfaceflinger sysfs_graphics:file rw_file_perms;
 allow surfaceflinger shell_data_file:dir search;
 
 # Allows pp-daemon to refresh the screen in calibration mode
-userdebug_or_eng(`
-  allow surfaceflinger mm-pp-daemon:dir search;
-  allow surfaceflinger mm-pp-daemon:file r_file_perms;
-')
+r_dir_file(surfaceflinger, mm-pp-daemon)
 
 binder_call(surfaceflinger, location)
 binder_call(surfaceflinger, tee)

common/system_app.te

@@ -25,9 +25,13 @@ userdebug_or_eng(`
 ')
 allow system_app cnd_data_file:dir w_dir_perms;
 allow system_app cnd_data_file:file create_file_perms;
+allow system_app bluetooth:unix_stream_socket ioctl;
+
+# access to tee domain
+allow system_app tee:unix_dgram_socket sendto;
 
 # access to time_daemon
 allow system_app time_daemon:unix_stream_socket connectto;
 
-# access to tee domain
-allow system_app tee:unix_dgram_socket sendto;
+# access to color service SDK
+allow system_app color_service:service_manager add;

common/system_server.te

@@ -38,8 +38,15 @@ allow system_server location_data_file:sock_file rw_file_perms;
 #For wifistatemachine
 allow system_server kernel:key search;
 allow system_server wbc_service:service_manager add;
-
 allow system_server digitalpen_service:service_manager add;
 
+#For ssr
+allow system_server ssr_device:chr_file { read open };
+
 allow system_server fuse:dir search;
 allow system_server persist_file:dir search;
+
+#For ANT tty communication and to set wc_transport prop
+allow system_server bluetooth_prop:property_service set;
+allow system_server serial_device:chr_file rw_file_perms;
+allow system_server smd_device:chr_file rw_file_perms;

common/thermal-engine.te

@@ -19,6 +19,7 @@ allow thermal-engine thermal_socket:sock_file { create setattr open read write u
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
 allow thermal-engine sysfs_thermal:lnk_file read;
+allow thermal-engine sysfs:file write;
 #This is required for qmi access
 qmux_socket(thermal-engine);
 allow thermal-engine sysfs_mpdecision:file rw_file_perms;

common/untrusted_app.te

@@ -4,3 +4,9 @@ unix_socket_send(untrusted_app, mpctl, perfd)
 unix_socket_connect(untrusted_app, mpctl, perfd)
 unix_socket_send(untrusted_app, mpctl, mpdecision)
 unix_socket_connect(untrusted_app, mpctl, mpdecision)
+
+# test apps needs to communicate with imscm
+# using binder call
+userdebug_or_eng(`
+  binder_call(untrusted_app, imscm)
+')

common/vold.te

@@ -6,3 +6,4 @@ allow vold proc_sysrq:file rw_file_perms;
 allow vold self:capability sys_boot;
 allow vold cache_file:dir { write add_name };
 allow vold cache_file:file { write create open };
+allow vold proc_dirty_ratio:file rw_file_perms;

common/wfd_app.te

@@ -0,0 +1,23 @@
+allow wfd_app init:unix_stream_socket connectto;
+allow wfd_app node:tcp_socket node_bind;
+allow wfd_app port:tcp_socket { name_bind name_connect };
+allow wfd_app self:tcp_socket { bind create setopt listen write read getopt connect accept getattr };
+allow wfd_app dalvikcache_data_file:file { write setattr };
+allow wfd_app graphics_device:chr_file rw_file_perms;
+allow wfd_app graphics_device:dir r_dir_perms;
+allow wfd_app node:udp_socket node_bind;
+allow wfd_app port:udp_socket name_bind;
+allow wfd_app self:udp_socket { bind create getattr write setopt ioctl read getopt };
+allow wfd_app video_device:dir r_dir_perms;
+allow wfd_app video_device:chr_file rw_file_perms;
+allow wfd_app audio_device:dir r_dir_perms;
+allow wfd_app audio_device:chr_file rw_file_perms;
+allow wfd_app fwmarkd_socket:sock_file write;
+allow wfd_app netd:unix_stream_socket connectto;
+allow wfd_app firmware_file:dir r_dir_perms;
+allow wfd_app firmware_file:file r_file_perms;
+allow wfd_app tee_device:chr_file rw_file_perms;
+allow wfd_app media_rw_data_file:dir rw_dir_perms;
+allow wfd_app media_rw_data_file:file create_file_perms;
+allow wfd_app system_app_data_file:dir create_dir_perms;
+allow wfd_app uhid_device:chr_file rw_file_perms;

common/wpa.te

@@ -7,3 +7,6 @@ allow wpa proc_net:file write;
 
 # allow wpa_supplicant to send back wifi information to cnd
 allow wpa cnd:unix_dgram_socket sendto;
+
+# permission for wpa socket which IMS use to communicate
+allow wpa ims:unix_dgram_socket sendto;

sepolicy.mk

@@ -59,6 +59,7 @@ BOARD_SEPOLICY_UNION += \
        mcStarter.te \
        keystore.te \
        ims.te \
+       imscm.te \
        healthd.te \
        charger_monitor.te \
        surfaceflinger.te \
@@ -83,7 +84,14 @@ BOARD_SEPOLICY_UNION += \
        seapp_contexts \
        logd.te \
        installd.te \
-       wcnss_service.te
+       wcnss_service.te \
+       mmi.te \
+       dhcp.te \
+       wfd_app.te \
+       mediaserver_test.te \
+       hbtp.te \
+       kernel.te \
+       vold.te
 
 -include device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)/Android.mk
 

test/file.te

@@ -0,0 +1,3 @@
+#Define the files written during the operation of mm-pp-daemon
+type display_test_media_file, file_type, data_file_type;
+

test/file_contexts

@@ -57,3 +57,6 @@
 /system/bin/test-fake-ap                        u:object_r:location_exec:s0
 /system/bin/loc_api_app                         u:object_r:location_exec:s0
 /system/bin/test_loc_api_client                 u:object_r:location_exec:s0
+
+#Context for mediaserver
+/data/display-tests/media(/.*)?                 u:object_r:display_test_media_file:s0

test/mediaserver_test.te

@@ -0,0 +1,5 @@
+#Access to media files for testing
+userdebug_or_eng(`
+  allow mediaserver display_test_media_file:dir r_dir_perms;
+  allow mediaserver display_test_media_file:file r_file_perms;
+')

test/qmi_test_service.te

@@ -5,6 +5,8 @@ userdebug_or_eng(`
   type qmi_test_service, domain;
   domain_auto_trans(shell, qmi_test_service_exec, qmi_test_service)
   domain_auto_trans(adbd, qmi_test_service_exec, qmi_test_service)
+  #enable access to loader in 64 bit system
+  allow qmi_test_service shell:fd use;
   #test is launched from pseudo terminal so output goes there
   allow qmi_test_service devpts:chr_file {read write getattr ioctl};
   #to access smem log
@@ -20,4 +22,7 @@ userdebug_or_eng(`
   allow qmi_test_service qmi_test_service:capability {dac_override dac_read_search setgid setuid fsetid};
   #QCCI calls qmuxd API.  The API will internally require this
   qmux_socket(qmi_test_service);
+  #enable accessing the system health monitor to check the system health,
+  #if a request times out
+  allow qmi_test_service system_health_monitor_device:chr_file rw_file_perms;
 ')