Revert "sepolicy:qcc: switch to platform app"

"LA.QSSI.13.0.r1-11100-qssi.0"

# By Prachi Gupta
# Via Linux Build Service Account (1) and Prachi Gupta (1)
* tag 'LA.QSSI.13.0.r1-11100-qssi.0':
  Adding sepolicy changes in attributes for qspa aidl

Change-Id: Ie2b071558c5392e8ec5a338e02bf33e84b92074a

.gitupstream

@@ -0,0 +1 @@
+https://git.codelinaro.org/clo/la/device/qcom/sepolicy

Android.mk

@@ -1,23 +0,0 @@
-# Board specific SELinux policy variable definitions
-ifeq ($(call is-vendor-board-platform,QCOM),true)
-LOCAL_PATH:= $(call my-dir)
-BOARD_SEPOLICY_DIRS := \
-       $(BOARD_SEPOLICY_DIRS) \
-       $(LOCAL_PATH) \
-       $(LOCAL_PATH)/common \
-       $(LOCAL_PATH)/ssg \
-       $(LOCAL_PATH)/$(TARGET_BOARD_PLATFORM)
-
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
-BOARD_SEPOLICY_DIRS += \
-       $(LOCAL_PATH)/test
-endif
-
-BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
-    $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
-    $(LOCAL_PATH)/public
-
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
-    $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
-    $(LOCAL_PATH)/private
-endif

SEPolicy.mk

@@ -0,0 +1,25 @@
+# Board specific SELinux policy variable definitions
+SEPOLICY_PATH:= device/qcom/sepolicy
+LOCAL_PATH := $(call my-dir)
+BOARD_SYSTEM_EXT_PREBUILT_DIR := device/qcom/sepolicy/generic
+BOARD_PRODUCT_PREBUILT_DIR := device/qcom/sepolicy/generic/product
+BOARD_PLAT_PUB_VERSIONED_POLICY := device/qcom/sepolicy
+$(shell $(SEPOLICY_PATH)/append.sh)
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS := \
+    $(SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS) \
+    $(SEPOLICY_PATH)/generic/public
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS := \
+    $(SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS) \
+    $(SEPOLICY_PATH)/generic/private
+
+#once all the services are moved to Product /ODM above lines will be removed.
+# sepolicy rules for product images
+PRODUCT_PUBLIC_SEPOLICY_DIRS := \
+    $(PRODUCT_PUBLIC_SEPOLICY_DIRS) \
+    $(SEPOLICY_PATH)/generic/product/public
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS := \
+    $(PRODUCT_PRIVATE_SEPOLICY_DIRS) \
+    $(SEPOLICY_PATH)/generic/product/private

append.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Copyright (c) 2021, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above copyright
+#       notice, this list of conditions and the following disclaimer in the
+#       documentation and/or other materials provided with the distribution.
+#     * Neither the name of The Linux Foundation nor
+#       the names of its contributors may be used to endorse or promote
+#       products derived from this software without specific prior written
+#       permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NON-INFRINGEMENT ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+# OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+# OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+# ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+api_versions=(30.0 31.0 32.0)
+
+dirpath=$(pwd)
+
+for i in ${api_versions[@]}
+do
+
+ cat $dirpath/system/sepolicy/prebuilts/api/$i/plat_pub_versioned.cil $dirpath/device/qcom/sepolicy/generic/prebuilts/api/$i/system_ext_pub_versioned.cil $dirpath/device/qcom/sepolicy/generic/product/prebuilts/api/$i/product_pub_versioned.cil > $dirpath/device/qcom/sepolicy/prebuilts/api/$i/plat_pub_versioned.cil
+
+done
+

apq8084/file_contexts

@@ -1,48 +0,0 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-###################################
-# Primary storage device nodes
-#
-/dev/block/platform/msm_sdcc\.1/by-name/modem                           u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/ssd                             u:object_r:ssd_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/misc                            u:object_r:misc_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/userdata                        u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                                      u:object_r:root_block_device:s0
-/dev/block/mmcblk0rpmb                                                  u:object_r:rpmb_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs1                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs2                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs3                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefsc                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/boot                            u:object_r:boot_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/system                          u:object_r:system_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/cache                           u:object_r:cache_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/recovery                        u:object_r:recovery_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/logdump                         u:object_r:logdump_partition:s0
-
-# qca data file for apq8084 target
-/data/misc/location/qca1530(/.*)?                                       u:object_r:qca1530_data_file:s0

apq8084/qca1530.te

@@ -1,74 +0,0 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-
-type qca1530, domain, domain_deprecated;
-type qca1530_exec, exec_type, file_type;
-net_domain(qca1530)
-init_daemon_domain(qca1530)
-
-userdebug_or_eng(`
-  domain_auto_trans(shell, qca1530_exec, qca1530)
-  domain_auto_trans(adbd, qca1530_exec, qca1530)
-')
-
-qmux_socket(qca1530)
-wakelock_use(qca1530)
-unix_socket_connect(qca1530, property, init)
-
-# need to access sharemem log device for smem logs
-allow qca1530 smem_log_device:chr_file rw_file_perms;
-
-allow qca1530 location_data_file:dir create_dir_perms;
-allow qca1530 location_data_file:file create_file_perms;
-allow qca1530 qca1530_data_file:dir create_dir_perms;
-allow qca1530 qca1530_data_file:file create_file_perms;
-allow qca1530 sysfs_qca1530:file { rw_file_perms setattr };
-allow qca1530 sysfs_qca1530:dir r_dir_perms;
-allow qca1530 self:capability {
-    setuid
-    setgid
-    setpcap
-    dac_override
-    net_raw
-    fowner
-    chown
-    fsetid
-    sys_nice
-};
-
-allow qca1530 self:capability2 syslog;
-allow qca1530 self:{ unix_dgram_socket packet_socket socket } create_socket_perms;
-
-# Execute the shell or system commands.
-allow qca1530 { qca1530_exec shell_exec }:file rx_file_perms;
-allow qca1530 system_file:file x_file_perms;
-
-#Setting sys.qca1530 property in QCA1530 detect service
-#Setting system default properties on start command to system server
-allow qca1530 { qca1530_prop ctl_default_prop }:property_service set;
-
-# Access to serial port conncting to QCA1530 chip
-allow qca1530 serial_device:chr_file rw_file_perms;

apq8098_latv/file_contexts

@@ -1,118 +0,0 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-###################################
-# Dev block nodes
-
-# UFS Devices
-/dev/block/platform/soc/1da4000.ufshc/by-name/system                            u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/userdata                          u:object_r:userdata_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/boot                              u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/logdump                           u:object_r:logdump_partition:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/fsc                                u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/fsg                                u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modemst1                           u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modemst2                           u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/ssd                                u:object_r:ssd_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/misc                               u:object_r:misc_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/rpm                                u:object_r:rpmb_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/msadp                              u:object_r:mba_debug_dev:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/recovery                           u:object_r:recovery_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cache                              u:object_r:cache_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/frp                                u:object_r:frp_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp                               u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtpsecapp                         u:object_r:mdtp_device:s0
-
-#rawdump partition
-/dev/block/platform/soc/1da4000.ufshc/by-name/rawdump                            u:object_r:rawdump_block_device:s0
-/sys/kernel/dload/emmc_dload                                                     u:object_r:sysfs_emmc_dload:s0
-
-# A/B partitions.
-/dev/block/platform/soc/1da4000.ufshc/by-name/abl_[ab]          u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/apdp_[ab]         u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/boot_[ab]         u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cmnlib_[ab]       u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cmnlib64_[ab]     u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/devcfg_[ab]       u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/hyp_[ab]          u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/keymaster_[ab]    u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modem_[ab]        u:object_r:modem_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/bluetooth_[ab]    u:object_r:modem_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/msadp_[ab]        u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/pmic_[ab]         u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/rpm_[ab]          u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/system_[ab]       u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/tz_[ab]           u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/vendor_[ab]       u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/xbl_[ab]          u:object_r:xbl_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp_[ab]         u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtpsecapp_[ab]   u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/dsp_[ab]          u:object_r:custom_ab_block_device:s0
-
-# Block device holding the GPT, where the A/B attributes are stored.
-/dev/block/platform/soc/1da4000.ufshc/sd[ade]                   u:object_r:gpt_block_device:s0
-
-# Block devices for the drive that holds the xbl_a and xbl_b partitions.
-/dev/block/platform/soc/1da4000.ufshc/sd[bc]                 u:object_r:xbl_block_device:s0
-
-###################################
-# Dev socket nodes
-#
-
-###################################
-# System files
-#
-
-###################################
-# data files
-#
-
-##################################
-# non-hlos mount points
-/firmware                  u:object_r:firmware_file:s0
-/bt_firmware               u:object_r:bt_firmware_file:s0
-
-##################################
-# FBE
-/(vendor|system/vendor)/bin/init.qti.qseecomd.sh                                u:object_r:init-qti-fbe-sh_exec:s0
-
-###################################
-# sysfs files
-#
-/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
-/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value                           u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode                     u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/enable                              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/enable_compliance                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/logical_addr                        u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/rd_msg                              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/wr_msg                              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/connected                               u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/pa                                      u:object_r:sysfs_graphics:s0
-###################################
-# adding same_process_hal_file
-/vendor/lib(64)?/hw/gralloc\.apq8098_latv\.so                                    u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/hw/hdmi_cec\.apq8098_latv\.so                                   u:object_r:same_process_hal_file:s0

common/adbd.te

@@ -1,8 +0,0 @@
-allow adbd tombstone_data_file:dir getattr;
-
-# allow read access for adb
-r_dir_file(adbd, RIDL_data_file)
-
-# allow read access for adb
-r_dir_file(adbd, qti_logkit_priv_data_file)
-r_dir_file(adbd, qti_logkit_pub_data_file)

common/adsprpcd.te

@@ -1,14 +0,0 @@
-# adsprpcd daemon
-type adsprpcd, domain;
-type adsprpcd_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(adsprpcd)
-
-allow adsprpcd qdsp_device:chr_file r_file_perms;
-
-# For reading dir/files on /dsp
-r_dir_file(adsprpcd, adsprpcd_file)
-
-allow adsprpcd ion_device:chr_file r_file_perms;
-allow adsprpcd system_file:dir r_dir_perms;

common/app.te

@@ -1,28 +0,0 @@
-# allow application to access cnd domain and socket
-#unix_socket_connect(appdomain, cnd, cnd)
-
-# allow application to access dpmd domain and socket
-#unix_socket_connect(appdomain, dpmwrapper, dpmd)
-
-#unix_socket_connect(appdomain, qlogd, qlogd)
-#unix_socket_send(appdomain, seempdw, seempd)
-
-#Allow all apps to open and send ioctl to qdsp device
-allow appdomain qdsp_device:chr_file r_file_perms;
-#Allow all apps to have read access to dsp partition
-r_dir_file(appdomain, adsprpcd_file)
-
-# Allow access to qti_logkit
-#allow { appdomain -untrusted_app } qti_logkit_pub_data_file:dir create_dir_perms;
-#allow { appdomain -untrusted_app } qti_logkit_pub_data_file:file create_file_perms;
-allow appdomain qti_logkit_pub_socket:dir r_dir_perms;
-#unix_socket_connect(appdomain, qti_logkit_pub, qti_logkit)
-#allow appdomain qti_logkit_pub_socket:sock_file r_file_perms;
-#allow appdomain qti_logkit_priv_data_file:dir r_dir_perms;
-allow appdomain hwui_prop:file r_file_perms;
-allow appdomain bservice_prop:file r_file_perms;
-allow appdomain reschedule_service_prop:file r_file_perms;
-allow appdomain debug_gralloc_prop:file r_file_perms;
-
-#most of apps/UI try to read this prop
-get_prop(appdomain, sf_lcd_density_prop)

common/atfwd.te

@@ -1,23 +0,0 @@
-type atfwd, domain;
-type atfwd_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(atfwd)
-
-allow atfwd self:socket create_socket_perms;
-allowxperm atfwd self:socket ioctl msm_sock_ipc_ioctls;
-
-binder_call(atfwd, system_app);
-
-r_dir_file(atfwd, sysfs_ssr);
-r_dir_file(atfwd, sysfs_esoc);
-r_dir_file(atfwd, sysfs_data);
-
-set_prop(atfwd, radio_prop)
-
-hwbinder_use(atfwd)
-get_prop(atfwd, hwservicemanager_prop)
-
-#diag
-userdebug_or_eng(`
-    diag_use(atfwd)
-')

common/attributes

@@ -1,83 +0,0 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# HALs
-attribute hal_display_color;
-attribute hal_display_color_client;
-attribute hal_display_color_server;
-
-attribute hal_display_config;
-attribute hal_display_config_client;
-attribute hal_display_config_server;
-
-attribute hal_display_postproc;
-attribute hal_display_postproc_client;
-attribute hal_display_postproc_server;
-
-attribute hal_hbtp;
-attribute hal_hbtp_client;
-attribute hal_hbtp_server;
-
-attribute hal_perf;
-attribute hal_perf_client;
-attribute hal_perf_server;
-
-attribute wifidisplayhalservice;
-attribute wifidisplayhalservice_client;
-attribute wifidisplayhalservice_server;
-
-attribute hal_alarm_qti;
-attribute hal_alarm_qti_client;
-attribute hal_alarm_qti_server;
-
-attribute hal_vehicle;
-attribute hal_vehicle_client;
-attribute hal_vehicle_server;
-
-attribute hal_vpp;
-attribute hal_vpp_client;
-attribute hal_vpp_server;
-
-attribute hal_wigig;
-attribute hal_wigig_client;
-attribute hal_wigig_server;
-
-attribute hal_qteeconnector;
-attribute hal_qteeconnector_client;
-attribute hal_qteeconnector_server;
-
-attribute hal_esepowermanager;
-attribute hal_esepowermanager_client;
-attribute hal_esepowermanager_server;
-
-attribute hal_iop;
-attribute hal_iop_client;
-attribute hal_iop_server;
-
-attribute hal_voiceprint;
-attribute hal_voiceprint_server;
-attribute hal_voiceprint_client;

common/audiod.te

@@ -1,9 +0,0 @@
-# audio daemon
-type audiod, domain;
-type audiod_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(audiod)
-allow audiod proc_audiod:file r_file_perms;
-allow audiod audio_device:chr_file rw_file_perms;
-#allow audiod audioserver_service:service_manager find;
-#binder_use(audiod)
-binder_call(audiod, audioserver)

common/audioserver.te

@@ -1,80 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#debugfs access to audio
-userdebug_or_eng(`
-allow audioserver qti_debugfs:dir r_dir_perms;
-allow audioserver qti_debugfs:file rw_file_perms;
-')
-# Allow audioserver to create socket files for audio arbitration
-allow audioserver audio_data_file:sock_file { create setattr unlink };
-allow audioserver audio_data_file:dir remove_name;
-
-# Allow audioserver to read soundcard state under /proc/asound
-allow audioserver proc_audiod:file r_file_perms;
-
-# Allow audioserver to read sysfs dir and sysfs_thermal files for speaker protection
-allow audioserver sysfs:dir r_dir_perms;
-allow audioserver sysfs_thermal:file r_file_perms;
-
-# Allow audioserver to access sysfs nodes
-allow audioserver sysfs:file rw_file_perms;
-userdebug_or_eng(`
-  diag_use(audioserver)
-')
-
-#Rules for audioserver to talk to peripheral manager
-#use_per_mgr(audioserver);
-
-# DOLBY_START
-allow audioserver activity_service:service_manager find;
-set_prop(audioserver, dolby_prop)
-# DOLBY_END

common/bluetooth.te

@@ -1,72 +0,0 @@
-#Adding all bt related service to bt domains
-type sapd, bluetoothdomain;
-type sapd_exec, exec_type, vendor_file_type, file_type;
-
-type btsnoop, bluetoothdomain;
-type btsnoop_exec, exec_type, vendor_file_type, file_type;
-
-type bt_logger, bluetoothdomain;
-type bt_logger_exec, exec_type, vendor_file_type, file_type;
-
-type btnvtool, bluetoothdomain;
-type btnvtool_exec, exec_type, vendor_file_type, file_type;
-
-type fmhal_service, bluetoothdomain;
-type fmhal_service_exec, exec_type, vendor_file_type, file_type;
-
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
-
-#Access to /data/media
-allow bluetooth media_rw_data_file:dir create_dir_perms;
-allow bluetooth media_rw_data_file:file create_file_perms;
-#allow proc_sysrq access for crash dump
-userdebug_or_eng(`
- allow bluetooth proc_sysrq:file w_file_perms;
- allow bluetooth qti_debugfs:file r_file_perms;
-')
-
-allow bluetooth {
-    uhid_device
-    #input_device
-    serial_device
-    #BT needes read and write on smd device node
-    smd_device
-    bt_device
-}:chr_file rw_file_perms;
-
-#Access to persist_file
-allow bluetooth persist_bluetooth_file:dir rw_dir_perms;
-allow bluetooth persist_bluetooth_file:file create_file_perms;
-r_dir_file(bluetooth, persist_file)
-allow bluetooth persist_file:file w_file_perms;
-
-allow bluetooth self:socket { create write getopt read };
-
-#For bluetooth firmware
-r_dir_file(bluetooth, bt_firmware_file)
-
-#dun-server requires binding with system_app and servicemanager
-binder_use(bluetooth);
-binder_call(bluetooth, system_app);
-binder_call(bluetooth, servicemanager);
-allow bluetooth dun_service:service_manager find;
-
-#sapd requires interaction with qmux sockets
-#qmux_socket(bluetooth);
-
-# for finding wbc_service
-allow bluetooth wbc_service:service_manager find;
-
-# for fastmmi test bluetooth
-#allow bluetooth mmi:unix_stream_socket connectto;
-#connect to wcnss_filter
-#allow bluetooth wcnss_filter:unix_stream_socket connectto;
-
-# ioctlcmd=c302
-allow bluetooth self:socket ioctl;
-allowxperm bluetooth self:socket ioctl msm_sock_ipc_ioctls;
-
-#SplitA2dp bluetooth requires binding with audio hal
-binder_call(bluetooth, hal_audio);
-allow bluetooth hal_audio_hwservice:hwservice_manager find;

common/bootanim.te

@@ -1,34 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# allow bootanim to binder mediaserver
-binder_call(bootanim, mediaserver);
-allow bootanim mediaserver_service:service_manager find;
-allow bootanim boot_animation_prop:file r_file_perms;
-allow bootanim debug_gralloc_prop:file r_file_perms;
-set_prop(bootanim, qemu_gles_prop)
-userdebug_or_eng(`allow bootanim self:process execmem;')

common/cameraserver.te

@@ -1,67 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-allow cameraserver camera_data_file:sock_file write;
-allow cameraserver gpu_device:chr_file rw_file_perms;
-#allow cameraserver mm-qcamerad:unix_dgram_socket sendto;
-#changes to access laser device
-r_dir_file(cameraserver, input_device);
-
-#interaction with thermal sockets
-#unix_socket_connect(cameraserver, thermal, thermal-engine)
-
-#Allow surfaceflinger access for camera preview
-allow cameraserver surfaceflinger:unix_stream_socket { read write };
-
-# allow cameraserver to communicate with sensors
-allow cameraserver sensors_device:chr_file rw_file_perms;
-#unix_socket_connect(cameraserver, sensors, sensors);
-allow cameraserver system_server:unix_stream_socket { read write };
-
-#Allow read access to soc/msm-cam/video4linux/video0/name sysfs
-allow cameraserver sysfs:file r_file_perms;
-
-allow cameraserver persist_file:dir r_dir_perms;
-set_prop(cameraserver, camera_prop)
-allow cameraserver self:socket create_socket_perms_no_ioctl;
-allow cameraserver sensors_persist_file:dir r_dir_perms;
-allow cameraserver sensors_persist_file:file r_file_perms;
-allow cameraserver graphics_device:dir r_dir_perms;
-allow cameraserver sensorservice_service:service_manager find;
-allow cameraserver system_file:dir r_dir_perms;
-
-#Allows camera to call ADSP QDSP6 functionality
-allow cameraserver qdsp_device:chr_file r_file_perms;
-allow cameraserver camera_prop:file r_file_perms;
-
-#need this in full_treble for camera perview
-allow cameraserver hal_allocator:fd use;
-
-# added now for camcorder functionality. need to use HIDL
-userdebug_or_eng(`
-binder_call(cameraserver, hal_graphics_composer)
-')

common/charger_monitor.te

@@ -1,17 +0,0 @@
-#integrated process
-type charger_monitor, domain;
-type charger_monitor_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(charger_monitor)
-
-#charger monitor will use uevent, visit sysfs and use the wake lock
-allow charger_monitor self:netlink_kobject_uevent_socket { read create setopt bind };
-allow charger_monitor{
-    sysfs_wake_lock
-    sysfs_battery_supply
-}:file rw_file_perms;
-
-allow charger_monitor sysfs:file w_file_perms;
-allow charger_monitor sysfs_battery_supply:dir r_dir_perms;
-r_dir_file(charger_monitor, sysfs_usb_supply)

common/cnd.te

@@ -1,107 +0,0 @@
-#permissive cnd;
-type cnd, domain, mlstrustedsubject;
-type cnd_exec, exec_type, vendor_file_type, file_type;
-file_type_auto_trans(cnd, socket_device, cnd_socket);
-
-# cnd is started by init, type transit from init domain to cnd domain
-init_daemon_domain(cnd)
-
-# associate netdomain as an attribute of cnd domain
-net_domain(cnd)
-
-allow cnd smem_log_device:chr_file rw_file_perms;
-
-# allow cnd the following capability
-allow cnd self:capability {
-    net_admin
-    sys_module
-    net_bind_service
-};
-
-allow cnd self:capability2 block_suspend;
-
-# socket used to communicate with kernel via the netlink syscall
-allow cnd self:{
-    netlink_tcpdiag_socket
-    netlink_route_socket
-    netlink_socket
-    netlink_generic_socket
-    # allow cnd to perform socket operation on itself
-    socket
-} create_socket_perms_no_ioctl;
-
-# allow cnd to read tcp diagnostics through netlink
-allow cnd self:netlink_tcpdiag_socket nlmsg_read;
-
-# allow cnd to set system property
-set_prop(cnd, system_prop)
-
-# allow cnd to access cnd_data_file
-allow cnd cnd_data_file:file create_file_perms;
-allow cnd cnd_data_file:sock_file { unlink create setattr };
-allow cnd cnd_data_file:dir rw_dir_perms;
-
-# allow cnd to access qmux_radio_socket
-qmux_socket(cnd)
-
-# allow cnd to access wpa_socket
-unix_socket_send(cnd, wpa, hal_wifi_supplicant)
-allow cnd wpa_socket:dir rw_dir_perms;
-allow cnd wpa_socket:sock_file { create unlink setattr };
-allow cnd wifi_data_file:dir r_dir_perms;
-allow cnd wifi_vendor_data_file:dir r_dir_perms;
-allow cnd wifi_vendor_wpa_socket:sock_file write;
-
-# allow cnd to obtain wakelock
-wakelock_use(cnd)
-
-# allow cnd to get appname and use inet socket
-#cnd_nims_socket_perm(appdomain)
-#cnd_nims_socket_perm(system_server)
-#cnd_nims_socket_perm(mediaserver)
-#cnd_nims_socket_perm(mtp)
-#cnd_nims_socket_perm(wfdservice)
-#cnd_nims_socket_perm(drmserver)
-
-# allow cnd to access ipa_dev
-allow cnd ipa_dev:chr_file rw_file_perms;
-
-# allow access to nims
-allow cnd socket_device:dir remove_name;
-
-allow cnd ipacm_data_file:dir r_dir_perms;
-allow cnd ipacm_data_file:file r_file_perms;
-
-# explicitly allow udp socket permissions for appdomain
-#allow cnd appdomain:udp_socket rw_socket_perms;
-
-#allow cnd daemon to invoke hostapd_cli
-allow cnd vendor_shell_exec:file rx_file_perms;
-domain_auto_trans(cnd, hostapd_exec, hostapd)
-allow cnd hostapd_socket:dir r_dir_perms;
-unix_socket_send(cnd, hostapd, hostapd)
-
-# only allow getopt for appdomain
-allow appdomain zygote:unix_dgram_socket getopt;
-dontaudit { domain -appdomain } zygote:unix_dgram_socket getopt;
-
-#diag
-userdebug_or_eng(`
-    diag_use(cnd)
-')
-
-allow cnd proc_meminfo:file r_file_perms;
-allow cnd self:socket ioctl;
-allowxperm cnd self:socket ioctl msm_sock_ipc_ioctls;
-
-allow cnd self:udp_socket ioctl;
-allowxperm cnd self:udp_socket ioctl wlan_sock_ioctls;
-
-allow cnd sysfs:file r_file_perms;
-allow cnd sysfs_data:file r_file_perms;
-
-add_hwservice(cnd, hal_cne_hwservice)
-hwbinder_use(cnd)
-get_prop(cnd, hwservicemanager_prop)
-binder_call(cnd, dataservice_app)
-binder_call(cnd, ims)

common/device.te

@@ -1,154 +0,0 @@
-#Define the logging device type
-type diag_device, dev_type, mlstrustedobject;
-type smem_log_device, dev_type;
-
-#Define the hsic device
-type hsic_device, dev_type;
-
-#Define the mhi device
-type mhi_device, dev_type;
-
-#Define the bhi device
-type bhi_device, dev_type;
-
-#device type for smd device nodes, ie /dev/smd*
-type smd_device, dev_type;
-
-#device type for rmnet device nodes, ie /dev/rmnet_ctrl*
-type rmnet_device, dev_type;
-
-#Define thermal-engine devices
-type thermal_device, dev_type;
-
-#Define vm_bms devices
-type vm_bms_device, dev_type;
-type battery_data_device, dev_type;
-
-#Add qdsp_device type
-type qdsp_device, dev_type, mlstrustedobject;
-type dsp_device, dev_type;
-#Define hvdcp/quickcharge device
-type hvdcp_device, dev_type;
-
-#Define mpdecision device
-type device_latency, dev_type;
-
-#Added for fm_radio device
-type  fm_radio_device, dev_type;
-
-#Add for storage pertitions for EFS partitions
-type modem_efs_partition_device, dev_type;
-
-#Define device for partition links
-type ssd_device, dev_type;
-type rpmb_device, dev_type;
-type sg_device, dev_type;
-type dip_device, dev_type;
-type mdtp_device, dev_type;
-type sd_device, dev_type;
-
-#ESOC device
-type esoc_device, dev_type;
-
-#SSR device
-type ssr_device, dev_type;
-
-#Ramdump device
-type ramdump_device, dev_type;
-
-#Kickstart bridge devices
-type ksbridgehsic_device, dev_type;
-
-#EFS sync bridge devices
-type efsbridgehsic_device, dev_type;
-
-#EFS sync block devices
-type efs_boot_dev, dev_type;
-
-#MBA debug image partition
-type mba_debug_dev, dev_type;
-
-#logdump partition
-type logdump_partition, dev_type;
-
-#Bootselect partition
-type bootselect_device, dev_type;
-
-#define usb_uicc_device for usb_uicc daemon
-type usb_uicc_device, dev_type;
-
-# Define IPA devices
-type ipa_dev, dev_type;
-
-type wcnss_device, dev_type;
-
-# Define spcom device
-type spcom_device, dev_type;
-
-# Define skp device
-type skp_device, dev_type;
-
-# Define sp_ssr device
-type sp_ssr_device, dev_type;
-
-# Define sp_keymaster device
-type sp_keymaster_device, dev_type;
-
-# Define sec_nvm devices
-type sec_nvm_device, dev_type;
-
-# Define cryptoapp device
-type cryptoapp_device, dev_type;
-
-# Define qsee_ipc_irq_spss device
-type qsee_ipc_irq_spss_device, dev_type;
-
-# Define QDSS devices
-type qdss_device, dev_type;
-
-#Define Gadget serial device
-type gadget_serial_device, dev_type;
-
-#energy-awareness device
-type pta_device, dev_type;
-
-#Added for hbtp
-type bu21150_device, dev_type;
-type hbtp_device, dev_type;
-
-#Define qfintverify device
-type qce_device, dev_type;
-type rng_device, dev_type;
-
-#Define system health monitor devices
-type system_health_monitor_device, dev_type;
-
-#Define usf device
-type usf_device, dev_type;
-
-#Define qbt1000 device - ultrasonic fingperprint sensor
-type qbt1000_device, dev_type;
-
-#Define avtimer device
-type avtimer_device, dev_type;
-
-#define AT device
-type at_device, dev_type;
-
-#define Bluetooth device
-type bt_device, dev_type;
-
-#define Wlan device
-type wlan_device, dev_type;
-
-#Define rawdump block device
-type rawdump_block_device, dev_type;
-
-#Block device for A/B partitions
-type custom_ab_block_device, dev_type;
-type xbl_block_device, dev_type;
-type gpt_block_device, dev_type;
-type modem_block_device, dev_type;
-
-#define bgcom char device
-type bg_daemon_device, dev_type;

common/dhcp.te

@@ -1 +0,0 @@
-#unix_socket_connect(dhcp, cnd, cnd)

common/diag.te

@@ -1,45 +0,0 @@
-type diag, domain;
-type diag_exec, exec_type, vendor_file_type, file_type;
-userdebug_or_eng(`
-  domain_auto_trans(shell, diag_exec, diag)
-  #domain_auto_trans(adbd, diag_exec, diag)
-  file_type_auto_trans(diag, system_data_file, diag_data_file);
-  allow diag {
-      diag_device
-      devpts
-      console_device
-      # allow access to qseecom for drmdiagapp
-      tee_device
-  }:chr_file rw_file_perms;
-  allow diag {
-      shell
-      su
-  }:fd use;
-
-  allow diag {
-      cgroup
-      fuse
-      persist_drm_file
-  }:dir create_dir_perms;
-
-  allow diag port:tcp_socket name_connect;
-  allow diag self:capability { setuid net_raw sys_admin setgid dac_override };
-  allow diag self:capability2 syslog;
-  allow diag self:tcp_socket { create connect setopt};
-  wakelock_use(diag)
-  allow diag kernel:system syslog_mod;
-  # allow drmdiagapp access to drm related paths
-  allow diag persist_file:dir r_dir_perms;
-  r_dir_file(diag, persist_data_file)
-  # Write to drm related pieces of persist partition
-  allow diag persist_drm_file:file create_file_perms;
-
-  # For DiagExample daemon
-  init_daemon_domain(diag)
-  net_domain(diag)
-
-  allow diag fuse:dir r_dir_perms;
-  allow diag fuse:file r_file_perms;
-  r_dir_file(diag, storage_file)
-  r_dir_file(diag, mnt_user_file)
-')

common/dnsmasq.te

@@ -1,2 +0,0 @@
-# allow dnsmasq access to netd fifo_file
-allow dnsmasq netd:fifo_file getattr;

common/domain.te

@@ -1,23 +0,0 @@
-r_dir_file(domain, sysfs_socinfo);
-r_dir_file(domain, sysfs_esoc);
-r_dir_file(domain, sysfs_ssr);
-
-dontaudit domain kernel:system module_request;
-
-# Allow all domains read access to sysfs_thermal
-r_dir_file(domain, sysfs_thermal);
-
-# Allow domain to read /vendor -> /system/vendor
-allow domain system_file:lnk_file getattr;
-
-allow { domain - appdomain } debug_gralloc_prop:file r_file_perms;
-
-not_full_treble(`allow domain vendor_file:dir r_dir_perms;')
-
-# Added now for smoother UI
-# Remove this after HIDL implementation
-userdebug_or_eng(`
-allow domain hal_graphics_composer:fd use;
-allow domain qti_debugfs:dir search;
-')
-dontaudit domain persist_dpm_prop:file r_file_perms;

common/dpmd.te

@@ -1,83 +0,0 @@
-#dpmd as domain
-#type dpmd, domain, mlstrustedsubject;
-#type dpmd_exec, exec_type, vendor_file_type, file_type;
-#file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
-#init_daemon_domain(dpmd)
-#net_domain(dpmd)
-#allow dpmd {
- #   dpmd_exec
- #   system_file
-#}:file x_file_perms;
-
-#allow dpmd to access dpm_data_file
-
-#allow dpmd dpmd_data_file:file create_file_perms;
-#allow dpmd dpmd_data_file:dir create_dir_perms;
-
-allow dpmd persist_dpm_prop:file r_file_perms;
-
-allow dpmd sysfs_wake_lock:file rw_file_perms;
-
-allow dpmd sysfs_data:dir r_dir_perms;
-
-allow dpmd sysfs_data:file r_file_perms;
-
-#r_dir_file(dpmd,proc_net)
-
-#allow dpmd self:capability {
- #   setuid
-  #  setgid
-   # dac_override
-#    net_raw chown
- #   fsetid
-  #  net_admin
-   # sys_module
-#}; #Need to check on it . It was present earlier
-
-#socket, self
-allow dpmd smem_log_device:chr_file rw_file_perms;
-#wakelock_use(dpmd) # it was present earlier
-
-set_prop(dpmd, system_prop)
-set_prop(dpmd, ctl_default_prop)
-#misc.
-#allow dpmd vendor_shell_exec:file rx_file_perms;
-
-#permission to unlink dpmwrapper socket
-#allow dpmd socket_device:dir remove_name;
-
-#permission to communicate with cnd_socket for installing iptable rules
-#unix_socket_connect(dpmd, cnd, cnd);
-
-#allow dpmd to create socket
-#allow dpmd self:socket create_socket_perms_no_ioctl;
-#allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
-
-#allow dpmd to write to /proc/net/sys
-#allow dpmd proc_net:file write;
-
-#allow dpmd get appname and use inet socket.
-#dpmd_socket_perm(appdomain)
-#dpmd_socket_perm(system_server)
-#dpmd_socket_perm(mediaserver)
-#dpmd_socket_perm(mtp)
-#dpmd_socket_perm(wfdservice)
-#dpmd_socket_perm(drmserver)
-#dpmd_socket_perm(netd)
-
-#explicitly allow udp socket permissions for appdomain
-#allow dpmd appdomain:udp_socket rw_socket_perms;
-
-#Allow dpmd to acquire lock for iptables
-allow dpmd system_file:file lock;
-
-#Allow dpmd to connect to hal_dpmQMiMgr
-allow dpmd hal_dpmqmi_hwservice:hwservice_manager find;
-get_prop(dpmd, hwservicemanager_prop)
-binder_call(dpmd,hal_dpmQmiMgr)
-hwbinder_use(dpmd)
-
-#diag
-userdebug_or_eng(`
-    diag_use(dpmd)
-')

common/drmserver.te

@@ -1,5 +0,0 @@
-#Address denial logs for drm server accessing firmware file
-r_dir_file(drmserver, firmware_file)
-
-#Address denial logs for drm server accessing qseecom driver
-allow drmserver tee_device:chr_file rw_file_perms;

common/dtsconfigurator.te

@@ -1,8 +0,0 @@
-type dtsconfigurator, domain;
-type dtsconfigurator_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(dtsconfigurator)
-
-allow dtsconfigurator audio_device:dir r_dir_perms;
-allow dtsconfigurator audio_device:chr_file rw_file_perms;

common/dtseagleservice.te

@@ -1,22 +0,0 @@
-type dtseagleservice, domain;
-type dtseagleservice_exec, exec_type, vendor_file_type, file_type;
-
-#Allow for transition from init domain to dtseagleservice
-init_daemon_domain(dtseagleservice)
-
-#Allow dtseagleservice to use Binder IPC
-#binder_use(dtseagleservice)
-
-#Allow dtseagleservice to interact with apps
-binder_call(dtseagleservice, platform_app)
-binder_call(dtseagleservice, system_app)
-
-# Mark dtseagleservice as a Binder service domain
-#binder_service(dtseagleservice)
-
-#Allow dtseagleservice to be registered with service manager
-allow dtseagleservice dtseagleservice_service:service_manager add;
-
-#Allow access to audio drivers
-allow dtseagleservice audio_device:dir r_dir_perms;
-allow dtseagleservice audio_device:chr_file rw_file_perms;

common/energyawareness.te

@@ -1,16 +0,0 @@
-type energyawareness, domain;
-type energyawareness_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(energyawareness)
-
-#allow access to pta and uio interface
-allow energyawareness { pta_device uio_device }:chr_file rw_file_perms;
-
-allow energyawareness self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-allow energyawareness self:capability net_admin;
-
-allow energyawareness sysfs_ea:file w_file_perms;
-
-r_dir_file(energyawareness, sysfs_ea)

common/esepmdaemon.te

@@ -1,56 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type esepmdaemon, domain;
-type esepmdaemon_exec, exec_type, vendor_file_type, file_type;
-
-#Allow for transition from init domain to esepmdaemon
-init_daemon_domain(esepmdaemon)
-
-#Allow esepmdaemon to use Binder IPC
-vndbinder_use(esepmdaemon)
-
-#Allow apps to interact with esepmdaemon
-binder_call(esepmdaemon, system_app)
-
-#Mark esepmdaemon as a Binder service domain
-#binder_service(esepmdaemon)
-
-#Allow esepmdaemon to be registered with service manager
-allow esepmdaemon esepmdaemon_service:service_manager add;
-
-#Allow access to nfc device
-allow esepmdaemon nfc_device:chr_file rw_file_perms;
-
-# Allow esepmdaemon to load firmware images
-r_dir_file(esepmdaemon, firmware_file);
-
-# Allow esepmdaemon to interract with ion_device
-allow esepmdaemon ion_device:chr_file r_file_perms;
-
-# Allow esepmdaemon to interract with qseecom
-allow esepmdaemon tee_device:chr_file rw_file_perms;

common/fidodaemon.te

@@ -1,27 +0,0 @@
-type fidodaemon, domain;
-type fidodaemon_exec, exec_type, vendor_file_type, file_type;
-
-#Allow for transition from init domain to fidodaemon
-init_daemon_domain(fidodaemon)
-
-#Allow fidodaemon to use Binder IPC
-#binder_use(fidodaemon)
-
-#Allow apps to interact with fidodaemon
-binder_call(fidodaemon, platform_app)
-binder_call(fidodaemon, system_app)
-
-#Mark fidodaemon as a Binder service domain
-#binder_service(fidodaemon)
-
-#Allow fidodaemon to be registered with service manager
-allow fidodaemon fidodaemon_service:service_manager add;
-
-#Allow communication with init over property server
-unix_socket_connect(fidodaemon, property, init);
-
-#Allow access to tee device
-allow fidodaemon tee_device:chr_file rw_file_perms;
-
-#Allow access to firmware
-r_dir_file(fidodaemon, firmware_file)

common/file.te

@@ -1,285 +0,0 @@
-# Default type for anything under /firmware.
-type firmware_file, fs_type, contextmount_type;
-
-#Define the qmux socket type
-type qmuxd_socket, file_type;
-
-#Define the netmgrd socket type
-type netmgrd_socket, file_type;
-
-#Define the pps socket type
-type pps_socket, file_type;
-
-# Define cnd socket and data file type
-type cnd_socket, file_type, mlstrustedobject;
-type cnd_data_file, file_type;
-
-# Define dpmd data file type
-#type dpmd_socket, file_type;
-#type dpmwrapper_socket, file_type, mlstrustedobject;
-#type dpmd_data_file, file_type, data_file_type;
-#typealias system_app_data_file alias dpmd_app_data_file;
-#typealias system_app_data_file alias qtitetherservice_app_data_file;
-
-#Define the timeout for platform specific transports
-type sysfs_hsic_modem_wait, sysfs_type, fs_type;
-type sysfs_smd_open_timeout, sysfs_type, fs_type;
-
-#Define the files written during the operation of netmgrd and qmuxd
-type netmgrd_data_file, file_type, data_file_type;
-type data_test_data_file, file_type, data_file_type;
-type sysrq_trigger_proc, fs_type, mlstrustedobject;
-# Persist file types
-type persist_file, file_type;
-type persist_bluetooth_file, file_type;
-type persist_data_file, file_type;
-type persist_drm_file, file_type;
-type data_qsee_file, file_type;
-type data_qtee_file, file_type, data_file_type;
-type persist_misc_file, file_type;
-type persist_bms_file, file_type;
-type persist_secnvm_file, file_type;
-
-type diag_data_file, file_type, data_file_type;
-
-#file type for restricting proc read by audiod
-type proc_audiod, fs_type;
-
-#file type for irqbalance socket
-type msm_irqbalance_socket, file_type;
-
-# Sensor file types
-type sensors_socket, file_type;
-type sensors_data_file, file_type, data_file_type;
-type sensors_persist_file, file_type;
-
-#type for thermal-engine
-type thermal_socket, file_type;
-#type for uart
-type sysfs_msmuart_file, sysfs_type, fs_type;
-
-# Storage RFS file types
-type rfs_file, file_type, data_file_type;
-type rfs_system_file, file_type;
-type rfs_shared_hlos_file, file_type, data_file_type;
-
-#mm-pp-daemon file type for sysfs access
-#type sysfs_leds, fs_type, sysfs_type;
-
-#Define the files written during the operation of mm-pp-daemon
-type data_ad_calib_cfg, file_type, data_file_type;
-
-#SurfaceFlinger file type for sysfs access
-type sysfs_graphics, sysfs_type, fs_type;
-
-# USB/battery power supply type for hvdcp/quickcharge
-type sysfs_usb_supply, sysfs_type, fs_type;
-type sysfs_battery_supply, sysfs_type, fs_type;
-type sysfs_usbpd_device, sysfs_type, fs_type;
-
-#Define the files written during the operation of mpdecision
-type sysfs_mpdecision, fs_type, sysfs_type;
-type sysfs_rqstats, fs_type, sysfs_type;
-type sysfs_cpu_online, fs_type, sysfs_type;
-type mpctl_socket, file_type, mlstrustedobject;
-type mpctl_data_file, file_type, data_file_type;
-
-type sysfs_devfreq, fs_type, sysfs_type;
-type sysfs_lpm, fs_type, sysfs_type;
-type sysfs_mmc_host, fs_type, sysfs_type;
-type sysfs_scsi_host, fs_type, sysfs_type;
-type sysfs_cpu_boost, fs_type, sysfs_type;
-type sysfs_msm_perf, fs_type, sysfs_type;
-type sysfs_memory, fs_type, sysfs_type;
-
-#define the files writer during the operation of app state changes
-type gamed_socket, file_type;
-
-#define the files writter during the operatio of iop
-type iop_socket, file_type;
-type iop_data_file, file_type, data_file_type;
-
-# SPSS Apps images location
-type spss_data_file, file_type, data_file_type;
-
-#mm-qcamera-daemon socket
-type camera_socket, file_type;
-
-#Socket node needed by ims_data daemon
-type ims_socket, file_type;
-
-#mink-lowi-interface-daemon (mlid) socket
-type mlid_socket, file_type, mlstrustedobject;
-
-#ssg qmi gateway daemon socket
-type ssgqmig_socket, file_type, mlstrustedobject;
-
-#ssg tz daemon socket
-type ssgtzd_socket, file_type, mlstrustedobject;
-
-#location file types
-type location_data_file, file_type, data_file_type;
-type location_socket, file_type;
-type location_app_data_file, file_type, data_file_type;
-
-#File types required by mdm-helper
-type sysfs_esoc, sysfs_type, fs_type;
-type sysfs_ssr,  sysfs_type, fs_type;
-type sysfs_ssr_toggle,  sysfs_type, file_type;
-type sysfs_hsic, sysfs_type, fs_type;
-type sysfs_hsic_host_rdy, sysfs_type, file_type;
-
-# Files accessed by qcom-system-daemon
-type sysfs_socinfo, fs_type, sysfs_type;
-
-#Define the sysfs files for usb_uicc_daemon
-type sysfs_usb_uicc, sysfs_type, fs_type;
-
-type qlogd_socket, file_type, mlstrustedobject;
-type qlogd_data_file, file_type;
-#Defines the files (configs, dumps, etc) used by display processes
-type display_misc_file, file_type, data_file_type;
-
-#Define the files for the operation of QDCM
-type persist_display_file, file_type;
-
-# IPA file types
-type ipacm_socket, file_type;
-type ipacm_data_file, file_type;
-
-# Port-bridge file types
-type port_bridge_data_file, file_type, data_file_type;
-
-type fm_data_file, file_type, data_file_type;
-
-#Define the files written during the operation of mmi
-type mmi_data_file, file_type, data_file_type;
-
-#bluetooth firmware file types
-type bt_firmware_file, fs_type, contextmount_type;
-
-#needed by vold
-type  proc_dirty_ratio, fs_type;
-
-#File types by mmi
-type mmi_socket, file_type;
-
-# hbtp config file
-type hbtp_cfg_file, file_type;
-type hbtp_log_file, file_type;
-type hbtp_kernel_sysfs, file_type, sysfs_type;
-
-#Define the files written during the operation of usf
-type usf_data_file, file_type, data_file_type;
-type persist_usf_file, file_type;
-
-#qfp-daemon
-type qfp-daemon_data_file, file_type, data_file_type;
-type persist_qti_fp_file, file_type;
-
-# dts notifier files
-type dts_data_file, file_type, data_file_type;
-
-#qsee_svc_app file types
-type qsee_svc_app_data_file, file_type, data_file_type;
-
-# imshelper_app file types
-type imshelper_app_data_file, file_type, data_file_type;
-
-# RIDL data files
-type RIDL_data_file, file_type, data_file_type;
-type RIDL_socket, file_type;
-
-# qti_logkit data files (privileged and public)
-type qti_logkit_priv_data_file, file_type, data_file_type;
-type qti_logkit_pub_data_file, file_type, data_file_type;
-type qti_logkit_priv_socket, file_type;
-type qti_logkit_pub_socket, file_type, mlstrustedobject;
-
-# used for /dsp files
-type adsprpcd_file, file_type, mlstrustedobject;
-
-# audio pp notifier files
-type audio_pp_data_file, file_type, data_file_type;
-
-#mdtp_svc_app file types
-type mdtp_svc_app_data_file, file_type, data_file_type;
-
-# subsystem_ramdump files
-type ssr_ramdump_data_file, file_type, data_file_type;
-
-# Regionalization files
-type regionalization_file, file_type;
-
-# /data/system/swap/swapfile - swapfile
-type swap_data_file, file_type, data_file_type;
-
-# dynamic nv files
-type dynamic_nv_data_file, file_type, data_file_type;
-
-# Wifi Data file
-type wifi_vendor_data_file, file_type, data_file_type;
-type wifi_vendor_wpa_socket, file_type;
-type wifi_vendor_hostapd_socket, file_type;
-
-# wififtmd socket file
-type wififtmd_socket, file_type;
-
-type persist_alarm_file, file_type;
-
-type persist_time_file, file_type;
-
-# kgsl file type for sysfs access
-type sysfs_kgsl, sysfs_type, fs_type;
-
-# secure touch files
-type sysfs_securetouch, fs_type, sysfs_type;
-
-#data sysfs  files
-type sysfs_data, fs_type, sysfs_type;
-
-#diag sysfs files
-type sysfs_diag, fs_type, sysfs_type;
-
-#laser sysfs files
-type sysfs_laser, fs_type, sysfs_type;
-
-# QDMA data files
-type qdma_data_file, file_type, data_file_type;
-type qdma_app_data_file, file_type, data_file_type;
-
-# path to debugfs use this whic should be only used
-# in debug builds
-type qti_debugfs, fs_type, debugfs_type;
-
-# vendor radio files
-type vendor_radio_data_file, file_type, data_file_type;
-
-#irq balance sysfs type
-type sysfs_irqbalance , sysfs_type, fs_type;
-
-# vpp files
-type vpp_data_file, file_type, data_file_type;
-type persist_vpp_file, file_type;
-# vendor camera files
-type vendor_camera_data_file, file_type, data_file_type;
-
-# wigig, fstman
-type sysfs_bond0, fs_type, sysfs_type;
-type sysfs_wigig, fs_type, sysfs_type;
-
-# wigig_hostapd
-type wigig_hostapd_socket, file_type;
-
-# ea sysfs files
-type sysfs_ea, fs_type, sysfs_type;
-
-#audio sysfs files
-type sysfs_audio, fs_type, sysfs_type;
-
-# lpm sysfs files
-type sysfs_msm_stats, fs_type, sysfs_type;
-type sysfs_msm_power, fs_type, sysfs_type;
-
-# Data type for QVOP
-type qvop-daemon_data_file, file_type, data_file_type;

common/file_contexts

@@ -1,596 +0,0 @@
-###################################
-# Dev nodes
-#
-/dev/adsprpc-smd                                u:object_r:qdsp_device:s0
-/dev/cpu_dma_latency                            u:object_r:device_latency:s0
-/dev/diag                                       u:object_r:diag_device:s0
-/dev/hsicctl.*                                  u:object_r:hsic_device:s0
-/dev/kgsl-3d0                                   u:object_r:gpu_device:s0
-/dev/mhi_pipe_.*                                u:object_r:mhi_device:s0
-/dev/bhi                                        u:object_r:bhi_device:s0
-/dev/msm_.*                                     u:object_r:audio_device:s0
-/dev/wcd_dsp0_control                           u:object_r:audio_device:s0
-/dev/wcd-dsp-glink                              u:object_r:audio_device:s0
-/dev/usf1                                       u:object_r:usf_device:s0
-/dev/msm_dsps                                   u:object_r:sensors_device:s0
-/dev/msm_thermal_query                          u:object_r:thermal_device:s0
-/dev/nfc-nci                                    u:object_r:nfc_device:s0
-/dev/nq-nci                                     u:object_r:nfc_device:s0
-/dev/qseecom                                    u:object_r:tee_device:s0
-/dev/spcom                                      u:object_r:spcom_device:s0
-/dev/sp_kernel                                  u:object_r:skp_device:s0
-/dev/sp_ssr                                     u:object_r:sp_ssr_device:s0
-/dev/sec_nvm_sp_kernel                          u:object_r:sec_nvm_device:s0
-/dev/sec_nvm_jcos                               u:object_r:sec_nvm_device:s0
-/dev/sec_nvm_spiris                             u:object_r:sec_nvm_device:s0
-/dev/sec_nvm_keymaster                          u:object_r:sec_nvm_device:s0
-/dev/sec_nvm_iuicc                              u:object_r:sec_nvm_device:s0
-/dev/sp_keymaster                               u:object_r:sp_keymaster_device:s0
-/dev/cryptoapp                                  u:object_r:cryptoapp_device:s0
-/dev/qsee_ipc_irq_spss                          u:object_r:qsee_ipc_irq_spss_device:s0
-/dev/radio0                                     u:object_r:fm_radio_device:s0
-/dev/btpower                                    u:object_r:bt_device:s0
-/dev/rtc0                                       u:object_r:rtc_device:s0
-/dev/sdsprpc-smd                                u:object_r:dsp_device:s0
-/dev/sensors                                    u:object_r:sensors_device:s0
-/dev/smd.*                                      u:object_r:smd_device:s0
-/dev/smem_log                                   u:object_r:smem_log_device:s0
-/dev/ttyHSL0                                    u:object_r:console_device:s0
-/dev/ttyMSM0                                    u:object_r:console_device:s0
-/dev/ttyHS[0-9]*                                u:object_r:serial_device:s0
-/dev/ttyGS0                                     u:object_r:gadget_serial_device:s0
-/dev/usb_ext_chg                                u:object_r:hvdcp_device:s0
-/dev/media([0-9])+                              u:object_r:video_device:s0
-/dev/jpeg[0-9]*                                 u:object_r:video_device:s0
-/dev/v4l-subdev.*                               u:object_r:video_device:s0
-/dev/vm_bms                                     u:object_r:vm_bms_device:s0
-/dev/battery_data                               u:object_r:battery_data_device:s0
-/dev/block/mmcblk1                              u:object_r:sd_device:s0
-/dev/block/mmcblk1p1                            u:object_r:sd_device:s0
-/dev/ccid_bridge                                u:object_r:usb_uicc_device:s0
-/dev/subsys_.*                                  u:object_r:ssr_device:s0
-/dev/ramdump_.*                                 u:object_r:ramdump_device:s0
-/dev/esoc.*                                     u:object_r:esoc_device:s0
-/dev/ks_hsic_bridge                             u:object_r:ksbridgehsic_device:s0
-/dev/efs_hsic_bridge                            u:object_r:efsbridgehsic_device:s0
-/dev/ipa                                        u:object_r:ipa_dev:s0
-/dev/wwan_ioctl                                 u:object_r:ipa_dev:s0
-/dev/ipaNatTable                                u:object_r:ipa_dev:s0
-/dev/rmnet_ctrl.*                               u:object_r:rmnet_device:s0
-/dev/dpl_ctrl                                   u:object_r:rmnet_device:s0
-/dev/wcnss_ctrl                                 u:object_r:wcnss_device:s0
-/dev/wcnss_wlan                                 u:object_r:wcnss_device:s0
-/dev/pta                                        u:object_r:pta_device:s0
-/dev/mdss_rotator                               u:object_r:graphics_device:s0
-/dev/hbtp_input                                 u:object_r:hbtp_device:s0
-/dev/hbtp_vm                                    u:object_r:hbtp_device:s0
-/dev/jdi-bu21150                                u:object_r:bu21150_device:s0
-/dev/avtimer                                    u:object_r:avtimer_device:s0
-/dev/coresight-stm                              u:object_r:qdss_device:s0
-/dev/coresight-tmc-etf                          u:object_r:qdss_device:s0
-/dev/coresight-tmc-etr                          u:object_r:qdss_device:s0
-/dev/coresight-tmc-etr-stream                   u:object_r:qdss_device:s0
-/dev/system_health_monitor                      u:object_r:system_health_monitor_device:s0
-/dev/qce                                        u:object_r:qce_device:s0
-/dev/msm-rng                                    u:object_r:rng_device:s0
-/dev/qbt1000                                    u:object_r:qbt1000_device:s0
-/dev/at_.*                                      u:object_r:at_device:s0
-/dev/sg.*                                       u:object_r:sg_device:s0
-/dev/dri/card0                                  u:object_r:graphics_device:s0
-/dev/dri/controlD64                             u:object_r:graphics_device:s0
-/dev/dri/renderD128                             u:object_r:graphics_device:s0
-/dev/wlan                                       u:object_r:wlan_device:s0
-/dev/bg_com_dev                                 u:object_r:bg_daemon_device:s0
-
-###################################
-# Dev block nodes
-#
-/dev/block/bootdevice/by-name/modemst1          u:object_r:modem_efs_partition_device:s0
-/dev/block/bootdevice/by-name/modemst2          u:object_r:modem_efs_partition_device:s0
-/dev/block/bootdevice/by-name/fsg               u:object_r:modem_efs_partition_device:s0
-/dev/block/bootdevice/by-name/fsc               u:object_r:modem_efs_partition_device:s0
-/dev/block/bootdevice/by-name/ssd               u:object_r:ssd_device:s0
-/dev/block/bootdevice/by-name/misc              u:object_r:misc_block_device:s0
-#/dev/block/mmcblk0p13                          u:object_r:bootselect_device:s0
-/dev/block/zram0                                u:object_r:swap_block_device:s0
-/dev/block/bootdevice/by-name/dip               u:object_r:dip_device:s0
-/dev/block/bootdevice/by-name/mdtp              u:object_r:mdtp_device:s0
-/dev/block/bootdevice/by-name/logdump           u:object_r:logdump_partition:s0
-
-###################################
-# Dev socket nodes
-#
-/dev/socket/qmux_audio(/.*)?                    u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_bluetooth(/.*)?                u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_gps(/.*)?                      u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_radio(/.*)?                    u:object_r:qmuxd_socket:s0
-/dev/socket/qmux_nfc(/.*)?                      u:object_r:qmuxd_socket:s0
-/dev/socket/netmgr(/.*)?                        u:object_r:netmgrd_socket:s0
-/dev/socket/sensor_ctl_socket                   u:object_r:sensors_socket:s0
-/dev/socket/cnd                                 u:object_r:cnd_socket:s0
-/dev/socket/nims                                u:object_r:cnd_socket:s0
-/dev/socket/thermal-send-client                 u:object_r:thermal_socket:s0
-/dev/socket/thermal-recv-client                 u:object_r:thermal_socket:s0
-/dev/socket/thermal-recv-passive-client         u:object_r:thermal_socket:s0
-/dev/socket/thermal-send-rule                   u:object_r:thermal_socket:s0
-/dev/socket/ims_qmid                            u:object_r:ims_socket:s0
-/dev/socket/ims_datad                           u:object_r:ims_socket:s0
-/dev/socket/gamed                               u:object_r:gamed_socket:s0
-/dev/socket/iop                                 u:object_r:iop_socket:s0
-/dev/socket/qlogd                               u:object_r:qlogd_socket:s0
-/dev/socket/ipacm_log_file                      u:object_r:ipacm_socket:s0
-#/dev/socket/dpmd                                u:object_r:dpmd_socket:s0
-#/dev/socket/dpmwrapper                          u:object_r:dpmwrapper_socket:s0
-/dev/socket/pps                                 u:object_r:pps_socket:s0
-/dev/socket/rild2                               u:object_r:rild_socket:s0
-/dev/socket/rild2-debug                         u:object_r:rild_debug_socket:s0
-/dev/socket/rild-debug2                         u:object_r:rild_debug_socket:s0
-/dev/socket/rild3                               u:object_r:rild_socket:s0
-/dev/socket/rild3-debug                         u:object_r:rild_debug_socket:s0
-/dev/socket/rild-debug3                         u:object_r:rild_debug_socket:s0
-/dev/socket/msm_irqbalance                      u:object_r:msm_irqbalance_socket:s0
-/dev/socket/mlid                                u:object_r:mlid_socket:s0
-/dev/socket/ssgqmig                             u:object_r:ssgqmig_socket:s0
-/dev/socket/ssgtzd                              u:object_r:ssgtzd_socket:s0
-/dev/socket/wififtmd_server                     u:object_r:wififtmd_socket:s0
-/dev/socket/wpa_wigig[0-9]                      u:object_r:wpa_socket:s0
-
-###################################
-# System files
-#
-/(vendor|system/vendor)/bin/ATFWD-daemon        u:object_r:atfwd_exec:s0
-/(vendor|system/vendor)/bin/PktRspTest          u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/audiod              u:object_r:audiod_exec:s0
-/(vendor|system/vendor)/bin/nqnfcinfo           u:object_r:nqnfcinfo_exec:s0
-/(vendor|system/vendor)/bin/charger_monitor                     u:object_r:charger_monitor_exec:s0
-/(vendor|system/vendor)/bin/hvdcp_opti          u:object_r:hvdcp_exec:s0
-/(vendor|system/vendor)/bin/cnd                 u:object_r:cnd_exec:s0
-/(vendor|system/vendor)/bin/diag_callback_client                u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_dci_sample                     u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_klog                           u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_mdlog                          u:object_r:qlogd_exec:s0
-/(vendor|system/vendor)/bin/drmdiagapp          u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_qshrink4_daemon                u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_socket_log                     u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_uart_log                       u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/diag_buffering_test                 u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/irsc_util                           u:object_r:irsc_util_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.sh              u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.class_core\.sh  u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.bt\.sh          u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.early_boot\.sh  u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.class_main\.sh        u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.post_boot\.sh   u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.sensors\.sh     u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.usb\.sh         u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.mdm\.sh                   u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.mdm\.crashdata\.sh        u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.syspart_fixup\.sh   u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/hcidump.sh                      u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/hsic\.control\.bt\.sh           u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.ath3k\.bt\.sh             u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.crda\.sh                  u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.coex\.sh            u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.debug-sdm660\.sh    u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.debug\.sh           u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.efs\.sync\.sh       u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qti\.fm\.sh               u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.sdio\.sh            u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.uicc\.sh            u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qcom\.wifi\.sh            u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/init\.qti\.ims\.sh              u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/qca6234-service.sh              u:object_r:qti_init_shell_exec:s0
-/(vendor|system/vendor)/bin/mm-pp-daemon        u:object_r:mm-pp-daemon_exec:s0
-/(vendor|system/vendor)/bin/mm-pp-dpps          u:object_r:mm-pp-daemon_exec:s0
-/(vendor|system/vendor)/bin/mmi                 u:object_r:mmi_exec:s0
-/(vendor|system/vendor)/bin/mpdecision          u:object_r:mpdecision_exec:s0
-/(vendor|system/vendor)/bin/gamed               u:object_r:gamed_exec:s0
-/(vendor|system/vendor)/bin/msm_irqbalance	u:object_r:msm_irqbalanced_exec:s0
-/(vendor|system/vendor)/bin/imsdatadaemon       u:object_r:ims_exec:s0
-/(vendor|system/vendor)/bin/imsqmidaemon        u:object_r:ims_exec:s0
-/(vendor|system/vendor)/bin/ims_rtp_daemon      u:object_r:hal_imsrtp_exec:s0
-/(vendor|system/vendor)/bin/netmgrd             u:object_r:netmgrd_exec:s0
-/(vendor|system/vendor)/bin/qmuxd               u:object_r:qmuxd_exec:s0
-/(vendor|system/vendor)/bin/port-bridge         u:object_r:port-bridge_exec:s0
-/(vendor|system/vendor)/bin/sensors.qcom        u:object_r:sensors_exec:s0
-/(vendor|system/vendor)/bin/test_diag           u:object_r:diag_exec:s0
-/(vendor|system/vendor)/bin/thermal-engine      u:object_r:thermal-engine_exec:s0
-/(vendor|system/vendor)/bin/vm_bms                              u:object_r:vm_bms_exec:s0
-/(vendor|system/vendor)/bin/mm-qcamera-daemon   u:object_r:mm-qcamerad_exec:s0
-/(vendor|system/vendor)/bin/qfp-daemon          u:object_r:qfp-daemon_exec:s0
-/(vendor|system/vendor)/bin/qvop-daemon         u:object_r:qvop-daemon_exec:s0
-/system/rfs.*                                   u:object_r:rfs_system_file:s0
-/(vendor|system/vendor)/bin/time_daemon         u:object_r:time_daemon_exec:s0
-/(vendor|system/vendor)/bin/rmt_storage         u:object_r:rmt_storage_exec:s0
-/(vendor|system/vendor)/bin/rfs_access          u:object_r:rfs_access_exec:s0
-/(vendor|system/vendor)/bin/tftp_server         u:object_r:rfs_access_exec:s0
-/(vendor|system/vendor)/bin/hvdcp                               u:object_r:hvdcp_exec:s0
-/(vendor|system/vendor)/bin/qseecomd            u:object_r:tee_exec:s0
-/(vendor|system/vendor)/bin/bg_daemon           u:object_r:bg_daemon_exec:s0
-/(vendor|system/vendor)/bin/spdaemon            u:object_r:spdaemon_exec:s0
-/(vendor|system/vendor)/bin/cnss-daemon         u:object_r:wcnss_service_exec:s0
-/(vendor|system/vendor)/bin/hostapd_cli         u:object_r:hostapd_exec:s0
-/(vendor|system/vendor)/bin/adsprpcd            u:object_r:adsprpcd_exec:s0
-/(vendor|system/vendor)/bin/wpa_cli             u:object_r:wcnss_service_exec:s0
-/(vendor|system/vendor)/bin/mdm_helper          u:object_r:mdm_helper_exec:s0
-/(vendor|system/vendor)/bin/mdm_helper_proxy    u:object_r:mdm_helper_exec:s0
-/(vendor|system/vendor)/bin/ks                                  u:object_r:mdm_helper_exec:s0
-/(vendor|system/vendor)/bin/pm-service          u:object_r:per_mgr_exec:s0
-/(vendor|system/vendor)/bin/pm-proxy            u:object_r:per_mgr_exec:s0
-/(vendor|system/vendor)/bin/pd-mapper           u:object_r:pd_mapper_exec:s0
-/(vendor|system/vendor)/bin/pd-api-test         u:object_r:pd_mapper_exec:s0
-/(vendor|system/vendor)/bin/usb_uicc_client                     u:object_r:usb_uicc_daemon_exec:s0
-/(vendor|system/vendor)/bin/qcom-system-daemon  u:object_r:qcomsysd_exec:s0
-/(vendor|system/vendor)/bin/poweroffhandler                     u:object_r:poweroffhandler_exec:s0
-/(vendor|system/vendor)/xbin/qlogd                              u:object_r:qlogd_exec:s0
-/(vendor|system/vendor)/bin/ipacm                               u:object_r:ipacm_exec:s0
-/(vendor|system/vendor)/bin/ipacm-diag          u:object_r:ipacm-diag_exec:s0
-/(vendor|system/vendor)/bin/dpmQmiMgr           u:object_r:hal_dpmQmiMgr_exec:s0
-#/(vendor|system/vendor)/bin/dpmd                                u:object_r:dpmd_exec:s0
-/(vendor|system/vendor)/bin/ssr_setup           u:object_r:ssr_setup_exec:s0
-/(vendor|system/vendor)/bin/subsystem_ramdump   u:object_r:subsystem_ramdump_exec:s0
-/(vendor|system/vendor)/bin/ssr_diag            u:object_r:ssr_diag_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.0-service-qti u:object_r:hal_gnss_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.gnss@1\.0-service u:object_r:hal_gnss_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.0-service-qti  u:object_r:hal_bluetooth_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.display\.color@1\.0-service            u:object_r:hal_display_color_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.perf@1\.0-service       u:object_r:hal_perf_default_exec:s0
-/(vendor|system/vendor)/bin/ssgqmigd            u:object_r:ssgqmigd_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.iop@1\.0-service        u:object_r:hal_iop_default_exec:s0
-/(vendor|system/vendor)/bin/mlid                u:object_r:mlid_exec:s0
-/(vendor|system/vendor)/bin/ssgtzd              u:object_r:ssgtzd_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.esepowermanager@1\.0-service u:object_r:hal_esepowermanager_qti_exec:s0
-/(vendor|system/vendor)/bin/loc_launcher        u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/lowi-server         u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/xtwifi-inet-agent   u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/xtwifi-client       u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/garden_app          u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/DR_AP_Service       u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/slim_daemon         u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/xtra-daemon         u:object_r:location_exec:s0
-/(vendor|system/vendor)/bin/energy-awareness    u:object_r:energyawareness_exec:s0
-/(vendor|system/vendor)/bin/fidodaemon          u:object_r:fidodaemon_exec:s0
-/(vendor|system/vendor)/bin/esepmdaemon         u:object_r:esepmdaemon_exec:s0
-/(vendor|system/vendor)/bin/secotad             u:object_r:secotad_exec:s0
-/(vendor|system/vendor)/bin/qseeproxydaemon     u:object_r:qseeproxy_exec:s0
-/(vendor|system/vendor)/bin/dts_configurator    u:object_r:dtsconfigurator_exec:s0
-/(vendor|system/vendor)/bin/dts_eagle_service   u:object_r:dtseagleservice_exec:s0
-/(vendor|system/vendor)/bin/qti                 u:object_r:qti_exec:s0
-/(vendor|system/vendor)/bin/wcnss_service       u:object_r:wcnss_service_exec:s0
-/(vendor|system/vendor)/bin/hbtp_daemon         u:object_r:hbtp_exec:s0
-/(vendor|system/vendor)/bin/touch_fusion        u:object_r:touchfusion_exec:s0
-/(vendor|system/vendor)/bin/seemp_healthd       u:object_r:seemp_health_daemon_exec:s0
-/(vendor|system/vendor)/bin/sapd                                u:object_r:sapd_exec:s0
-/(vendor|system/vendor)/bin/btnvtool            u:object_r:btnvtool_exec:s0
-/(vendor|system/vendor)/bin/btsnoop                             u:object_r:btsnoop_exec:s0
-/(vendor|system/vendor)/bin/bt_logger                           u:object_r:bt_logger_exec:s0
-/system/bin/wfdservice                          u:object_r:wfdservice_exec:s0
-/(vendor|system/vendor)/bin/wifidisplayhalservice               u:object_r:wifidisplayhalservice_qti_exec:s0
-/(vendor|system/vendor)/bin/wcnss_filter        u:object_r:wcnss_filter_exec:s0
-/(vendor|system/vendor)/bin/fmhal_service                       u:object_r:fmhal_service_exec:s0
-/(vendor|system/vendor)/bin/usf_epos            u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_gesture         u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_hovering        u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_p2p             u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_proximity       u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_sync_gesture    u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_sw_calib        u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_pairing         u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/usf_tester          u:object_r:usf_exec:s0
-/(vendor|system/vendor)/bin/LKCore              u:object_r:qti_logkit_exec:s0
-/(vendor|system/vendor)/bin/tbaseLoader         u:object_r:tbaseLoader_exec:s0
-/(vendor|system/vendor)/bin/mcStarter           u:object_r:mcStarter_exec:s0
-/(vendor|system/vendor)/bin/fstman              u:object_r:fstman_exec:s0
-/(vendor|system/vendor)/bin/wigighalsvc         u:object_r:wigighalsvc_exec:s0
-/(vendor|system/vendor)/bin/mdtpd               u:object_r:mdtpdaemon_exec:s0
-/(vendor|system/vendor)/bin/wifi_ftmd           u:object_r:wifi_ftmd_exec:s0
-/(vendor|system/vendor)/bin/fingerprint.qcom    u:object_r:fps_hal_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.keymaster@3\.0-service-qti u:object_r:hal_keymaster_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.gatekeeper@1\.0-service-qti u:object_r:hal_gatekeeper_qti_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.nxp\.hardware\.nfc@1\.0-service     u:object_r:hal_nfc_default_exec:s0
-/(vendor|system/vendor)/bin/qdmastatsd          u:object_r:qdmastatsd_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.alarm@1\.0-service      u:object_r:hal_alarm_qti_default_exec:s0
-/(vendor|system/vendor)/bin/imsrcsd             u:object_r:hal_rcsservice_exec:s0
-/(vendor|system/vendor)/bin/vppservice          u:object_r:vppservice_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.qti\.hardware\.qteeconnector@1\.0-service u:object_r:hal_qteeconnector_qti_exec:s0
-/(vendor|system/vendor)/bin/fm_qsoc_patches     u:object_r:fm_qsoc_patches_exec:s0
-
-###################################
-# sysfs files
-#
-/sys/class/graphics/fb0/mdp/caps                                    u:object_r:sysfs_graphics:s0
-/sys/class/thermal(/.*)?                                            u:object_r:sysfs_thermal:s0
-/sys/devices/[^/]+bcl[^/]+(/.*)?                                    u:object_r:sysfs_thermal:s0
-/sys/devices/f9200000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
-/sys/devices/msm_dwc3/power_supply/usb(/.*)?                        u:object_r:sysfs_usb_supply:s0
-/sys/devices/msm_otg/power_supply/usb(/.*)?                         u:object_r:sysfs_usb_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/usb(/.*)?        u:object_r:sysfs_usb_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/pc_port(/.*)?    u:object_r:sysfs_usb_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.i2c/i2c-[0-9]+/[0-9]+-[0-9]+/[a-z0-9]+.i2c:qcom,[a-z0-9]+@[0-9]:qcom,smb[0-9]+-charger@[0-9]+/power_supply/parallel(/.*)?    u:object_r:sysfs_usb_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,usb-pdphy@[0-9]+/usbpd/usbpd[0-9](/.*)?    u:object_r:sysfs_usbpd_device:s0
-/sys/devices/platform/battery_current_limit                         u:object_r:sysfs_thermal:s0
-/sys/devices/qpnp-charger.*/power_supply/battery(/.*)?              u:object_r:sysfs_battery_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,qpnp-smb2/power_supply/battery(/.*)?    u:object_r:sysfs_battery_supply:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,spmi/spmi-[0-9]/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qpnp,fg/power_supply/bms(/.*)?               u:object_r:sysfs_battery_supply:s0
-/sys/class/qcom-battery(/.*)?              u:object_r:sysfs_battery_supply:s0
-/sys/devices(/platform)?/soc/qpnp-linear-charger-[a-z0-9]+/power_supply/battery(/.*)?    u:object_r:sysfs_battery_supply:s0
-/sys/devices(/platform)?/soc/qpnp-vm-bms-[a-z0-9]+/power_supply/bms(/.*)?    u:object_r:sysfs_battery_supply:s0
-/sys/kernel/irq_helper/irq_blacklist_on                             u:object_r:sysfs_irqbalance:s0
-/sys/devices/virtual/graphics/fb([0-3])+/idle_time                  u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/dynamic_fps                u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/product_description        u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/vendor_name                u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/hdcp/tp                    u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_status        u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/hsicctl/hsicctl1[0-9]/modem_wait               u:object_r:sysfs_hsic_modem_wait:s0
-/sys/devices/virtual/hsicctl/hsicctl[0-9]/modem_wait                u:object_r:sysfs_hsic_modem_wait:s0
-/sys/devices/virtual/net/bond0/bonding/queue_id                     u:object_r:sysfs_bond0:s0
-/sys/devices/virtual/net/bond0/queues/rx-0/rps_cpus                 u:object_r:sysfs_bond0:s0
-/sys/devices/virtual/smdpkt/smdcntl1[0-9]/open_timeout              u:object_r:sysfs_smd_open_timeout:s0
-/sys/devices/virtual/smdpkt/smdcntl[0-9]/open_timeout               u:object_r:sysfs_smd_open_timeout:s0
-/sys/devices/virtual/thermal(/.*)?                                  u:object_r:sysfs_thermal:s0
-/sys/module/msm_serial_hs/parameters/debug_mask                     u:object_r:sysfs_msmuart_file:s0
-/sys/module/msm_thermal(/.*)?                                       u:object_r:sysfs_thermal:s0
-/sys/module/msm_thermal/core_control/cpus_offlined                  u:object_r:sysfs_mpdecision:s0
-/sys/devices/f9a55000.*/power_supply/usb(/.*)?                      u:object_r:sysfs_usb_supply:s0
-/sys/devices/virtual/graphics/fb([0-3])+/hpd                        u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/res_info                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/s3d_mode                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_panel_info          u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_type                u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_split               u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/show_blank_event           u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/bl_event                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/ad_event                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/ad_bl_event                u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/hist_event                 u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/vsync_event                u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/lineptr_event              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/idle_notify                u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_thermal_level       u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/idle_power_collapse        u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/mode                       u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/name                       u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/connected                  u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_cmd_autorefresh_en     u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/mdp/bw_mode_bitmap         u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/edid_modes                 u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/hdcp2p2(/.*)               u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/scan_info                  u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/edid_3d_modes              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_dfps_mode           u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_src_split_info      u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/hdr_stream                 u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec(/.*)                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msmfb_b10(/.*)             u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/modes                      u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/edid_raw_data              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/rotator/mdss_rotator/caps                      u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/workqueue/kgsl-events/cpumask                  u:object_r:sysfs_kgsl:s0
-/sys/devices/virtual/workqueue/kgsl-events/nice                     u:object_r:sysfs_kgsl:s0
-/sys/devices/virtual/workqueue/kgsl-workqueue/cpumask               u:object_r:sysfs_kgsl:s0
-/sys/devices/virtual/workqueue/kgsl-workqueue/nice                  u:object_r:sysfs_kgsl:s0
-/sys/class/graphics/fb([0-3])+/mdp/caps                             u:object_r:sysfs_graphics:s0
-/sys/class/graphics/fb([0-3])+/ad                                   u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[0-9a-z]+.qcom,spmi/spmi-[0-9]+/spmi[0-9]+-[0-9]+/[0-9a-z]+.qcom,spmi:qcom,pmi[0-9]+@[0-9]+:qcom,leds@[a-z0-9]+(/.*)? u:object_r:sysfs_graphics:s0
-/sys/devices/platform/soc/[a-z0-9]+.qcom,spmi/spmi-0/spmi0-0[0-9]/[a-z0-9]+.qcom,spmi:qcom,[a-z0-9]+@[0-9]:qcom,haptics@c000/leds/vibrator(/.*)?   u:object_r:sysfs_leds:s0
-/sys/devices/platform/soc/ae00000.qcom,mdss_mdp/backlight(/.*)?     u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/switch/hdmi(/.*)?                              u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_mdp/[a-z0-9]+.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)?   u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_mdp/caps           u:object_r:sysfs_graphics:s0
-/sys/devices/soc/[a-z0-9]+.qcom,mdss_mdp/bw_mode_bitmap             u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_mdp/bw_mode_bitmap             u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_cam/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_rotator/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,mdss_rotator/caps       u:object_r:sysfs_graphics:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,vidc/video4linux/video[0-33]/name(/.*)?   u:object_r:video_device:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+.qcom,cci/[a-z0-9]+.qcom,cci:qcom,camera@[0-2]/video4linux/video[0-33]/name(/.*)?   u:object_r:sysfs_graphics:s0
-/sys/bus/platform/drivers/xhci_msm_hsic(/.*)?                       u:object_r:sysfs_hsic:s0
-/sys/devices/msm_hsic_host/host_ready                               u:object_r:sysfs_hsic_host_rdy:s0
-/sys/bus/esoc(/.*)?                                                 u:object_r:sysfs_esoc:s0
-/sys/bus/msm_subsys(/.*)?                                           u:object_r:sysfs_ssr:s0
-/sys/devices(/platform)?/soc/[a-z0-9\.:]+,[a-z0-9\-]+/subsys[0-9]+/name         u:object_r:sysfs_ssr:s0
-/sys/module/ccid_bridge(/.*)?                                       u:object_r:sysfs_usb_uicc:s0
-/sys/bus/msm_subsys/devices/subsys0/restart_level                   u:object_r:sysfs_ssr_toggle:s0
-/sys/bus/msm_subsys/devices/subsys1/restart_level                   u:object_r:sysfs_ssr_toggle:s0
-/sys/bus/msm_subsys/devices/subsys2/restart_level                   u:object_r:sysfs_ssr_toggle:s0
-/sys/bus/msm_subsys/devices/subsys3/restart_level                   u:object_r:sysfs_ssr_toggle:s0
-/sys/bus/msm_subsys/devices/subsys4/restart_level                   u:object_r:sysfs_ssr_toggle:s0
-/sys/devices/soc0/.*                                                u:object_r:sysfs_socinfo:s0
-/sys/devices/soc/soc:qcom,ipa_fws@[a-f0-9]+/subsys0/name            u:object_r:sysfs_data:s0
-/sys/devices/soc/soc:hbtp/secure_touch                              u:object_r:hbtp_kernel_sysfs:s0
-/sys/devices/soc/soc:hbtp/secure_touch_enable                       u:object_r:hbtp_kernel_sysfs:s0
-/sys/devices/soc/soc:hbtp/secure_touch_userspace                    u:object_r:hbtp_kernel_sysfs:s0
-/sys/kernel/hbtp/display_pwr                                        u:object_r:hbtp_kernel_sysfs:s0
-/sys/firmware/devicetree/base/cpus(/.*)?                            u:object_r:sysfs_devices_system_cpu:s0
-/sys/devices/vendor/vendor:bt_wcn3990/extldo                        u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/vendor/vendor:bt_wcn3990/rfkill/rfkill0/state          u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bt_qca6174/extldo                                      u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bt_qca6174/rfkill/rfkill0/state                        u:object_r:sysfs_bluetooth_writable:s0
-/sys/module/diagchar(/.*)?                                          u:object_r:sysfs_diag:s0
-/sys/devices/virtual/xt_hardidletimer/timers(/.*)?                  u:object_r:sysfs_data:s0
-/sys/devices/virtual/xt_idletimer/timers(/.*)?                      u:object_r:sysfs_data:s0
-
-/sys/devices(/platform)?/soc/soc:qcom,cpubw/devfreq/soc:qcom,cpubw(/.*)? u:object_r:sysfs_devfreq:s0
-/sys/devices(/platform)?/soc/soc:qcom,gpubw/devfreq/soc:qcom,gpubw(/.*)? u:object_r:sysfs_devfreq:s0
-/sys/devices(/platform)?/soc/soc:qcom,llccbw/devfreq/soc:qcom,llccbw(/.*)? u:object_r:sysfs_devfreq:s0
-/sys/devices(/platform)?/soc/soc:qcom,l3-cpu[0-9]/devfreq/soc:qcom,l3-cpu[0-9](/.*)? u:object_r:sysfs_devfreq:s0
-/sys/devices(/platform)?/soc/[a-f0-9]+.ufshc/clkscale_enable        u:object_r:sysfs_scsi_host:s0
-/sys/devices(/platform)?/soc/[a-f0-9]+/host0/scsi_host/host0(/.*)?  u:object_r:sysfs_scsi_host:s0
-/sys/module/lpm_levels/parameters(/.*)?                             u:object_r:sysfs_lpm:s0
-/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/kgsl/kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
-/sys/devices(/platform)?/soc/[a-f0-9]+.qcom,kgsl-3d0/devfreq/[a-f0-9]+.qcom,kgsl-3d0(/.*)? u:object_r:sysfs_kgsl:s0
-
-/sys/devices(/platform)?/soc/[a-f0-9]+.sdhci/mmc_host/mmc0/clk_scaling(/.*)? u:object_r:sysfs_mmc_host:s0
-/sys/module/cpu_boost(/.*)?                                         u:object_r:sysfs_cpu_boost:s0
-/sys/module/msm_performance(/.*)?                                   u:object_r:sysfs_msm_perf:s0
-/sys/kernel/mm/ksm(/.*)?                                            u:object_r:sysfs_memory:s0
-/sys/devices/virtual/input/input[0-9]+/do_flush                   u:object_r:sysfs_laser:s0
-/sys/devices/virtual/input/input[0-9]+/enable_ps_sensor           u:object_r:sysfs_laser:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/wil6210/fst_link_loss            u:object_r:sysfs_wigig:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/wil6210/thermal_throttling       u:object_r:sysfs_wigig:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/net/wigig0/queues/rx-0/rps_cpus  u:object_r:sysfs_wigig:s0
-/sys/devices(/platform)?/soc/[a-z0-9]+\.qcom,pcie/pci[0-9:]+/[0-9:\.]+/[0-9:\.]+/net/wigig0/gro_flush_timeout     u:object_r:sysfs_wigig:s0
-/sys/module/msm_core(/.*)?                                          u:object_r:sysfs_ea:s0
-/sys/module/lpm_stats(/.*)?                                         u:object_r:sysfs_msm_stats:s0
-/sys/module/lpm_level(/.*)?                                         u:object_r:sysfs_msm_power:s0
-
-###################################
-# data files
-#
-/data/connectivity(/.*)?                                            u:object_r:cnd_data_file:s0
-/data/vendor/connectivity(/.*)?                                     u:object_r:cnd_data_file:s0
-/data/data_test(/.*)?                                               u:object_r:data_test_data_file:s0
-/data/diag_log(/.*)?                                                u:object_r:diag_data_file:s0
-/data/misc/sensors(/.*)?                                            u:object_r:sensors_data_file:s0
-/data/rfs.*                                                         u:object_r:rfs_file:s0
-/data/hlos_rfs(/.*)?                                                u:object_r:rfs_shared_hlos_file:s0
-/data/camera(/.*)?                                                  u:object_r:camera_socket:s0
-/data/vendor/misc/qti_fp(/.*)?                                      u:object_r:qfp-daemon_data_file:s0
-/data/misc/qvop(/.*)?                                               u:object_r:qvop-daemon_data_file:s0
-/data/system/sensors(/.*)?                                          u:object_r:sensors_data_file:s0
-/data/vendor/time(/.*)?                                             u:object_r:time_data_file:s0
-/data/nfc(/.*)?                                                     u:object_r:nfc_data_file:s0
-/data/vendor/perfd(/.*)?                                            u:object_r:mpctl_data_file:s0
-/data/vendor/iop(/.*)?                                                u:object_r:iop_data_file:s0
-/data/vendor/display(/.*)?                                          u:object_r:display_misc_file:s0
-/data/vendor/ipa(/.*)?                                              u:object_r:ipacm_data_file:s0
-/data/misc/qsee(/.*)?                                               u:object_r:data_qsee_file:s0
-/data/vendor/qtee(/.*)?                                             u:object_r:data_qtee_file:s0
-/data/misc/spss(/.*)?                                               u:object_r:spss_data_file:s0
-/data/vendor/location(/.*)?                                         u:object_r:location_data_file:s0
-/data/vendor/location/mq/location-mq-s                              u:object_r:location_socket:s0
-/data/vendor/location/mq/alarm_svc                                  u:object_r:location_socket:s0
-/data/FTM_AP(/.*)?                                                  u:object_r:mmi_data_file:s0
-/data/(misc|vendor)/hbtp(/.*)?                                      u:object_r:hbtp_log_file:s0
-/data/misc/qlogd(/.*)?                                              u:object_r:qlogd_data_file:s0
-/data/usf(/.*)?                                                     u:object_r:usf_data_file:s0
-/data/misc/dts(/.*)?                                                u:object_r:dts_data_file:s0
-/data/vendor/qti-logkit(/.*)?                                       u:object_r:qti_logkit_priv_data_file:s0
-/data/vendor/qti-logkit/shared-public(/.*)?                         u:object_r:qti_logkit_pub_data_file:s0
-/data/vendor/qti-logkit/logdata(/.*)?                               u:object_r:qti_logkit_pub_data_file:s0
-/data/vendor/qti-logkit/socket-privileged(/.*)?                     u:object_r:qti_logkit_priv_socket:s0
-/data/vendor/qti-logkit/socket-public(/.*)?                         u:object_r:qti_logkit_pub_socket:s0
-/data/misc/radio(/.*)?                                              u:object_r:radio_data_file:s0
-/data/vendor/radio(/.*)?                                            u:object_r:vendor_radio_data_file:s0
-/data/vendor/netmgr(/.*)?                                           u:object_r:netmgrd_data_file:s0
-/data/vendor/port_bridge(/.*)?                                      u:object_r:port_bridge_data_file:s0
-/data/misc/fm(/.*)?                                                 u:object_r:fm_data_file:s0
-/data/misc/audio_pp(/.*)?                                           u:object_r:audio_pp_data_file:s0
-/data/ramdump(/.*)?                                                 u:object_r:ssr_ramdump_data_file:s0
-/data/system/swap(/.*)?                                             u:object_r:swap_data_file:s0
-/data/vendor/wifi(/.*)?                                             u:object_r:wifi_vendor_data_file:s0
-/data/vendor/wifi/sockets(/.*)?                                     u:object_r:wifi_vendor_wpa_socket:s0
-/data/vendor/wifi/hostapd(/.*)?                                     u:object_r:wifi_vendor_hostapd_socket:s0
-/data/misc/wifi/nvbin(/.*)?                                         u:object_r:dynamic_nv_data_file:s0
-/data/vendor/wifi/wigig_sockets(/.*)?                               u:object_r:wpa_socket:s0
-/data/vendor/wifi/wigig_sockets/wpa_ctrl.*                          u:object_r:wifi_vendor_wpa_socket:s0
-/data/vendor/qdmastats(/.*)?                                        u:object_r:qdma_data_file:s0
-/data/vendor/qdma(/.*)?                                             u:object_r:qdma_data_file:s0
-/data/vendor/ramdump/bluetooth(/.*)?                                u:object_r:bluetooth_data_file:s0
-/data/vendor/ramdump/bluetooth/logs(/.*)?                           u:object_r:bluetooth_logs_data_file:s0
-/data/vendor/vpp(/.*)?                                              u:object_r:vpp_data_file:s0
-/data/vendor/camera(/.*)?                                           u:object_r:vendor_camera_data_file:s0
-/data/vendor/wifi/wigig_hostapd(/.*)?                               u:object_r:wigig_hostapd_socket:s0
-/data/vendor/media(/.*)?                                            u:object_r:media_data_file:s0
-
-###################################
-# persist files
-#
-/persist(/.*)?                                                      u:object_r:persist_file:s0
-/persist/bluetooth(/.*)?                                            u:object_r:persist_bluetooth_file:s0
-/persist/drm(/.*)?                                                  u:object_r:persist_drm_file:s0
-/persist/sensors(/.*)?                                              u:object_r:sensors_persist_file:s0
-/persist/alarm(/.*)?                                                u:object_r:persist_alarm_file:s0
-/persist/time(/.*)?                                                 u:object_r:persist_time_file:s0
-/persist/data(/.*)?                                                 u:object_r:persist_drm_file:s0
-/persist/data/tz(/.*)?                                              u:object_r:persist_drm_file:s0
-/persist/data/sfs(/.*)?                                             u:object_r:persist_drm_file:s0
-/persist/qti_fp(/.*)?                                               u:object_r:persist_qti_fp_file:s0
-/persist/usf(/.*)?                                                  u:object_r:persist_usf_file:s0
-/persist/hlos_rfs(/.*)?                                             u:object_r:rfs_shared_hlos_file:s0
-/persist/display(/.*)?                                              u:object_r:persist_display_file:s0
-/persist/rfs.*                                                      u:object_r:rfs_file:s0
-/persist/speccfg(/.*)?                                              u:object_r:regionalization_file:s0
-/persist/misc(/.*)?                                                 u:object_r:persist_misc_file:s0
-/persist/bms(/.*)?                                                  u:object_r:persist_bms_file:s0
-/persist/vpp(/.*)?                                                  u:object_r:persist_vpp_file:s0
-/persist/secnvm(/.*)?                                               u:object_r:persist_secnvm_file:s0
-
-###################################
-# etc files
-#
-/vendor/etc/hbtp/*                                                  u:object_r:hbtp_cfg_file:s0
-
-###################################
-# adsp files
-#
-/dsp(/.*)?                                                          u:object_r:adsprpcd_file:s0
-
-###################################
-# cache files
-#
-/cache/FTM_AP(/.*)?                                                 u:object_r:mmi_data_file:s0
-
-###################################
-# vendor files
-#
-/data/vendor/misc/audio(/.*)?   u:object_r:audio_data_file:s0
-/vendor/package(/.*)?                                               u:object_r:regionalization_file:s0
-/vendor/package(/.*)?/overlay(/.*)?                                 u:object_r:vendor_overlay_file:s0
-/vendor/package(/.*)?/app(/.*)?                                     u:object_r:vendor_app_file:s0
-
-# same-process HAL files and their dependencies
-#
-/vendor/lib(64)?/hw/gralloc\.msm8998\.so   u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libqdMetaData\.so         u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libqservice\.so           u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libqdutils\.so            u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libadreno_utils\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libgsl\.so                u:object_r:same_process_hal_file:s0
-
-/vendor/lib(64)?/hw/vulkan\.msm8998\.so    u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libEGL_adreno\.so         u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv1_CM_adreno\.so   u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libGLESv2_adreno\.so      u:object_r:same_process_hal_file:s0
-
-/vendor/lib(64)?/libdrmutils\.so           u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libdrm\.so                u:object_r:same_process_hal_file:s0
-
-/vendor/lib(64)?/libavenhancements\.so     u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libgrallocutils\.so       u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libExtendedExtractor.so   u:object_r:same_process_hal_file:s0
-# RenderScript dependencies.
-# To test: run cts -m CtsRenderscriptTestCases
-/vendor/lib(64)?/libRSDriver_adreno\.so     u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libCB\.so                  u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libllvm-qgl\.so            u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libbccQTI\.so              u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libllvm-qcom\.so           u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/librs_adreno\.so           u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/librs_adreno_sha1\.so      u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libqti-perfd-client\.so    u:object_r:same_process_hal_file:s0
-# perf-hal client lib (included by libqti-perfd-client.so)
-/vendor/lib(64)?/vendor\.qti\.hardware\.perf@1\.0_vendor\.so    u:object_r:same_process_hal_file:s0
-
-# libGLESv2_adreno depends on this
-/vendor/lib(64)?/libllvm-glnext\.so         u:object_r:same_process_hal_file:s0
-
-# libOpenCL and its dependencies
-/vendor/lib(64)?/libOpenCL\.so              u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libq3dtools_adreno\.so     u:object_r:same_process_hal_file:s0
-
-#Loaded by native loader (zygote) for all processes
-/vendor/lib(64)?/libhalide_hexagon_host\.so u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libadsprpc\.so             u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libcdsprpc\.so             u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libsdsprpc\.so             u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/libdiag\.so                u:object_r:same_process_hal_file:s0
-
-###################################
-# firmware images
-#
-/vendor/firmware(/.*)?                                              u:object_r:firmware_file:s0
-/system/etc/firmware(/.*)?                                          u:object_r:firmware_file:s0
-/system/vendor/firmware(/.*)?                                       u:object_r:firmware_file:s0
-/firmware/image(/.*)?                                               u:object_r:firmware_file:s0

common/fingerprintd.te

@@ -1,30 +0,0 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#==========================fingerprintd================================
-allow fingerprintd iqfp_service:service_manager find;
-binder_call(fingerprintd, qfp-daemon);

common/fstman.te

@@ -1,71 +0,0 @@
-# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type fstman, domain;
-type fstman_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(fstman)
-net_domain(fstman)
-
-# fstman requires special network privileges.
-# access traffic control (TC) for marking packets to identify from
-# which slave interface they arrive, drop multicast packets and
-# duplicate packets. This requires the net_raw capability.
-# network admin operations mainly on the bonding driver:
-# interface up/down, add/remove slave interfaces, set queue parameters
-# This requires the net_admin capability.
-allow fstman self:capability { net_admin net_raw };
-
-# netlink socket is used to access traffic control (TC)
-allow fstman self:netlink_route_socket nlmsg_write;
-
-# allow privileged socket operations: interface up/down, bond interface management
-allowxperm fstman self:udp_socket ioctl { SIOCGIFFLAGS SIOCSIFFLAGS SIOCSIFTXQLEN SIOCBONDENSLAVE SIOCBONDRELEASE SIOCETHTOOL};
-
-# need access to bond0 sysfs in order to manage attached interfaces
-allow fstman sysfs_bond0:file rw_file_perms;
-
-# need access to wigig sysfs in order to control fst_link_loss
-allow fstman sysfs_wigig:file rw_file_perms;
-
-# create/read fstman configuration file (/data/vendor/wifi/fstman.ini)
-r_dir_file(fstman, wifi_vendor_data_file)
-allow fstman wifi_vendor_data_file:dir rw_dir_perms;
-allow fstman wifi_vendor_data_file:file create_file_perms;
-
-# fstman needs to communicate with wpa_supplicant and hostapd using socket
-# for managing FST state
-allow fstman { hal_wifi_supplicant hostapd }:unix_dgram_socket sendto;
-# supplicant interface sockets
-allow fstman wifi_vendor_wpa_socket:dir rw_dir_perms;
-allow fstman wifi_vendor_wpa_socket:sock_file create_file_perms;
-# supplicant global socket
-allow fstman wpa_socket:dir rw_dir_perms;
-allow fstman wpa_socket:sock_file create_file_perms;
-# hostapd global socket
-allow fstman wifi_vendor_hostapd_socket:dir rw_dir_perms;
-allow fstman wifi_vendor_hostapd_socket:sock_file create_file_perms;

common/genfs_contexts

@@ -1,7 +0,0 @@
-genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
-genfscon proc /sys/vm/dirty_ratio  u:object_r:proc_dirty_ratio:s0
-genfscon sysfs /module/msm_performance/workload_modes u:object_r:sysfs_msm_perf:s0
-genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq/soc:qcom,cpubw/bw_hwmon u:object_r:sysfs_devfreq:s0
-genfscon debugfs /kgsl/proc u:object_r:qti_debugfs:s0
-genfscon sysfs /kernel/wcd_cpe0 u:object_r:sysfs_audio:s0
-genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0

common/hal_audio.te

@@ -1,56 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-# Allow hal_audio to read soundcard state under /proc/asound
-allow hal_audio proc_audiod:file r_file_perms;
-
-allow hal_audio_default audio_data_file:dir rw_dir_perms;
-allow hal_audio_default audio_data_file:file create_file_perms;
-
-# Allow hal_audio_default to read sysfs_thermal dir/files for speaker protection
-r_dir_file(hal_audio_default, sysfs_thermal)
-
-userdebug_or_eng(`
-  diag_use(hal_audio)
-  #Allow access to debug fs
-  allow hal_audio_default debugfs:dir r_dir_perms;
-  allow hal_audio_default qti_debugfs:dir r_dir_perms;
-  allow hal_audio_default qti_debugfs:file rw_file_perms;
-')
-
-#Allow access to firmware
-allow hal_audio firmware_file:dir r_dir_perms;
-allow hal_audio firmware_file:file r_file_perms;
-#Split A2dp specific
-binder_call(hal_audio,bluetooth)
-
-#for perf hal call
-hal_client_domain(hal_audio_default, hal_perf)
-#allow acess to wcd_cpe
-allow hal_audio sysfs_audio:file rw_file_perms;
-allow hal_audio sysfs_audio:dir r_dir_perms ;

common/hal_bluetooth.te

@@ -1,30 +0,0 @@
-# Copyright (c) 2017 The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-allow hal_bluetooth {
-    smd_device
-}:chr_file rw_file_perms;

common/hal_bootctl.te

@@ -1,62 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# These are the permissions required to use the boot_control HAL implemented
-# here: hardware/qcom/bootctrl/boot_control.c
-
-# Getting and setting GPT attributes for the bootloader iterates over all the
-# partition names in the block_device directory /dev/block/.../by-name
-allow hal_bootctl block_device:dir { open read search };
-
-# Allow boot_control_hal to get attributes on all the A/B partitions.
-allow hal_bootctl {
-  custom_ab_block_device
-  xbl_block_device
-  boot_block_device
-  ssd_device
-  modem_block_device
-  system_block_device
-  mdtp_device
-}:blk_file { getattr };
-
-# Allow the boot_control_hal to edit the attributes stored in the GPT.
-allow hal_bootctl gpt_block_device:blk_file rw_file_perms;
-allow hal_bootctl root_block_device:blk_file rw_file_perms;
-
-# Allow boot_control_hal to access /dev/sgN devices (generic SCSI) to write the
-# A/B slot selection for the XBL partition. Allow also to issue a
-# UFS_IOCTL_QUERY ioctl.
-allow hal_bootctl sg_device:chr_file rw_file_perms;
-allow hal_bootctl sysfs:dir r_dir_perms;
-
-# The sys_rawio denial message is benign, and shows up due to a capability()
-# call made by the scsi driver to check for CAP_SYS_RAWIO. Not having this
-# does not result in a error
-dontaudit hal_bootctl self:capability sys_rawio;
-
-# Allow boot_control_hal to write to the XBL devices.
-allow hal_bootctl xbl_block_device:blk_file rw_file_perms;

common/hal_camera.te

@@ -1,70 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-allow hal_camera qdisplay_service:service_manager find;
-#allow hal_camera surfaceflinger_service:service_manager find;
-# added now for camera functionality. This should be using HIDL
-#userdebug_or_eng(`
-#binder_use(hal_camera)
-#')
-binder_call(hal_camera, surfaceflinger)
-set_prop(hal_camera, camera_prop)
-allow hal_camera gpu_device:chr_file rw_file_perms;
-allow hal_camera sysfs:file r_file_perms;
-
-#changes to access laser device
-allow hal_camera input_device:chr_file r_file_perms;
-r_dir_file(hal_camera, input_device);
-allow hal_camera sysfs_laser:file w_file_perms;
-r_dir_file(hal_camera, sysfs_laser);
-
-vndbinder_use(hal_camera);
-hal_client_domain(hal_camera_default, hal_perf)
-
-#needed for full_treble
-binder_call(hal_camera, hal_graphics_composer_default)
-allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
-
-allow hal_camera persist_file:dir r_dir_perms;
-r_dir_file(hal_camera, sensors_persist_file);
-r_dir_file(hal_camera_default, sysfs_graphics)
-#allow hal_camera to access Isensormanager
-allow hal_camera fwk_sensor_hwservice:hwservice_manager find;
-binder_call(hal_camera, system_server)
-
-# from sensors team
-
-allow hal_camera self:socket create_socket_perms;
-allowxperm hal_camera self:socket ioctl msm_sock_ipc_ioctls;
-
-allow hal_camera_default sysfs_data:file read;
-allow hal_camera sysfs_data:file r_file_perms;
-
-allow hal_camera vendor_camera_data_file:dir w_dir_perms;
-allow hal_camera vendor_camera_data_file:sock_file write;
-unix_socket_send(hal_camera, camera, mm-qcamerad)
-unix_socket_connect(hal_camera, thermal, thermal-engine)

common/hal_display_color.te

@@ -1,51 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Define domain
-type hal_display_color_default, domain;
-hal_server_domain(hal_display_color_default, hal_display_color)
-type hal_display_color_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_display_color_default)
-
-# Allow hwbinder call from hal client to server
-binder_call(hal_display_color_client, hal_display_color_server)
-
-# Add hwservice related rules
-add_hwservice(hal_display_color_server, hal_display_color_hwservice)
-allow hal_display_color_client hal_display_color_hwservice:hwservice_manager find;
-
-# Rule for vndbinder usage
-allow hal_display_color qdisplay_service:service_manager find;
-vndbinder_use(hal_display_color);
-binder_call(hal_display_color, hal_graphics_composer)
-
-# Rule for pps socket usage
-unix_socket_connect(hal_display_color, pps, mm-pp-daemon)
-
-#Add rules for postproc hal
-add_hwservice(hal_display_color_server, hal_display_postproc_hwservice)
-allow hal_display_postproc_client hal_display_postproc_hwservice:hwservice_manager find;

common/hal_graphics_composer.te

@@ -1,89 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# This should be using hw binder. Added now for smoother UI
-#userdebug_or_eng(`
-#binder_use(hal_graphics_composer)
-#')
-
-userdebug_or_eng(`
-    diag_use(hal_graphics_composer)
-')
-allow hal_graphics_composer sdm_idle_time_prop:file r_file_perms;
-allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow hal_graphics_composer sysfs_graphics:dir r_dir_perms;
-allow hal_graphics_composer sysfs_graphics:file rw_file_perms;
-
-# Rules for brightness change during display calibration
-allow hal_graphics_composer sysfs_leds:dir r_dir_perms;
-allow hal_graphics_composer sysfs_leds:file rw_file_perms;
-allow hal_graphics_composer sysfs_leds:lnk_file read;
-
-# Rules for vdnbinder
-allow hal_graphics_composer_default qdisplay_service:service_manager { add find };
-#binder_service(hal_graphics_composer_default);
-vndbinder_use(hal_graphics_composer_default);
-
-# Allow video node access
-allow hal_graphics_composer video_device:chr_file rw_file_perms;
-allow hal_graphics_composer video_device:dir r_dir_perms;
-
-# Allow reading/writing to '/data/vendor/display/*'
-allow hal_graphics_composer display_misc_file:dir create_dir_perms;
-allow hal_graphics_composer display_misc_file:file create_file_perms;
-
-# Allow reading/writing to 'persist/display/*'
-allow hal_graphics_composer persist_display_file:dir rw_dir_perms;
-allow hal_graphics_composer persist_display_file:file create_file_perms;
-
-# Allow only directory search to '/persist'
-allow hal_graphics_composer persist_file:dir r_dir_perms;
-
-# Allow dir search in '/oem'
-allow hal_graphics_composer oemfs:dir r_dir_perms;
-
-# Allow pps socket access
-#unix_socket_connect(hal_graphics_composer, pps, mm-pp-daemon)
-
-# TBD: remove when dependency on libpowermanager is removed
-#allow hal_graphics_composer power_service:service_manager find;
-
-# allow composer client to find display config service.
-allow hal_display_config_client hal_display_config_hwservice:hwservice_manager find;
-
-# allow composer to register display config
-add_hwservice(hal_graphics_composer_server, hal_display_config_hwservice);
-
-# Allow hwbinder call from hal client to server
-binder_call(hal_display_config_client, hal_display_config_server)
-
-# Allow composer access to perf
-hal_client_domain(hal_graphics_composer_default, hal_perf)
-
-# Access /dev/graphics/fb0.
-allow hal_graphics_composer graphics_device:chr_file rw_file_perms;
-allow hal_graphics_composer graphics_device:dir r_dir_perms;

common/hal_memtrack.te

@@ -1,32 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# # Redistribution and use in source and binary forms, with or without
-# # modification, are permitted provided that the following conditions are
-# # met:
-# #    * Redistributions of source code must retain the above copyright
-# #      notice, this list of conditions and the following disclaimer.
-# #    * Redistributions in binary form must reproduce the above
-# #      copyright notice, this list of conditions and the following
-# #      disclaimer in the documentation and/or other materials provided
-# #      with the distribution.
-# #    * Neither the name of The Linux Foundation nor the names of its
-# #      contributors may be used to endorse or promote products derived
-# #      from this software without specific prior written permission.
-# #
-# # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# # ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#debugfs access to audio
-userdebug_or_eng(`
-allow hal_memtrack_default qti_debugfs:dir r_dir_perms;
-allow hal_memtrack_default qti_debugfs:file rw_file_perms;
-')

common/hal_nfc.te

@@ -1,33 +0,0 @@
-#Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Set NFC properties
-set_prop(hal_nfc, nfc_nq_prop)
-
-#Allow access to firmware
-allow hal_nfc firmware_file:dir r_dir_perms;
-allow hal_nfc firmware_file:file r_file_perms;

common/hal_perf_default.te

@@ -1,86 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type hal_perf_default, domain;
-hal_server_domain_bypass(hal_perf_default, hal_perf)
-
-type hal_perf_default_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hal_perf_default)
-
-# Allow hwbinder call from hal client to server
-binder_call(hal_perf_client, hal_perf_server)
-
-# Add hwservice related rules
-add_hwservice(hal_perf_server, hal_perf_hwservice)
-allow hal_perf_client hal_perf_hwservice:hwservice_manager find;
-
-allow hal_perf cgroup:file r_file_perms;
-allow hal_perf_default proc:file rw_file_perms;
-allow hal_perf device_latency:chr_file rw_file_perms;
-allow hal_perf freq_prop:file r_file_perms;
-allow hal_perf_default mpctl_data_file:dir rw_dir_perms;
-allow hal_perf_default mpctl_data_file:file create_file_perms;
-
-allow hal_perf {
-    sysfs_devices_system_cpu
-    sysfs_mpdecision
-    cpuctl_device
-    sysfs_devfreq
-    sysfs_mmc_host
-    sysfs_scsi_host
-    sysfs_kgsl
-    sysfs_cpu_boost
-    sysfs_msm_perf
-    sysfs_memory
-    sysfs_graphics
-    sysfs
-    sysfs_lpm
-    sysfs_battery_supply
-}:dir r_dir_perms;
-
-allow hal_perf {
-    sysfs_devices_system_cpu
-    sysfs_mpdecision
-    cpuctl_device
-    sysfs_kgsl
-    sysfs_cpu_boost
-    sysfs_msm_perf
-    sysfs_memory
-    sysfs_graphics
-    sysfs_scsi_host
-    sysfs_devfreq
-    sysfs_mmc_host
-    sysfs_lpm
-    sysfs_battery_supply
-}:file rw_file_perms;
-
-allow hal_perf {
-    sysfs_devfreq
-    sysfs_mmc_host
-    sysfs_scsi_host
-    sysfs_kgsl
-}:lnk_file r_file_perms;

common/hal_power.te

@@ -1,31 +0,0 @@
-# Copyright (c) 2017 The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-hal_client_domain(hal_power_default, hal_perf)
-allow hal_power {
-    hbtp_kernel_sysfs
-}:file rw_file_perms;

common/hal_qteeconnector_qti.te

@@ -1,64 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#define the type
-type hal_qteeconnector_qti, domain;
-
-#mark the type as hal_server_domain
-hal_server_domain(hal_qteeconnector_qti, hal_qteeconnector)
-
-#allow the service to be started by init
-type hal_qteeconnector_qti_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(hal_qteeconnector_qti)
-
-#allow the service to be added to hwservice list
-add_hwservice(hal_qteeconnector_qti, hal_qteeconnector_hwservice)
-
-#allow access to hal_allocator
-hal_client_domain(hal_qteeconnector_qti, hal_allocator)
-
-#allow access to ion device
-allow hal_qteeconnector ion_device:chr_file rw_file_perms;
-
-#Allow access to tee device
-allow hal_qteeconnector_qti tee_device:chr_file rw_file_perms;
-
-#Allow access to firmware
-allow hal_qteeconnector firmware_file:dir r_dir_perms;
-allow hal_qteeconnector firmware_file:file r_file_perms;
-
-#Allow access to session files
-allow hal_qteeconnector data_qtee_file:dir create_dir_perms;
-allow hal_qteeconnector data_qtee_file:file create_file_perms;
-
-#Allow access to qp_reqcancel socket
-allow hal_qteeconnector tee:unix_dgram_socket sendto;
-
-#Allow hal_qteeconnector client domain apps to find hwservice
-binder_call(hal_qteeconnector_client, hal_qteeconnector_server)
-binder_call(hal_qteeconnector_server, hal_qteeconnector_client)
-allow hal_qteeconnector_client hal_qteeconnector_hwservice:hwservice_manager find;

common/hal_rcsservice.te

@@ -1,53 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type hal_rcsservice, domain;
-type hal_rcsservice_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(hal_rcsservice)
-net_domain(hal_rcsservice)
-
-# use hwBinder for imsrcsd
-hwbinder_use(hal_rcsservice)
-# add IUceSerive Hidl interface
-add_hwservice(hal_rcsservice, hal_imsrcsd_hwservice)
-get_prop(hal_rcsservice, hwservicemanager_prop)
-
-# allow read datad property
-get_prop(hal_rcsservice, qcom_ims_prop)
-# allow imsrcsd to connect to imsdatad over socket
-unix_socket_connect(hal_rcsservice, ims, ims)
-
-#diag
-userdebug_or_eng(`
-  diag_use(hal_rcsservice)
-')
-
-allow hal_rcsservice sysfs_data:file r_file_perms;
-binder_call(hal_rcsservice, dataservice_app)
-get_prop(hal_rcsservice, persist_dpm_prop)

common/hal_sensors.te

@@ -1,39 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-
-userdebug_or_eng(`
-    diag_use(hal_sensors)
-')
-allow hal_sensors persist_file:dir r_dir_perms;
-allow hal_sensors self:socket create_socket_perms;
-allowxperm hal_sensors self:socket ioctl msm_sock_ipc_ioctls;
-allow hal_sensors sysfs_socinfo:file r_file_perms;
-
-allow hal_sensors sensors_persist_file:dir create_dir_perms;
-allow hal_sensors sensors_persist_file:file create_file_perms;
-allow hal_sensors sysfs_data:file r_file_perms;

common/hal_thermal_default.te

@@ -1,29 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# access to /proc/stat
-allow hal_thermal  proc_stat:file r_file_perms;

common/hal_voiceprint.te

@@ -1,44 +0,0 @@
-# Copyright (c) 2017 The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# IPC
-binder_call(hal_voiceprint_client, hal_voiceprint_server)
-binder_call(hal_voiceprint_server, hal_voiceprint_client)
-
-add_hwservice(hal_voiceprint_server, hal_voiceprint_hwservice)
-allow hal_voiceprint_client hal_voiceprint_hwservice:hwservice_manager find;
-
-# read dir
-allow hal_voiceprint qvop-daemon_data_file: file create_file_perms;
-
-# r/w/u contents
-allow hal_voiceprint qvop-daemon_data_file: dir rw_dir_perms;
-
-# memory alloc
-allow hal_voiceprint ion_device:chr_file r_file_perms;
-
-r_dir_file(hal_voiceprint, cgroup)

common/hal_wifi.te

@@ -1,35 +0,0 @@
-#Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-#
-
-allow hal_wifi wlan_device:chr_file rw_file_perms;
-allow hal_wifi self:capability sys_module;
-allow hal_wifi kernel:key search;
-allow hal_wifi vendor_file:system module_load;
-not_full_treble(`allow hal_wifi system_file:system module_load';)
-allow hal_wifi proc_modules:file r_file_perms;

common/hbtp.te

@@ -1,52 +0,0 @@
-# Policies for hbtp (host based touch processing)
-type hbtp, domain;
-type hbtp_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hbtp)
-hal_server_domain(hbtp, hal_hbtp)
-# Allow access for /dev/hbtp_input and /dev/jdi-bu21150
-allow hbtp { hbtp_device qdsp_device dsp_device bu21150_device }:chr_file rw_file_perms;
-
-allow hbtp hbtp_log_file:dir rw_dir_perms;
-allow hbtp hbtp_log_file:file create_file_perms;
-
-allow hbtp hbtp_cfg_file:dir r_dir_perms;
-allow hbtp hbtp_cfg_file:file r_file_perms;
-
-allow hbtp firmware_file:dir r_dir_perms;
-allow hbtp firmware_file:file r_file_perms;
-
-allow hbtp sysfs_usb_supply:file r_file_perms;
-allow hbtp sysfs_usb_supply:dir r_dir_perms;
-
-allow hbtp hbtp_kernel_sysfs:file rw_file_perms;
-
-allow hbtp sysfs_graphics:file r_file_perms;
-allow hbtp sysfs_graphics:dir r_dir_perms;
-
-allow hbtp sysfs_battery_supply:file r_file_perms;
-allow hbtp sysfs_battery_supply:dir r_dir_perms;
-
-allow hbtp ion_device:chr_file r_file_perms;
-
-allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
-
-# Allow the service to access wakelock sysfs
-allow hbtp sysfs_wake_lock:file r_file_perms;
-
-# Allow the service to change to system from root
-allow hbtp self:capability { setgid setuid };
-
-# Allow load touch driver as touchPD
-r_dir_file(hbtp, adsprpcd_file)
-
-# Allow the service to access wakelock capability
-wakelock_use(hbtp)
-
-# Allow hwbinder call from hal client to server and vice-versa
-binder_call(hal_hbtp_client, hal_hbtp_server)
-binder_call(hal_hbtp_server, hal_hbtp_client)
-
-# Allow hwservice related rules
-add_hwservice(hal_hbtp_server, hal_hbtp_hwservice)
-allow hal_hbtp_client hal_hbtp_hwservice:hwservice_manager find;
-hal_client_domain(hbtp, hal_allocator);

common/healthd.te

@@ -1,14 +0,0 @@
-r_dir_file(healthd, sysfs_battery_supply)
-r_dir_file(healthd, sysfs_usb_supply)
-r_dir_file(healthd, sysfs_thermal);
-r_dir_file(healthd, persist_file);
-
-#allow healthd read rtc device file
-allow healthd rtc_device:chr_file r_file_perms;
-allow healthd persist_bms_file:dir rw_dir_perms;
-allow healthd persist_bms_file:file create_file_perms;
-
-allow healthd {
-    sysfs_battery_supply
-    sysfs_usb_supply
-}:file rw_file_perms;

common/hostapd.te

@@ -1,59 +0,0 @@
-# Copyright (c) 2015,2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow hostapd_cli to work. hostapd_cli creates a socket in
-# /data/misc/wifi/sockets which hostapd communicates with.
-userdebug_or_eng(`
-  unix_socket_send(hostapd, wifi_vendor_wpa, su)
-')
-
-binder_call(hostapd, cnd)
-unix_socket_connect(hostapd, cnd, cnd)
-unix_socket_send(hostapd, cnd, cnd)
-allow hostapd cnd:{
-          fifo_file
-          netlink_route_socket
-          netlink_tcpdiag_socket
-          unix_stream_socket} { read write };
-allow hostapd cnd:fifo_file r_file_perms;
-allow hostapd smem_log_device:chr_file rw_file_perms;
-allow hostapd fstman:unix_dgram_socket sendto;
-allow hostapd wifi_vendor_data_file:dir w_dir_perms;
-allow hostapd wifi_vendor_data_file:file create_file_perms;
-allow hostapd wifi_vendor_hostapd_socket:dir w_dir_perms;
-allow hostapd wifi_vendor_hostapd_socket:sock_file create_file_perms;
-# wigig_hostapd has its own directory for sockets,
-# in order to prevent conflicts with wifi hostapd
-# allow wigig_hostapd to create the directory holding its control socket
-allow hostapd wigig_hostapd_socket:dir create_dir_perms;
-# wigig_hostapd needs to create, bind to, read and write its control socket
-allow hostapd wigig_hostapd_socket:sock_file create_file_perms;
-# allow wigig_hostapd to send replies to wigighalsvc
-allow hostapd wigighalsvc:unix_dgram_socket sendto;
-# allow hostapd to attach to fstman socket
-allow hostapd wpa_socket:dir r_dir_perms;
-allow hostapd wpa_socket:sock_file rw_file_perms;

common/hvdcp.te

@@ -1,30 +0,0 @@
-# HVDVP quickcharge
-type hvdcp, domain;
-type hvdcp_exec, exec_type, vendor_file_type, file_type;
-
-# Make transition to its own HVDCP domain from init
-init_daemon_domain(hvdcp)
-
-# Add rules for access permissions
-allow hvdcp hvdcp_device:chr_file rw_file_perms;
-allow hvdcp {
-    sysfs_battery_supply
-    sysfs_usb_supply
-    sysfs_usbpd_device
-}:dir r_dir_perms;
-
-allow hvdcp {
-    sysfs_battery_supply
-    sysfs_usb_supply
-    sysfs_usbpd_device
-}:file rw_file_perms;
-
-allow hvdcp self:capability { setgid setuid };
-allow hvdcp self:capability2 wake_alarm;
-allow hvdcp kmsg_device:chr_file rw_file_perms;
-allow hvdcp cgroup:dir { create add_name };
-allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow hvdcp sysfs_battery_supply:file setattr;
-allow hvdcp sysfs_usb_supply:file setattr;
-allow hvdcp sysfs_usbpd_device:file setattr;
-wakelock_use(hvdcp)

common/hwservice.te

@@ -1,45 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type hal_display_color_hwservice, hwservice_manager_type;
-type hal_display_config_hwservice, hwservice_manager_type;
-type hal_display_postproc_hwservice, hwservice_manager_type;
-type hal_hbtp_hwservice, hwservice_manager_type;
-type hal_dpmqmi_hwservice, hwservice_manager_type;
-type hal_imsrtp_hwservice, hwservice_manager_type;
-type hal_perf_hwservice, hwservice_manager_type, untrusted_app_visible_hwservice;
-type wifidisplayhalservice_hwservice, hwservice_manager_type;
-type hal_iop_hwservice, hwservice_manager_type;
-type hal_alarm_qti_hwservice, hwservice_manager_type;
-type hal_cne_hwservice, hwservice_manager_type;
-type hal_imsrcsd_hwservice, hwservice_manager_type;
-type hal_ipacm_hwservice, hwservice_manager_type;
-type hal_vpp_hwservice, hwservice_manager_type;
-type hal_wigig_hwservice, hwservice_manager_type;
-type hal_qteeconnector_hwservice, hwservice_manager_type;
-type hal_esepowermanager_hwservice, hwservice_manager_type;
-type hal_voiceprint_hwservice, hwservice_manager_type;

common/hwservice_contexts

@@ -1,68 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-vendor.qti.hardware.fingerprint::IQtiExtendedFingerprint     u:object_r:hal_fingerprint_hwservice:s0
-vendor.qti.hardware.radio.am::IQcRilAudio                    u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.config::IConfig                    u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.ims::IImsRadio                     u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.qcrilhook::IQtiOemHook             u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.qtiradio::IQtiRadio                u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.lpa::IUimLpa                       u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.uim_remote_client::IUimRemoteServiceClient    u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.uim_remote_server::IUimRemoteServiceServer    u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.uim::IUim                          u:object_r:hal_telephony_hwservice:s0
-vendor.qti.hardware.radio.atcmdfwd::IAtCmdFwd                u:object_r:hal_atfwd_hwservice:s0
-vendor.display.color::IDisplayColor                          u:object_r:hal_display_color_hwservice:s0
-vendor.display.config::IDisplayConfig                        u:object_r:hal_display_config_hwservice:s0
-vendor.display.postproc::IDisplayPostproc                    u:object_r:hal_display_postproc_hwservice:s0
-vendor.qti.gnss::ILocHidlGnss                                u:object_r:hal_gnss_hwservice:s0
-vendor.nxp.hardware.nfc::INqNfc                              u:object_r:hal_nfc_hwservice:s0
-vendor.qti.hardware.improvetouch.touchcompanion::ITouchCompanion       u:object_r:hal_hbtp_hwservice:s0
-vendor.qti.hardware.improvetouch.gesturemanager::IGestureManager       u:object_r:hal_hbtp_hwservice:s0
-vendor.qti.hardware.improvetouch.blobmanager::IBlobManager             u:object_r:hal_hbtp_hwservice:s0
-com.qualcomm.qti.dpm.api::IdpmQmi                            u:object_r:hal_dpmqmi_hwservice:s0
-vendor.qti.imsrtpservice::IRTPService                        u:object_r:hal_imsrtp_hwservice:s0
-com.qualcomm.qti.bluetooth_audio::IBluetoothAudio            u:object_r:hal_audio_hwservice:s0
-com.qualcomm.qti.ant::IAntHci                                u:object_r:hal_bluetooth_hwservice:s0
-vendor.qti.hardware.fm::IFmHci                               u:object_r:hal_bluetooth_hwservice:s0
-vendor.qti.hardware.perf::IPerf                              u:object_r:hal_perf_hwservice:s0
-com.qualcomm.qti.wifidisplayhal::IHDCPSession                u:object_r:wifidisplayhalservice_hwservice:s0
-vendor.qti.hardware.iop::IIop                                u:object_r:hal_iop_hwservice:s0
-com.qualcomm.qti.wifidisplayhal::IDSManager                  u:object_r:wifidisplayhalservice_hwservice:s0
-vendor.qti.hardware.alarm::IAlarm                            u:object_r:hal_alarm_qti_hwservice:s0
-android.hardware.tetheroffload.config::IOffloadConfig        u:object_r:hal_ipacm_hwservice:s0
-android.hardware.tetheroffload.control::IOffloadControl      u:object_r:hal_ipacm_hwservice:s0
-com.qualcomm.qti.uceservice::IUceService                     u:object_r:hal_imsrcsd_hwservice:s0
-com.qualcomm.qti.imscmservice::IImsCmService                 u:object_r:hal_imsrcsd_hwservice:s0
-com.quicinc.cne.api::IApiService                             u:object_r:hal_cne_hwservice:s0
-com.quicinc.cne.server::IServer                              u:object_r:hal_cne_hwservice:s0
-vendor.qti.hardware.vpp::IHidlVppService                     u:object_r:hal_vpp_hwservice:s0
-vendor.qti.hardware.wigig.supptunnel::ISuppTunnelProvider    u:object_r:hal_wigig_hwservice:s0
-vendor.qti.hardware.qteeconnector::IAppConnector             u:object_r:hal_qteeconnector_hwservice:s0
-vendor.qti.hardware.qteeconnector::IGPAppConnector           u:object_r:hal_qteeconnector_hwservice:s0
-vendor.qti.esepowermanager::IEsePowerManager                 u:object_r:hal_esepowermanager_hwservice:s0
-vendor.qti.voiceprint::IQtiVoicePrintService                 u:object_r:hal_voiceprint_hwservice:s0

common/ims.te

@@ -1,70 +0,0 @@
-#integrated sensor process
-type ims, domain;
-type ims_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(ims)
-net_domain(ims)
-
-# Talk to qmuxd
-qmux_socket(ims)
-
-allow ims self:capability net_bind_service;
-
-# Use generic netlink socket
-allow ims self:{
-    netlink_socket
-    socket
-    netlink_generic_socket
-} create_socket_perms_no_ioctl;
-
-# To run NDC command
-allow ims {
-    vendor_shell_exec
-    system_file
-    # IMS route installation
-    wcnss_service_exec
-    # for WPA supplicant comment to remove compilation issue
-    #wpa_exec
-}:file rx_file_perms;
-
-# Talk to netd via netd_socket
-unix_socket_connect(ims, netd, netd)
-
-# Talk to qumuxd via ims_socket
-unix_socket_connect(ims, ims, qmuxd)
-
-set_prop(ims, qcom_ims_prop)
-
-# permissions needed for IMS to connect and interact with WPA supplicant
-# comment to remove compilation
-#unix_socket_send(ims, wpa, wpa)
-allow ims wpa_socket:dir w_dir_perms;
-allow ims wpa_socket:sock_file { create unlink setattr };
-allow ims wifi_data_file:dir r_dir_perms;
-
-# permissions for communication with CNE in LBO use case
-unix_socket_connect(ims, cnd, cnd)
-
-#Allow access to netmgrd socket
-netmgr_socket(ims);
-
-# Inherit and use open files from radio.
-allow ims radio:fd use;
-
-#diag
-userdebug_or_eng(`
-    diag_use(ims)
-')
-allow ims self:{ socket udp_socket } ioctl;
-# ioctlcmd=c302
-allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
-# ioctlcmd=89fd
-allowxperm ims self:udp_socket ioctl priv_sock_ioctls;
-allow ims sysfs:file r_file_perms;
-allow ims sysfs_data:file r_file_perms;
-hwbinder_use(ims)
-get_prop(ims, hwservicemanager_prop)
-get_prop(ims, qcom_ims_prop)
-allow ims hal_cne_hwservice:hwservice_manager find;
-binder_call(ims, cnd)

common/init.te

@@ -1,52 +0,0 @@
-# Adding allow rule for search on /fuse
-allow init fuse:dir { search mounton };
-allow init self:capability sys_module;
-allow init {
-    adsprpcd_file
-    cache_file
-    persist_file
-    storage_file
-}:dir mounton;
-allow init kmsg_device:chr_file write;
-
-#Allow triggering IPA FWs loading
-allow init ipa_dev:chr_file write;
-
-#For insmod to search module key for signature verification
-allow init kernel:key search;
-
-#For sdcard
-allow init tmpfs:lnk_file create_file_perms;
-
-#Certain domains needs LD_PRELOAD passed from init
-#allow it for most domain. Do not honor LD_PRELOAD
-#for lmkd
-#allow init { domain -lmkd }:process noatsecure;
-
-#For configfs file permission
-allow init configfs:dir r_dir_perms;
-allow init configfs:file { rw_file_perms link };
-allow init configfs:lnk_file create_file_perms;
-
-#Allow init to mount non-hlos partitions in A/B builds
-allow init firmware_file:dir { mounton };
-allow init bt_firmware_file:dir { mounton };
-
-#dontaudit non configfs usb denials
-dontaudit init sysfs:dir write;
-
-#load /vendor/lib/modules/qca_cld3/qca_cld3_wlan.ko
-#load /vendor/lib/modules/wil6210.ko
-allow init vendor_file:system module_load;
-
-#Needed for restorecon. Init already has these permissions
-#for generic block devices, but is unable to access those
-#which have a custom lable added by us.
-allow init {
-    custom_ab_block_device
-    boot_block_device
-    xbl_block_device
-    ssd_device
-    modem_block_device
-    mdtp_device
-}:{ blk_file lnk_file } relabelto;

common/init_shell.te

@@ -1,240 +0,0 @@
-# Restricted domain for shell processes spawned by init.
-# Normally these are shell commands or scripts invoked via sh
-# from an init*.rc file.  No service should ever run in this domain.
-type qti_init_shell, domain;
-type qti_init_shell_exec, exec_type, vendor_file_type,file_type;
-
-init_daemon_domain(qti_init_shell)
-
-domain_auto_trans(init, vendor_shell_exec, qti_init_shell)
-
-# For executing init shell scripts (init.qcom.early_boot.sh)
-allow qti_init_shell qti_init_shell_exec:file { rx_file_perms entrypoint };
-#execute init scripts
-allow qti_init_shell vendor_shell_exec:file {rx_file_perms entrypoint };
-allow qti_init_shell vendor_toolbox_exec:file  rx_file_perms;
-
-# For getting idle_time value
-# this is needed for dynamic_fps and bw_mode_bitmap
-allow qti_init_shell sysfs_graphics:file {rw_file_perms setattr};
-allow qti_init_shell sysfs:file setattr;
-
-allow qti_init_shell persist_file:dir w_dir_perms;
-allow qti_init_shell persist_file:file create_file_perms;
-allow qti_init_shell smd_device:chr_file rw_file_perms;
-
-# Run helpers from / or /system without changing domain.
-allow qti_init_shell { system_file rootfs vendor_shell_exec }:file execute_no_trans;
-
-# For accessing fmradio device node
-allow qti_init_shell fm_radio_device:chr_file r_file_perms;
-
-#give permission to read/write fm dir for calibration file
-allow qti_init_shell fm_data_file: dir rw_dir_perms;
-
-#allow shell to access /dev/vm_bms
-allow qti_init_shell vm_bms_device:chr_file getattr;
-
-# create/open, read/write permission for fm calibration file.
-allow qti_init_shell fm_data_file: file create_file_perms;
-
-allow qti_init_shell gpu_device:chr_file getattr;
-
-# for insmod of iris ko, this is needed.
-# dac_read/override is needed for scripts to do chown/mkdir which is
-# needed by most of the services
-# fowner and fsetid are needed for chmod display nodes.
-allow qti_init_shell self:capability {
-    sys_module
-    net_admin
-    chown
-    fowner
-    fsetid
-    dac_override
-    dac_read_search
-    sys_admin
-};
-
-# For  property starting with hw
-# freq_prop - for setting frequency from postboot script
-# perfd_prop - for setting ctl.perfd property from postboot script
-# mpdecision_prop - for setting ctl.mpdecision property from postboot script
-# bluetooth_prop - for setting bt related properties from postboot script
-# uicc_prop - for access to UICC property
-# ctl_qmuxd_prop/ctl_netmgrd_prop - Needed in order to set properties on qmuxd and netmgrd processes
-# rmnet_mux_prop - Needed to set persist.rmnet.mux property
-# sys_usb_controller_prop - Needed to set sys.usb.controller property
-# sys_usb_configfs_prop - Needed to set sys.usb.configfs property
-set_prop(qti_init_shell, system_prop)
-set_prop(qti_init_shell, freq_prop)
-set_prop(qti_init_shell, perfd_prop)
-set_prop(qti_init_shell, gamed_prop)
-set_prop(qti_init_shell, mpdecision_prop)
-set_prop(qti_init_shell, bluetooth_prop)
-set_prop(qti_init_shell, config_prop)
-set_prop(qti_init_shell, sensors_prop)
-set_prop(qti_init_shell, msm_irqbalance_prop)
-set_prop(qti_init_shell, msm_irqbl_sdm630_prop)
-set_prop(qti_init_shell, ipacm_prop)
-set_prop(qti_init_shell, ipacm-diag_prop)
-set_prop(qti_init_shell, qti_prop)
-set_prop(qti_init_shell, ctl_rildaemon_prop)
-set_prop(qti_init_shell, uicc_prop)
-set_prop(qti_init_shell, ctl_qmuxd_prop)
-set_prop(qti_init_shell, ctl_netmgrd_prop)
-set_prop(qti_init_shell, ctl_port-bridge_prop)
-set_prop(qti_init_shell, sdm_idle_time_prop)
-set_prop(qti_init_shell, sf_lcd_density_prop)
-set_prop(qti_init_shell, scr_enabled_prop)
-set_prop(qti_init_shell, opengles_prop)
-set_prop(qti_init_shell, mdm_helper_prop)
-set_prop(qti_init_shell, fm_prop)
-set_prop(qti_init_shell, usf_prop)
-set_prop(qti_init_shell, qemu_hw_mainkeys_prop)
-set_prop(qti_init_shell, alarm_boot_prop)
-set_prop(qti_init_shell, boot_animation_prop)
-set_prop(qti_init_shell, debug_gralloc_prop)
-userdebug_or_eng(`
-# Needed for starting console in userdebug mode
-set_prop(qti_init_shell, ctl_console_prop)
-set_prop(qti_init_shell, coresight_prop)
-')
-set_prop(qti_init_shell, rmnet_mux_prop)
-set_prop(qti_init_shell, ctl_hbtp_prop)
-#Needed for starting vm_bms executable post-boot
-set_prop(qti_init_shell, vm_bms_prop)
-set_prop(qti_init_shell, sys_usb_controller_prop)
-set_prop(qti_init_shell, sys_usb_configfs_prop)
-#Needed for setting hwui properties in post_boot
-set_prop(qti_init_shell, hwui_prop)
-set_prop(qti_init_shell, graphics_vulkan_prop)
-#Needed for setting bservice properties from post_boot
-set_prop(qti_init_shell, bservice_prop)
-#Needed for setting DSR properties from post_boot
-set_prop(qti_init_shell, reschedule_service_prop)
-
-allow qti_init_shell efs_boot_dev:blk_file r_file_perms;
-
-# For hci_comm_init
-allow qti_init_shell { serial_device userdebug_or_eng(`qdss_device') }:chr_file rw_file_perms;
-
-
-allow qti_init_shell {
-    { sysfs_type - usermodehelper }
-    sysfs_devices_system_cpu
-    sysfs_thermal
-    sysfs_lowmemorykiller
-}:file w_file_perms;
-
-r_dir_file(qti_init_shell, sysfs_thermal)
-r_dir_file(qti_init_shell, sysfs_type)
-allow qti_init_shell sysfs_socinfo:file write;
-allow qti_init_shell sysfs:{ dir file lnk_file } relabelfrom;
-allow qti_init_shell sysfs_devices_system_cpu: { dir file lnk_file } relabelto;
-# Check if /dev/sensors or /dev/msm_dsps present
-allow qti_init_shell sensors_data_file:dir r_dir_perms;
-allow qti_init_shell sensors_device:chr_file r_file_perms;
-
-# To start sensors for DSPS enabled platforms
-r_dir_file(qti_init_shell, persist_file)
-r_dir_file(qti_init_shell, sensors_persist_file)
-r_dir_file(qti_init_shell, persist_bluetooth_file)
-allow qti_init_shell sensors_persist_file:file setattr;
-
-# To start of selected USF based calculators
-r_dir_file(qti_init_shell, usf_data_file)
-allow qti_init_shell usf_data_file:file w_file_perms;
-r_dir_file(qti_init_shell, persist_usf_file)
-allow qti_init_shell persist_usf_file:dir w_dir_perms;
-allow qti_init_shell usf_data_file:dir create_dir_perms;
-allow qti_init_shell usf_data_file:{ file lnk_file } create_file_perms;
-
-# To check if /system/bin/msm_irqbalance is persent in the device
-allow qti_init_shell msm_irqbalanced_exec:file getattr;
-
-# To write to /data/vendor/perfd
-allow qti_init_shell mpctl_data_file:dir w_dir_perms;
-allow qti_init_shell mpctl_data_file:file { write getattr unlink };
-
-allow qti_init_shell { proc proc_net}:file write;
-allow qti_init_shell proc_net:file r_file_perms;
-
-allow qti_init_shell radio_data_file:dir create_dir_perms;
-allow qti_init_shell radio_data_file:file create_file_perms;
-
-allow qti_init_shell graphics_device:dir create_dir_perms;
-allow qti_init_shell graphics_device:lnk_file create_file_perms;
-
-# To create sensor dir inside /data/misc/
-allow qti_init_shell system_data_file:dir create_dir_perms;
-
-#insmod of ko from scripts need kernel key search
-allow qti_init_shell kernel:key search;
-
-# To change owner of /sys/devices/virtual/hsicctl/hsicctl0/modem_wait to radio
-allow qti_init_shell sysfs_hsic_modem_wait:file { r_file_perms setattr };
-
-# To change owner/permissions of secure touch sysfs files
-r_dir_file(qti_init_shell, sysfs_securetouch)
-
-# core-ctl
-allow qti_init_shell cgroup:dir add_name;
-
-# To allow copy for mbn files
-r_dir_file(qti_init_shell, firmware_file)
-
-# /dev/block/zram0
-allow qti_init_shell block_device:dir r_dir_perms;
-allow qti_init_shell swap_block_device:blk_file rw_file_perms;
-
-# /data/system/swap/swapfile
-allow qti_init_shell swap_data_file:dir rw_dir_perms;
-allow qti_init_shell swap_data_file:file create_file_perms;
-
-#For configfs permission
-allow qti_init_shell configfs:dir r_dir_perms;
-allow qti_init_shell configfs:file rw_file_perms;
-
-#Allow read permissions to read adj
-allow qti_init_shell sysfs_lowmemorykiller:file read;
-
-allow qti_init_shell persist_alarm_file:dir r_dir_perms;
-allow qti_init_shell persist_alarm_file:file r_file_perms;
-
-#Allow /sys access to write zram disksize
-allow qti_init_shell sysfs_zram:dir r_dir_perms;
-allow qti_init_shell sysfs_zram:file w_file_perms;
-
-# To get GPU frequencies
-allow qti_init_shell sysfs_kgsl:file r_file_perms;
-
-allow qti_init_shell proc:file r_file_perms;
-allow qti_init_shell rootfs:file r_file_perms;
-allow qti_init_shell sysfs:file r_file_perms;
-
-allow qti_init_shell rmnet_mux_prop:file r_file_perms;
-
-r_dir_file(qti_init_shell, sysfs_devfreq)
-allow qti_init_shell sysfs_devfreq:file w_file_perms;
-
-allow qti_init_shell vendor_radio_data_file:dir create_dir_perms;
-allow qti_init_shell vendor_radio_data_file:file create_file_perms;
-
-set_prop(qti_init_shell, vendor_rild_libpath_prop);
-set_prop(qti_init_shell, system_radio_prop)
-
-allow qti_init_shell fm_qsoc_patches_exec:file rx_file_perms;
-
-# rules for vm_bms
-allow qti_init_shell {
-    sysfs_battery_supply
-    sysfs_usb_supply
-}:dir r_dir_perms;
-
-allow qti_init_shell {
-    sysfs_battery_supply
-    sysfs_usb_supply
-}:file rw_file_perms;
-
-allow qti_init_shell sysfs_battery_supply:file setattr;
-allow qti_init_shell sysfs_usb_supply:file setattr;

common/installd.te

@@ -1,3 +0,0 @@
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :dir { create_dir_perms relabelfrom relabelto };
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :lnk_file { create_file_perms relabelfrom relabelto };
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :{ file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };

common/ioctl_defines

@@ -1,82 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# gpu_device ioctls defined in the kernel in include/uapi/linux/msm_kgsl.h
-define(`IOCTL_KGSL_DEVICE_GETPROPERTY', `0x00000902')
-define(`IOCTL_KGSL_DEVICE_WAITTIMESTAMP', `0x00000906')
-define(`IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID', `0x00000907')
-define(`IOCTL_KGSL_RINGBUFFER_ISSUEIBCMDS', `0x00000910')
-define(`IOCTL_KGSL_CMDSTREAM_READTIMESTAMP', `0x00000911')
-define(`IOCTL_KGSL_CMDSTREAM_FREEMEMONTIMESTAMP', `0x00000912')
-define(`IOCTL_KGSL_DRAWCTXT_CREATE', `0x00000913')
-define(`IOCTL_KGSL_DRAWCTXT_DESTROY', `0x00000914')
-define(`IOCTL_KGSL_MAP_USER_MEM', `0x00000915')
-define(`IOCTL_KGSL_CMDSTREAM_READTIMESTAMP_CTXTID', `0x00000916')
-define(`IOCTL_KGSL_CMDSTREAM_FREEMEMONTIMESTAMP_CTXTID', `0x00000917')
-define(`IOCTL_KGSL_SHAREDMEM_FROM_PMEM', `0x00000920')
-define(`IOCTL_KGSL_SHAREDMEM_FREE', `0x00000921')
-define(`IOCTL_KGSL_DRAWCTXT_BIND_GMEM_SHADOW', `0x00000922')
-define(`IOCTL_KGSL_SHAREDMEM_FROM_VMALLOC', `0x00000923')
-define(`IOCTL_KGSL_SHAREDMEM_FLUSH_CACHE', `0x00000924')
-define(`IOCTL_KGSL_DRAWCTXT_SET_BIN_BASE_OFFSET', `0x00000925')
-define(`IOCTL_KGSL_CMDWINDOW_WRITE', `0x0000092e')
-define(`IOCTL_KGSL_GPUMEM_ALLOC', `0x0000092f')
-define(`IOCTL_KGSL_CFF_SYNCMEM', `0x00000930')
-define(`IOCTL_KGSL_CFF_USER_EVENT', `0x00000931')
-define(`IOCTL_KGSL_SETPROPERTY', `0x00000932')
-define(`IOCTL_KGSL_TIMESTAMP_EVENT', `0x00000933')
-define(`IOCTL_KGSL_GPUMEM_ALLOC_ID', `0x00000934')
-define(`IOCTL_KGSL_GPUMEM_FREE_ID', `0x00000935')
-define(`IOCTL_KGSL_GPUMEM_GET_INFO', `0x00000936')
-define(`IOCTL_KGSL_GPUMEM_SYNC_CACHE', `0x00000937')
-define(`IOCTL_KGSL_PERFCOUNTER_GET', `0x00000938')
-define(`IOCTL_KGSL_PERFCOUNTER_PUT', `0x00000939')
-define(`IOCTL_KGSL_PERFCOUNTER_QUERY', `0x0000093a')
-define(`IOCTL_KGSL_PERFCOUNTER_READ', `0x0000093b')
-define(`IOCTL_KGSL_GPUMEM_SYNC_CACHE_BULK', `0x0000093c')
-define(`IOCTL_KGSL_SUBMIT_COMMANDS', `0x0000093d')
-define(`IOCTL_KGSL_SYNCSOURCE_CREATE', `0x00000940')
-define(`IOCTL_KGSL_SYNCSOURCE_DESTROY', `0x00000941')
-define(`IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE', `0x00000942')
-define(`IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE', `0x00000943')
-define(`IOCTL_KGSL_CFF_SYNC_GPUOBJ', `0x00000944')
-define(`IOCTL_KGSL_GPUOBJ_ALLOC', `0x00000945')
-define(`IOCTL_KGSL_GPUOBJ_FREE', `0x00000946')
-define(`IOCTL_KGSL_GPUOBJ_INFO', `0x00000947')
-define(`IOCTL_KGSL_GPUOBJ_IMPORT', `0x00000948')
-define(`IOCTL_KGSL_GPUOBJ_SYNC', `0x00000949')
-define(`IOCTL_KGSL_GPU_COMMAND', `0x0000094a')
-define(`IOCTL_KGSL_PREEMPTIONCOUNTER_QUERY', `0x0000094b')
-define(`IOCTL_KGSL_GPUOBJ_SET_INFO', `0x0000094c')
-
-# socket ioctls defined in the kernel in include/uapi/linux/msm_ipc.h
-define(`IPC_ROUTER_IOCTL_GET_VERSION', `0x0000c300')
-define(`IPC_ROUTER_IOCTL_GET_MTU', `0x0000c301')
-define(`IPC_ROUTER_IOCTL_LOOKUP_SERVER', `0x0000c302')
-define(`IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE', `0x0000c303')
-define(`IPC_ROUTER_IOCTL_BIND_CONTROL_PORT', `0x0000c304')
-define(`IPC_ROUTER_IOCTL_CONFIG_SEC_RULES', `0x0000c305')

common/ioctl_macros

@@ -1,79 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-define(`gpu_ioctls', `{
-IOCTL_KGSL_DEVICE_GETPROPERTY
-IOCTL_KGSL_DEVICE_WAITTIMESTAMP_CTXTID
-IOCTL_KGSL_DRAWCTXT_CREATE
-IOCTL_KGSL_DRAWCTXT_DESTROY
-IOCTL_KGSL_MAP_USER_MEM
-IOCTL_KGSL_SHAREDMEM_FREE
-IOCTL_KGSL_SETPROPERTY
-IOCTL_KGSL_TIMESTAMP_EVENT
-IOCTL_KGSL_PERFCOUNTER_GET
-IOCTL_KGSL_PERFCOUNTER_PUT
-IOCTL_KGSL_SYNCSOURCE_CREATE
-IOCTL_KGSL_SYNCSOURCE_DESTROY
-IOCTL_KGSL_SYNCSOURCE_CREATE_FENCE
-IOCTL_KGSL_SYNCSOURCE_SIGNAL_FENCE
-IOCTL_KGSL_GPUOBJ_ALLOC
-IOCTL_KGSL_GPUOBJ_FREE
-IOCTL_KGSL_GPUOBJ_INFO
-IOCTL_KGSL_GPUOBJ_IMPORT
-IOCTL_KGSL_GPUOBJ_SYNC
-IOCTL_KGSL_GPU_COMMAND
-}')
-
-define(`msm_sock_ipc_ioctls', `{
-IPC_ROUTER_IOCTL_GET_VERSION
-IPC_ROUTER_IOCTL_GET_MTU
-IPC_ROUTER_IOCTL_LOOKUP_SERVER
-IPC_ROUTER_IOCTL_GET_CURR_PKT_SIZE
-IPC_ROUTER_IOCTL_BIND_CONTROL_PORT
-IPC_ROUTER_IOCTL_CONFIG_SEC_RULES
-}')
-
-define(`rmnet_sock_ioctls', `{
-SIOCDEVPRIVATE_1
-SIOCDEVPRIVATE_2
-SIOCDEVPRIVATE_3
-SIOCDEVPRIVATE_4
-SIOCDEVPRIVATE_5
-SIOCDEVPRIVATE_6
-SIOCDEVPRIVATE_7
-SIOCDEVPRIVATE_8
-SIOCDEVPRIVATE_9
-SIOCDEVPRIVATE_A
-SIOCDEVPRIVATE_B
-SIOCDEVPRIVATE_C
-SIOCDEVPRIVATE_D
-}')
-
-define(`wlan_sock_ioctls', `{
-SIOCSIWPRIV
-SIOCIWFIRSTPRIV_15
-}')

common/ipacm.te

@@ -1,38 +0,0 @@
-# General definitions
-type ipacm, domain;
-type ipacm-diag, domain;
-type ipacm_exec, exec_type, vendor_file_type, file_type;
-type ipacm-diag_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(ipacm)
-init_daemon_domain(ipacm-diag)
-
-# associate netdomain to use for accessing internet sockets
-net_domain(ipacm)
-
-userdebug_or_eng(`
-  # Allow using the logging file between ipacm and ipacm-diag
-  unix_socket_send(ipacm, ipacm, ipacm-diag)
-  diag_use(ipacm-diag)
-')
-
-# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
-allow ipacm ipa_dev:chr_file rw_file_perms;
-
-# Allow receiving NETLINK messages
-allow ipacm ipacm:{
-    netlink_route_socket
-    netlink_socket
-    # Allow querying the network stack via IOCTLs
-    udp_socket
-    netlink_generic_socket
-} create_socket_perms_no_ioctl;
-
-# Allow creating and modifying the PID file
-allow ipacm ipacm_data_file:dir w_dir_perms;
-allow ipacm ipacm_data_file:file create_file_perms;
-
-# To register ipacm to hwbinder
-add_hwservice(ipacm, hal_ipacm_hwservice)
-hwbinder_use(ipacm)
-get_prop(ipacm, hwservicemanager_prop)
-binder_call(ipacm, system_server)

common/irsc_util.te

@@ -1,12 +0,0 @@
-type irsc_util, domain;
-type irsc_util_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(irsc_util)
-
-userdebug_or_eng(`
-  #domain_auto_trans(vendor_shell, irsc_util_exec, irsc_util)
-  #domain_auto_trans(adbd, irsc_util_exec, irsc_util)
-')
-
-allow irsc_util irsc_util:socket { create ioctl };
-allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
-allow irsc_util devpts:chr_file rw_file_perms;

common/kernel.te

@@ -1,10 +0,0 @@
-allow kernel block_device:blk_file rw_file_perms;
-
-userdebug_or_eng(`
- #allow kernel self:capability { dac_read_search dac_override };
-  allow kernel self:socket create_socket_perms_no_ioctl;
-  r_dir_file(kernel, qti_debugfs);
-')
-
-# Access firmware_file
-r_dir_file(kernel, firmware_file)

common/keystore.te

@@ -1,2 +0,0 @@
-# Allow keystore to operate using qseecom_device
-allow keystore tee_device:chr_file rw_file_perms;

common/location.te

@@ -1,85 +0,0 @@
-# location - Location daemon
-type location, domain;
-type location_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(location)
-net_domain(location)
-
-# Socket is created by the daemon, not by init, and under /data/gps,
-# not under /dev/socket.
-type_transition location location_data_file:sock_file location_socket;
-
-qmux_socket(location)
-#binder_use(location)
-binder_call(location, system_server)
-wakelock_use(location)
-
-allow location location_data_file:dir create_dir_perms;
-allow location location_data_file:{ file fifo_file } create_file_perms;
-allow location location_data_file:sock_file write;
-allow location location_exec:file x_file_perms;
-allow location location_socket:sock_file create_file_perms;
-allow location self:capability { setuid setgid net_admin net_bind_service };
-allow location self:{
-    socket
-    netlink_socket
-    netlink_generic_socket
-} create_socket_perms_no_ioctl;
-
-unix_socket_connect(location, sensors, sensors)
-allow location sensors_device:chr_file r_file_perms;
-allow location sensors_socket:sock_file rw_file_perms;
-allow location vendor_shell_exec:file rx_file_perms;
-
-#allow location system_server:unix_stream_socket { read write connectto};
-
-# For interfacing with the device sensorservice
-# permission check for slim daemon
-#allow location { sensorservice_service permission_service }:service_manager find;
-
-hwbinder_use(location)
-get_prop(location, hwservicemanager_prop)
-
-allow location fwk_sensor_hwservice:hwservice_manager find;
-
-allow location sensors_persist_file:dir r_dir_perms;
-allow location sensors_persist_file:file r_file_perms;
-
-#wifi
-userdebug_or_eng(`
-allow location wifi_data_file:dir create_dir_perms;
-#allow location wifi_data_file:sock_file create_file_perms;
-allow location su:unix_dgram_socket sendto;
-')
-# comment to remove compilation issue
-#unix_socket_send(wpa, location, location)
-#allow location wpa:unix_dgram_socket sendto;
-allow location wpa_socket:dir rw_dir_perms;
-allow location wpa_socket:sock_file create_file_perms;
-
-allow location rfs_shared_hlos_file:dir r_dir_perms;
-allow location rfs_shared_hlos_file:file rw_file_perms;
-
-dontaudit location domain:dir r_dir_perms;
-r_dir_file(location, netmgrd)
-allow location persist_file:dir r_dir_perms;
-
-#Allow access to netmgrd socket
-netmgr_socket(location);
-
-#Allow access to properties
-set_prop(location, location_prop);
-
-#diag
-userdebug_or_eng(`
-    diag_use(location)
-')
-allow location sysfs:file r_file_perms;
-allow location sysfs_data:file r_file_perms;
-allow location self:socket ioctl;
-# ioctlcmd=c304
-allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
-allow location self:udp_socket ioctl;
-allow location wifi_prop:file r_file_perms;
-# Replace this with macro
-allowxperm location self:udp_socket ioctl priv_sock_ioctls;

common/location_app.te

@@ -1,33 +0,0 @@
-type location_app, domain;
-app_domain(location_app)
-binder_use(location_app)
-hal_client_domain(location_app, hal_gnss)
-
-qmux_socket(location_app)
-
-net_domain(location_app)
-
-#Permissions for JDWP
-userdebug_or_eng(`
-  allow location_app { adbd su }:unix_stream_socket connectto;
-  allow location_app mediaserver_service:service_manager find;
-  allow location_app audioserver_service:service_manager find;
-  diag_use(location_app)
-')
-
-allow location_app surfaceflinger_service:service_manager find;
-allow location_app location_app_data_file:dir create_dir_perms;
-allow location_app location_app_data_file:file create_file_perms ;
-allow location_app location_data_file:dir rw_dir_perms;
-allow location_app location_data_file:sock_file create_file_perms;
-allow location_app self:socket create_socket_perms;
-#allow location_app system_app_data_file:dir r_dir_perms;
-allow location_app anr_data_file:dir rw_dir_perms;
-allow location_app anr_data_file:file rw_file_perms;
-allow location_app { app_api_service activity_service }:service_manager find;
-# ioctlcmd=c302
-allowxperm location_app self:socket ioctl msm_sock_ipc_ioctls;
-allow location_app sysfs:file r_file_perms;
-allow location_app sysfs_data:file r_file_perms;
-get_prop(location_app, debug_gralloc_prop)
-unix_socket_connect(location_app, dpmtcm, dpmd)

common/logd.te

@@ -1 +0,0 @@
-r_dir_file(logd, location_app)

common/mcStarter.te

@@ -1,10 +0,0 @@
-# mobicore daemon
-type mcStarter, domain;
-type mcStarter_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mcStarter)
-
-# Allow Mobicore to use qseecom services for loading the app
-allow mcStarter tee_device:chr_file rw_file_perms;
-
-# Allow Mobicore to access the firmware files
-r_dir_file(mcStarter, firmware_file)

common/mdm_helper.te

@@ -1,54 +0,0 @@
-#Policy for mdm_helper
-#mdm_helper - mdm_helper domain
-type mdm_helper, domain;
-type mdm_helper_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mdm_helper);
-
-#block_suspend capability is needed by kickstart(ks)
-wakelock_use(mdm_helper)
-
-#Needed to power on the peripheral
-allow mdm_helper ssr_device:chr_file r_file_perms;
-
-#Needed to access the esoc device to control the mdm
-allow mdm_helper esoc_device:dir r_dir_perms;
-allow mdm_helper esoc_device:chr_file rw_file_perms;
-
-#Needed to detect presence of hsic bridge and to xfer images
-allow mdm_helper ksbridgehsic_device:chr_file rw_file_perms;
-
-#Needed to detect efs sync and for kickstart to run the efs sync server
-allow mdm_helper efsbridgehsic_device:chr_file rw_file_perms;
-
-#Needed for communication with the HSIC driver
-r_dir_file(mdm_helper, sysfs_hsic)
-allow mdm_helper sysfs_hsic:file w_file_perms;
-
-#Needed by libmdmdetect to figure out the system configuration
-r_dir_file(mdm_helper, sysfs_esoc)
-
-#Needed by libmdmdetect to get system information regarding subsystems and to check their states
-r_dir_file(mdm_helper, sysfs_ssr)
-
-#Needed in order to run kickstart
-allow mdm_helper shell:fd use;
-allow mdm_helper vendor_shell_exec:file rx_file_perms;
-allow mdm_helper { system_file mdm_helper_exec }:file x_file_perms;
-
-#Needed by ks in order to access the efs sync partitions.
-allow mdm_helper block_device:dir rw_dir_perms;
-allow mdm_helper efs_boot_dev:blk_file rw_file_perms;
-
-#Needed to inform the hsic driver that mdm has booted up
-allow mdm_helper sysfs:file w_file_perms;
-
-#Needed in order to access the firmware partition
-r_dir_file(mdm_helper, firmware_file)
-
-#Needed in order to collect ramdumps
-allow mdm_helper tombstone_data_file:dir create_dir_perms;
-allow mdm_helper tombstone_data_file:file create_file_perms;
-
-#Needed to allow boot over PCIe
-allow mdm_helper bhi_device:chr_file rw_file_perms;
-allow mdm_helper mhi_device:chr_file rw_file_perms;

common/mdtp.te

@@ -1,92 +0,0 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type mdtpdaemon, domain;
-type mdtpdaemon_exec, exec_type, vendor_file_type, file_type;
-
-allow mdtpdaemon self:capability {
-    setuid
-    setgid
-};
-
-userdebug_or_eng(`
-    #Needed for kill(pid, 0) existance test
-    allow mdtpdaemon su:process signull;
-    allow mdtpdaemon self:capability kill;
-    diag_use(mdtpdaemon)
-')
-
-#Allow for transition from init domain to mdtpdaemon
-init_daemon_domain(mdtpdaemon)
-
-#Allow mdtpdaemon to use Binder IPC
-#binder_use(mdtpdaemon)
-
-#Mark mdtpdaemon as a Binder service domain
-#binder_service(mdtpdaemon)
-
-#Allow mdtpdaemon to be registered with service manager
-#allow mdtpdaemon mdtpdaemon_service:service_manager { add find };
-
-#Allow apps to interact with mdtpdaemon
-binder_call(mdtpdaemon, platform_app)
-
-#Allow access to firmware
-r_dir_file(mdtpdaemon, firmware_file)
-
-#Allow access to qsee directories
-allow mdtpdaemon data_qsee_file:dir create_dir_perms;
-allow mdtpdaemon data_qsee_file:file create_file_perms;
-
-#Allow access to qsee fifos
-allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
-
-#Allow access to tee device
-allow mdtpdaemon tee_device:chr_file rw_file_perms;
-
-# Provide access to block devices
-allow mdtpdaemon block_device:dir r_dir_perms;
-allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
-allow mdtpdaemon system_block_device:blk_file r_file_perms;
-
-# Provide access to QTI Crypto driver for MDTP
-# allow mdtpdaemon qce_device:chr_file rw_file_perms;
-
-# Provide read access to all /system files for MDTP file-to-block-mapping
-r_dir_file(mdtpdaemon, exec_type)
-r_dir_file(mdtpdaemon, system_file)
-
-# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
-qmux_socket(mdtpdaemon);
-allow mdtpdaemon self:socket create_socket_perms;
-allowxperm mdtpdaemon self:socket ioctl msm_sock_ipc_ioctls;
-
-# Provide tee ability to run executables in rootfs for MDTP
-allow mdtpdaemon rootfs:file x_file_perms;
-allow mdtpdaemon ion_device:chr_file r_file_perms;
-allow mdtpdaemon sysfs:file r_file_perms;
-allow mdtpdaemon sysfs_data:file r_file_perms;

common/mediacodec.te

@@ -1,80 +0,0 @@
-#copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#mediacodec need intraction with audio device nodes
-allow mediacodec audio_device:chr_file rw_file_perms;
-
-#allow mediacodec to access adsprpcd
-r_dir_file(mediacodec, adsprpcd_file);
-r_dir_file(mediacodec, firmware_file);
-
-#Allow mediacodec to access proc_net files
-allow mediacodec proc_net:file r_file_perms;
-
-allow mediacodec system_file:dir r_dir_perms;
-allow mediacodec qdsp_device:chr_file r_file_perms;
-
-#Allow mediacodec to access service manager wfdnativemm_service
-allow mediacodec wfdnativemm_service:service_manager find;
-hal_client_domain(mediacodec, wifidisplayhalservice)
-
-allow mediacodec media_data_file:dir create_dir_perms;
-allow mediacodec media_data_file:file create_file_perms;
-
-# DOLBY_START
-#allow mediacodec audioserver_service:service_manager find;
-set_prop(mediacodec, dolby_prop)
-# DOLBY_END
-allow mediacodec debug_gralloc_prop:file r_file_perms;
-vndbinder_use(mediacodec);
-hwbinder_use(mediacodec);
-hal_client_domain(mediacodec, hal_vpp)
-hal_client_domain(mediacodec, hal_perf)

common/mediaserver.te

@@ -1,66 +0,0 @@
-# allow mediaserver to communicate with cnd
-#unix_socket_connect(mediaserver, cnd, cnd)
-
-#unix_socket_send(mediaserver, camera, mm-qcamerad)
-
-allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver qdsp_device:chr_file r_file_perms;
-
-allow mediaserver self:socket create_socket_perms_no_ioctl;
-
-binder_call(mediaserver, rild)
-
-#qmux_socket(mediaserver)
-allow mediaserver camera_data_file:sock_file w_file_perms;
-
-userdebug_or_eng(`
-  allow mediaserver camera_data_file:dir rw_dir_perms;
-  allow mediaserver camera_data_file:file create_file_perms;
-  # Access to audio
-  allow mediaserver qti_debugfs:file rw_file_perms;
-')
-
-r_dir_file(mediaserver, sysfs_esoc)
-#allow mediaserver system_app_data_file:file rw_file_perms;
-
-# allow mediaserver to write DTS files
-allow mediaserver dts_data_file:dir rw_dir_perms;
-allow mediaserver dts_data_file:file create_file_perms;
-
-# allow poweroffhandler to binder mediaserver
-binder_call(mediaserver, poweroffhandler);
-
-
-# for thermal sock files
-#unix_socket_connect(mediaserver, thermal, thermal-engine)
-
-#This is required for thermal sysfs access
-r_dir_file(mediaserver, sysfs_thermal);
-
-#allow mediaserver to communicate with timedaemon
-#allow mediaserver time_daemon:unix_stream_socket connectto;
-
-# Allow mediaserver to create socket files for audio arbitration
-allow mediaserver audio_data_file:sock_file { create setattr unlink };
-allow mediaserver audio_data_file:dir remove_name;
-
-# Allow mediaserver to create audio pp files
-allow mediaserver audio_pp_data_file:dir rw_dir_perms;
-allow mediaserver audio_pp_data_file:file create_file_perms;
-
-#Allow mediaserver to set camera  properties
-allow mediaserver camera_prop:property_service set;
-
-#Allow mediaserver access mmi_data_file
-allow mediaserver mmi_data_file:file r_file_perms;
-
-#allow mediaserver to access wfdservice
-binder_call(mediaserver, wfdservice)
-
-#allow mediaserver to access adsprpcd
-r_dir_file(mediaserver, adsprpcd_file);
-
-# allow mediaserver to communicate with bootanim
-binder_call(mediaserver, bootanim);
-
-allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms;

common/mm-pp-daemon.te

@@ -1,77 +0,0 @@
-type mm-pp-daemon, domain;
-type mm-pp-daemon_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(mm-pp-daemon)
-
-#Need to use fb ioctls to communicate with kernel
-allow mm-pp-daemon graphics_device:chr_file rw_file_perms;
-allow mm-pp-daemon graphics_device:dir r_dir_perms;
-
-# Allow reading/writing to '/persist/display/*'
-# The color config file is dynamically created
-allow mm-pp-daemon persist_display_file:dir rw_dir_perms;
-allow mm-pp-daemon persist_display_file:file create_file_perms;
-
-# Allow for directory search only to '/persist'
-allow mm-pp-daemon persist_file:dir search;
-
-# Allow reading/writing data config files
-allow mm-pp-daemon display_misc_file:dir create_dir_perms;
-allow mm-pp-daemon display_misc_file:file create_file_perms;
-
-# Allow read to sensor device and read/write to sensor socket
-allow mm-pp-daemon sensors_device:chr_file r_file_perms;
-allow mm-pp-daemon sensors_socket:sock_file rw_file_perms;
-allow mm-pp-daemon sensors:unix_stream_socket connectto;
-
-
-# Rule for IPC communication
-allow mm-pp-daemon qdisplay_service:service_manager find;
-vndbinder_use(mm-pp-daemon)
-hal_client_domain(mm-pp-daemon, hal_graphics_composer)
-allow mm-pp-daemon fwk_sensor_hwservice:hwservice_manager find;
-# Allow service manager to find surface flinger service,
-# sensorservice service, permission_service, and power service (for
-# acquire wakelock)
-#allow mm-pp-daemon { surfaceflinger_service sensorservice_service
-#    permission_service power_service }:service_manager find;
-# Allow mm-pp-daemon to call binder for screen refresh
-#binder_use(mm-pp-daemon)
-binder_call(mm-pp-daemon, system_server)
-
-userdebug_or_eng(`
-  # This allows pp-daemon to use shell commands to blank
-  # the display - it uses input keyevent to do this
-  allow mm-pp-daemon { vendor_shell_exec
-                      #zygote_exec 
-  }:file rx_file_perms;
-  allow mm-pp-daemon system_file:file x_file_perms;
-  allow mm-pp-daemon self:process ptrace;
-
-
-  # This allow pp-daemon access to diag
-  diag_use(mm-pp-daemon)
-')
-
-# Allow mm-pp-daemon to change the brightness
-allow mm-pp-daemon sysfs_leds:dir r_dir_perms;
-allow mm-pp-daemon sysfs_leds:file rw_file_perms;
-allow mm-pp-daemon sysfs_leds:lnk_file read;
-allow mm-pp-daemon sysfs_graphics:dir r_dir_perms;
-allow mm-pp-daemon sysfs_graphics:file rw_file_perms;
-allow mm-pp-daemon sysfs_data:file r_file_perms;
-
-userdebug_or_eng(`
-set_prop(mm-pp-daemon, debug_prop)
-')
-
-# Allow socket calls in pp-daemon
-unix_socket_connect(mm-pp-daemon, pps, init)
-
-allow mm-pp-daemon init:unix_stream_socket { listen accept };
-
-# Allow connections between sensor manager and mm-pp-daemon
-#allow mm-pp-daemon system_server:unix_stream_socket rw_socket_perms;
-
-# access lcd-backlight
-r_dir_file(mm-pp-daemon, sysfs_leds)

common/mm-qcamerad.te

@@ -1,82 +0,0 @@
-type mm-qcamerad, domain;
-type mm-qcamerad_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mm-qcamerad)
-
-#added to support EZTune for camera
-userdebug_or_eng(`
-  allow mm-qcamerad qti_debugfs:dir r_dir_perms;
-  allow mm-qcamerad qti_debugfs:file read;
-  allow mm-qcamerad camera_data_file:file create_file_perms;
-  #allow mm-qcamerad self:tcp_socket create_stream_socket_perms;
-  allow mm-qcamerad node:tcp_socket node_bind;
-
-  # IMS use camera daemon to make VT call
-  allow mm-qcamerad port:tcp_socket name_bind;
-  allow mm-qcamerad self:tcp_socket { accept listen };
-  allow mm-qcamerad camera_data_file:file create_file_perms;
-
-  # mm-qcamerad needs to set persist.camera. property
-  set_prop(mm-qcamerad, camera_prop)
-')
-
-#Communicate with user land process through domain socket
-#allow mm-qcamerad camera_socket:sock_file { create unlink write };
-allow mm-qcamerad camera_socket:dir w_dir_perms;
-unix_socket_connect(mm-qcamerad, sensors, sensors)
-
-#Allow connections between sensor manager and mm-qcamerad
-#allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
-binder_call(mm-qcamerad, system_server);
-#binder_use(mm-qcamerad);
-
-allow mm-qcamerad self:socket create_socket_perms_no_ioctl;
-allow mm-qcamerad persist_file:dir r_dir_perms;
-allow mm-qcamerad sensors_persist_file:dir r_dir_perms;
-allow mm-qcamerad sensors_persist_file:file r_file_perms;
-
-allow mm-qcamerad self:process execmem;
-
-# Interact with other media devices
-allow mm-qcamerad video_device:dir r_dir_perms;
-allow mm-qcamerad { gpu_device video_device sensors_device }:chr_file rw_file_perms;
-
-allow mm-qcamerad { surfaceflinger mediaserver cameraserver hal_camera }:fd use;
-
-allow mm-qcamerad camera_data_file:dir w_dir_perms;
-#allow mm-qcamerad camera_data_file:sock_file { create unlink };
-
-allow mm-qcamerad vendor_camera_data_file:dir w_dir_perms;
-allow mm-qcamerad vendor_camera_data_file:sock_file { create unlink };
-
-#Allows camera to call ADSP QDSP6 functionality
-allow mm-qcamerad qdsp_device:chr_file rw_file_perms;
-
-#Allows sensor service(running in camera daemon) to invoke service manager API
-#allow mm-qcamerad sensorservice_service:service_manager find;
-
-#allow mm-qcamerad to access /dsp
-r_dir_file(mm-qcamerad, adsprpcd_file);
-
-r_dir_file(mm-qcamerad, firmware_file)
-allow mm-qcamerad graphics_device:dir r_dir_perms;
-
-#Allow access to /dev/graphics/fb* for screen capture
-allow mm-qcamerad graphics_device:chr_file rw_file_perms;
-
-#Allow camera work normally in FFBM
-binder_call(mm-qcamerad, mmi);
-
-#Allow camera to access laser nodes
-allow mm-qcamerad input_device:dir r_dir_perms;
-allow mm-qcamerad input_device:chr_file r_file_perms;
-allow mm-qcamerad sysfs:file rw_file_perms;
-
-hal_client_domain(mm-qcamerad, hal_graphics_allocator)
-allow mm-qcamerad ion_device:chr_file rw_file_perms;
-
-# from sensors team
-
-allow mm-qcamerad self:socket create_socket_perms;
-allowxperm mm-qcamerad self:socket ioctl msm_sock_ipc_ioctls;
-
-allow mm-qcamerad sysfs_data:file r_file_perms;

common/mmi.te

@@ -1,143 +0,0 @@
-#integrated process
-type mmi, domain;
-type mmi_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(mmi)
-
-#self capability
-allow mmi self:socket create_socket_perms_no_ioctl;
-allow mmi self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
-allow mmi self:udp_socket create_socket_perms_no_ioctl;
-allow mmi self:capability { sys_nice dac_override setuid setgid fowner chown fsetid kill net_admin sys_module net_raw};
-allow mmi self:capability2 wake_alarm;
-
-#For various devices
-allow mmi sysfs:file w_file_perms;
-allow mmi graphics_device:dir r_dir_perms;
-allow mmi graphics_device:chr_file rw_file_perms;
-allow mmi input_device:chr_file r_file_perms;
-allow mmi input_device:dir r_dir_perms;
-allow mmi nfc_device:chr_file rw_file_perms;
-allow mmi vendor_shell_exec:file rx_file_perms;
-wakelock_use(mmi)
-
-#FTM_AP folder permissions
-file_type_auto_trans(mmi, cache_file, mmi_data_file);
-allow mmi mmi_data_file:dir rw_dir_perms;
-allow mmi mmi_data_file:file create_file_perms;
-
-#socket
-allow mmi socket_device:dir w_dir_perms;
-
-#allow mmi set system prop,sensor need write persist
-set_prop(mmi, powerctl_prop)
-allow mmi persist_file:dir r_dir_perms;
-allow mmi sensors_persist_file:dir create_dir_perms;
-allow mmi sensors_persist_file:file create_file_perms;
-
-#wifi case
-allow mmi system_file:file x_file_perms;
-#allow mmi wpa_exec:file rx_file_perms;
-allow mmi wcnss_service_exec:file rx_file_perms;
-allow mmi kernel:key search;
-allow mmi kernel:system module_request;
-allow mmi vendor_toolbox_exec:file rx_file_perms;
-allow mmi system_file:system module_load;
-
-#audio case
-allow mmi audio_device:dir r_dir_perms;
-allow mmi audio_device:chr_file rw_file_perms;
-
-#FM case
-allow mmi fm_radio_device:chr_file r_file_perms;
-allow mmi fm_data_file:file r_file_perms;
-set_prop(mmi, fm_prop)
-set_prop(mmi, ctl_default_prop)
-#bluetooth case
-allow mmi bluetooth_data_file:dir rw_dir_perms;
-allow mmi bluetooth_data_file:file create_file_perms;
-set_prop(mmi, bluetooth_prop)
-allow mmi smd_device:chr_file rw_file_perms;
-allow mmi persist_bluetooth_file:file r_file_perms;
-allow mmi wcnss_filter:unix_stream_socket connectto;
-
-#GPS case
-allow mmi location_data_file:fifo_file create_file_perms;
-allow mmi location_data_file:dir create_dir_perms;
-allow mmi location_data_file:file create_file_perms;
-allow mmi mmi_socket:sock_file create_file_perms;
-type_transition mmi socket_device:sock_file mmi_socket;
-allow mmi location_exec:file rx_file_perms;
-allow mmi smem_log_device:chr_file rw_file_perms;
-allow mmi ssr_device:chr_file r_file_perms;
-
-#SD card case
-allow mmi sd_device:blk_file rw_file_perms;
-allow mmi block_device:blk_file getattr;
-allow mmi block_device:dir r_dir_perms;
-
-#camera
-allow mmi video_device:chr_file rw_file_perms;
-allow mmi camera_data_file:sock_file write;
-allow mmi camera_data_file:dir r_dir_perms;
-allow mmi mm-qcamerad:unix_dgram_socket sendto;
-
-#nfc case
-allow mmi nfc_data_file:dir rw_dir_perms;
-allow mmi nfc_data_file:file create_file_perms;
-
-#simcard
-qmux_socket(mmi);
-
-#allow mmi access chgdiabled prop
-set_prop(mmi, chgdiabled_prop)
-#Allow mmi operate on surfaceflinger
-allow mmi surfaceflinger:fd use;
-#allow mmi surfaceflinger_service:service_manager find;
-
-#Allow mmi operate on graphics
-hal_client_domain(mmi, hal_graphics_allocator);
-
-#Allow mmi operate on hwservicemanager
-hwbinder_use(hwservicemanager);
-get_prop(mmi, hwservicemanager_prop);
-
-#Allow mmi operate ion_device
-allow mmi ion_device:chr_file r_file_perms;
-
-#Allow mmi operate on graphics
-hal_client_domain(mmi, hal_graphics_allocator);
-
-#Allow mmi operate on hwservicemanager
-hwbinder_use(hwservicemanager);
-get_prop(mmi, hwservicemanager_prop);
-
-#Allow mmi operate ion_device
-allow mmi ion_device:chr_file r_file_perms;
-
-#Allow mmi to use IPC
-#binder_use(mmi)
-binder_call(mmi,surfaceflinger)
-
-#sensor cases
-unix_socket_connect(mmi, sensors, sensors);
-allow mmi sensors_device:chr_file r_file_perms;
-
-#logcat
-#domain_auto_trans(mmi, logcat_exec, logd);
-
-#access kmsg device for logging
-allow mmi kmsg_device:chr_file rw_file_perms;
-
-#mmi test
-unix_socket_connect(mmi, cnd, cnd);
-unix_socket_connect(mmi, netmgrd, netmgrd);
-net_domain(mmi);
-
-#allow mmi access boot mode switch
-set_prop(mmi, boot_mode_prop)
-#diag
-userdebug_or_eng(`
-    diag_use(mmi)
-')

common/modprobe.te

@@ -1,29 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-# #
-# # Redistribution and use in source and binary forms, with or without
-# # modification, are permitted provided that the following conditions are
-# # met:
-# #     * Redistributions of source code must retain the above copyright
-# #       notice, this list of conditions and the following disclaimer.
-# #     * Redistributions in binary form must reproduce the above
-# #       copyright notice, this list of conditions and the following
-# #       disclaimer in the documentation and/or other materials provided
-# #       with the distribution.
-# #     * Neither the name of The Linux Foundation nor the names of its
-# #       contributors may be used to endorse or promote products derived
-# #       from this software without specific prior written permission.
-# #
-# # THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# # WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# # ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# # CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# # SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# loading modules
-allow modprobe kernel:key search;

common/mpdecision.te

@@ -1,44 +0,0 @@
-type mpdecision, domain, mlstrustedsubject;
-type mpdecision_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(mpdecision)
-
-allow mpdecision {
-    sysfs_mpdecision
-    sysfs_devices_system_cpu
-    sysfs_cpu_online
-}:file rw_file_perms;
-
-#Allow mpdecision set cpu affinity
-allow mpdecision kernel:process setsched;
-
-#Allow writes to /dev/cpu_dma_latency
-allow mpdecision self: {
-    netlink_kobject_uevent_socket
-    socket
-} create_socket_perms_no_ioctl;
-
-allow mpdecision device_latency:chr_file w_file_perms;
-
-r_dir_file(mpdecision, sysfs_rqstats)
-allow mpdecision sysfs_rqstats:file w_file_perms;
-r_dir_file(mpdecision, sysfs_thermal)
-allow mpdecision sysfs_thermal:file write;
-
-#policies for mpctl
-#mpctl socket
-allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice };
-allow mpdecision mpctl_socket:dir rw_dir_perms;
-allow mpdecision mpctl_socket:sock_file create_file_perms;
-
-allow mpdecision sysfs:file w_file_perms;
-
-#default_values file
-allow mpdecision mpctl_data_file:dir rw_dir_perms;
-allow mpdecision mpctl_data_file:file create_file_perms;
-
-#allow poll of system_server status
-r_dir_file(mpdecision, system_server)
-
-#mpdecision set properties
-set_prop(mpdecision, mpdecision_prop)

common/msm_irqbalanced.te

@@ -1,16 +0,0 @@
-type msm_irqbalanced, domain;
-type msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(msm_irqbalanced)
-
-allow msm_irqbalanced cgroup:dir { create add_name };
-allow msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
-allow msm_irqbalanced self:capability { setuid setgid dac_override };
-r_dir_file(msm_irqbalanced, sysfs_rqstats);
-
-# access smp_affinity
-allow msm_irqbalanced proc:file r_file_perms;
-allow msm_irqbalanced proc_interrupts:file r_file_perms;
-allow msm_irqbalanced proc_stat:file r_file_perms;
-# irq_blacklist_on
-allow msm_irqbalanced sysfs_irqbalance:file r_file_perms;

common/net.te

@@ -1,5 +0,0 @@
-# allow netdomain access to cnd
-#unix_socket_connect(netdomain, cnd, cnd)
-
-# allow netdomain access to dpmd
-#unix_socket_connect(netdomain, dpmwrapper, dpmd)

common/netd.te

@@ -1,33 +0,0 @@
-#Policies for IPv6 tethering
-allow netd netd:capability { setgid setuid };
-dontaudit netd self:capability sys_module;
-binder_use(netd);
-allow netd qtitetherservice_service:service_manager find;
-
-allow netd netd:packet_socket create_socket_perms_no_ioctl;
-
-#unix_socket_connect(netd, cnd, cnd)
-
-allow netd wfdservice:fd use;
-#allow netd wfdservice:tcp_socket rw_socket_perms;
-hal_client_domain(netd, wifidisplayhalservice);
-
-# allow to read /data/misc/ipa/tether_stats file
-allow netd ipacm_data_file:dir r_dir_perms;
-allow netd ipacm_data_file:file r_file_perms;
-
-#allow netd to use privileged sock ioctls
-allowxperm netd self: { unix_stream_socket } ioctl priv_sock_ioctls;
-
-# needed for netd to start FST Manager via system property
-allow netd netd_prop:property_service set;
-
-allow netd self:capability fsetid;
-#allow netd hostapd:unix_dgram_socket sendto;
-
-# Allow netd to chmod dir /data/misc/dhcp
-allow netd dhcp_data_file:dir create_dir_perms;
-
-type_transition netd wifi_data_file:dir wpa_socket "sockets";
-allow netd wpa_socket:dir create_dir_perms;
-#allow netd wpa_socket:sock_file create_file_perms;

common/netmgrd.te

@@ -1,98 +0,0 @@
-type netmgrd, domain;
-type netmgrd_exec, exec_type, vendor_file_type, file_type;
-net_domain(netmgrd)
-init_daemon_domain(netmgrd)
-
-userdebug_or_eng(`
-  domain_auto_trans(shell, netmgrd_exec, netmgrd)
-  #domain_auto_trans(adbd, netmgrd_exec, netmgrd)
-  diag_use(netmgrd)
-  diag_use(netutils_wrapper)
-')
-
-#Allow files to be written during the operation of netmgrd
-file_type_auto_trans(netmgrd, system_data_file, data_test_data_file)
-
-#Allow netmgrd operations
-allow netmgrd netmgrd:capability {
-    net_raw
-    net_admin
-    sys_module
-    fsetid
-    setgid
-    setuid
-    setpcap
-};
-
-#Allow logging
-allow netmgrd smem_log_device:chr_file rw_file_perms;
-allow netmgrd netmgrd_data_file:file create_file_perms;
-allow netmgrd netmgrd_data_file:dir w_dir_perms;
-
-#Allow netutils usage
-use_netutils(netmgrd)
-allow netutils_wrapper netmgrd_data_file:file rw_file_perms;
-allow netutils_wrapper wcnss_service_exec:file rx_file_perms;
-
-#Allow operations on different types of sockets
-allow netmgrd netmgrd:rawip_socket { create getopt setopt write };
-allow netmgrd netmgrd:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_write nlmsg_read };
-allow netmgrd netmgrd:netlink_socket { write read create bind };
-allow netmgrd netmgrd:socket { create };
-allow netmgrd netmgrd:netlink_route_socket { setopt getattr write nlmsg_write };
-allow netmgrd self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow netmgrd self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read nlmsg_write };
-
-unix_socket_connect(netmgrd, cnd, cnd);
-
-qmux_socket(netmgrd);
-
-#Allow writing of ipv6 network properties
-allow netmgrd { proc_net sysfs }:file rw_file_perms;
-
-#Allow address configuration
-#Allow setting of DNS and GW Android properties
-set_prop(netmgrd, system_prop)
-set_prop(netmgrd, net_radio_prop)
-set_prop(netmgrd, xlat_prop)
-
-#Allow execution of commands in shell
-allow netmgrd system_file:file x_file_perms;
-
-allow netmgrd self:socket create_socket_perms;
-allow netmgrd sysfs_esoc:dir r_dir_perms;
-
-#Allow communication with netd
-#allow netmgrd netd_socket:sock_file w_file_perms;
-#r_dir_file(netmgrd, net_data_file)
-
-#Allow nemtgrd to use esoc api's to determine target
-allow netmgrd sysfs_esoc:lnk_file r_file_perms;
-
-r_dir_file(netmgrd, sysfs_ssr);
-
-allow netmgrd sysfs:file w_file_perms;
-allow netmgrd sysfs_data:file r_file_perms;
-
-#Acquire lock on /system/etc/xtables.lock
-#Required till netutils wrappers are available
-not_full_treble(`allow netmgrd system_file:file lock;')
-
-#Allow netmgrd to create netmgrd socket
-allow netmgrd netmgrd_socket:dir create_dir_perms;
-allow netmgrd netmgrd_socket:sock_file create_file_perms;
-
-allow netmgrd { wcnss_service_exec vendor_shell_exec vendor_toolbox_exec }:file rx_file_perms;
-
-#Allow netmgrd to use wakelock
-wakelock_use(netmgrd)
-
-allowxperm netmgrd self:udp_socket ioctl priv_sock_ioctls;
-allowxperm netmgrd self:udp_socket ioctl rmnet_sock_ioctls;
-allowxperm netmgrd self:socket ioctl msm_sock_ipc_ioctls;
-
-#Allow netmgrd to use netd HAL via HIDL
-get_prop(netmgrd, hwservicemanager_prop)
-hwbinder_use(netmgrd)
-binder_call(netmgrd, netd)
-allow netmgrd system_net_netd_hwservice:hwservice_manager find;

common/nfc.te

@@ -1,32 +0,0 @@
-#Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Set NFC properties
-set_prop(nfc, nfc_nq_prop)
-#qmux_socket(nfc);
-#allow nfc nfc_data_file:file x_file_perms;
-allow nfc self:socket create_socket_perms_no_ioctl;

common/nqnfcinfo.te

@@ -1,39 +0,0 @@
-#Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type nqnfcinfo, domain;
-type nqnfcinfo_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(nqnfcinfo)
-
-r_dir_file(nqnfcinfo, sysfs_socinfo);
-
-set_prop(nqnfcinfo, nfc_nq_prop);
-
-# Access device nodes inside /dev/nq-nci
-allow nqnfcinfo nfc_device:chr_file rw_file_perms;

common/peripheral_manager.te

@@ -1,32 +0,0 @@
-# Policy for peripheral_manager
-# per_mgr - peripheral_manager domain
-type per_mgr, domain;
-
-type per_mgr_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(per_mgr);
-
-# Needed for binder transactions
-use_per_mgr(per_mgr)
-allow per_mgr per_mgr_service:service_manager { add };
-
-allow per_mgr self:socket create_socket_perms;
-allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
-
-
-# Needed by ipc_router
-allow per_mgr self:capability net_bind_service;
-
-# Needed to power on the peripheral
-allow per_mgr ssr_device:chr_file r_file_perms;
-
-# Needed by libmdmdetect to figure out the system configuration
-r_dir_file(per_mgr, sysfs_esoc)
-
-# Needed by libmdmdetect to get subsystem info and to check their states
-r_dir_file(per_mgr, sysfs_ssr)
-r_dir_file(per_mgr, firmware_file)
-r_dir_file(per_mgr, sysfs)
-allow per_mgr sysfs_data:file r_file_perms;
-
-# Set the peripheral state property
-set_prop(per_mgr, per_mgr_state_prop);

common/platform_app.te

@@ -1,30 +0,0 @@
-# Allow platform apps to interact with dtseagleservice
-binder_call(platform_app, dtseagleservice)
-
-# Allow platform apps to interact with fido daemon
-binder_call(platform_app, fidodaemon)
-
-# Allow platform apps to interact with secota daemon
-allow platform_app secotad_service:service_manager find;
-binder_call(platform_app, secotad)
-
-allow platform_app imsrcs_service:service_manager find;
-allow platform_app color_service:service_manager find;
-
-# Allow NFC service to be found
-allow platform_app nfc_service:service_manager find;
-
-#Allow platform apps to interact with seemp health daemon
-binder_call(platform_app, seemp_health_daemon)
-
-# Allow gba_auth_service to be found
-allow platform_app gba_auth_service:service_manager find;
-
-# Allow hbtp hal Service to be found
-hal_client_domain(platform_app, hal_hbtp)
-
-#get_prop(platform_app, bluetooth_prop)
-get_prop(platform_app, debug_gralloc_prop)
-
-#for perf-hal call
-hal_client_domain(platform_app, hal_perf)

common/port-bridge.te

@@ -1,32 +0,0 @@
-type port-bridge, domain;
-type port-bridge_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(port-bridge)
-
-userdebug_or_eng(`
-  domain_auto_trans(shell, port-bridge_exec, netmgrd)
-  #domain_auto_trans(adbd, port-bridge_exec, netmgrd)
-  diag_use(port-bridge)
-')
-
-# Allow operations on different types of sockets
-allow port-bridge port-bridge:netlink_kobject_uevent_socket { create bind read };
-
-# Allow process capabilities
-allow port-bridge port-bridge:capability dac_override;
-
-allow port-bridge {
-    # Allow operations on mhi transport
-    mhi_device
-    # Allow operations on gadget serial device
-    gadget_serial_device
-    # Allow operations on ATCoP g-link transport
-    at_device
-}:chr_file rw_file_perms;
-
-# Allow write permissions for log file
-allow port-bridge port_bridge_data_file:file create_file_perms;
-allow port-bridge port_bridge_data_file:dir w_dir_perms;
-
-#access ipa sysfs node
-allow port-bridge sysfs:file r_file_perms;
-allow port-bridge sysfs_data:file r_file_perms;

common/poweroffhandler.te

@@ -1,50 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# poweroffhandler oneshot service
-type poweroffhandler, domain;
-type poweroffhandler_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(poweroffhandler)
-#binder_use(poweroffhandler)
-binder_call(poweroffhandler, surfaceflinger)
-allow poweroffhandler gpu_device:chr_file rw_file_perms;
-# /oem access
-allow poweroffhandler oemfs:dir r_dir_perms;
-allow poweroffhandler oemfs:file r_file_perms;
-
-allow poweroffhandler audio_device:dir r_dir_perms;
-allow poweroffhandler audio_device:chr_file rw_file_perms;
-
-# For regionalization
-allow poweroffhandler persist_file:dir r_dir_perms;
-allow poweroffhandler regionalization_file:dir r_dir_perms;
-allow poweroffhandler regionalization_file:file r_file_perms;
-
-#allow poweroffhandler {surfaceflinger_service mediaserver_service}:service_manager find;
-
-binder_call(poweroffhandler, mediaserver);

common/ppp.te

@@ -1,29 +0,0 @@
-#Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-#Redistribution and use in source and binary forms, with or without
-#modification, are permitted provided that the following conditions are
-#met:
-#* Redistributions of source code must retain the above copyright
-#  notice, this list of conditions and the following disclaimer.
-#* Redistributions in binary form must reproduce the above
-#  copyright notice, this list of conditions and the following
-#  disclaimer in the documentation and/or other materials provided
-#  with the distribution.
-#* Neither the name of The Linux Foundation nor the names of its
-#  contributors may be used to endorse or promote products derived
-#  from this software without specific prior written permission.
-#
-#THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-#WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-#MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-#ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-#BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-#CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-#SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-#BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-#WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-#OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-#IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# allow VPN connection via L2TP
-allow ppp mtp:unix_stream_socket rw_socket_perms;

common/property.te

@@ -1,124 +0,0 @@
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# property for uicc_daemon
-type uicc_prop, property_type;
-type qcom_ims_prop, property_type;
-type ctl_qmuxd_prop, property_type;
-type ctl_netmgrd_prop, property_type;
-type ctl_port-bridge_prop, property_type;
-
-# property for LKCore ctl start
-type ctl_LKCore_prop, property_type;
-
-# properties for usf daemons
-type usf_prop, property_type;
-
-type freq_prop, property_type;
-type perfd_prop, property_type;
-type vm_bms_prop, property_type; #To start vm_bms
-type qti_prop, property_type;
-type ipacm_prop, property_type;
-type ipacm-diag_prop, property_type;
-type sensors_prop, property_type;
-type msm_irqbalance_prop, property_type;
-type msm_irqbl_sdm630_prop, property_type;
-type camera_prop, property_type;
-type spcomlib_prop, property_type;
-type sdm_idle_time_prop, property_type;
-type sf_lcd_density_prop, property_type;
-type scr_enabled_prop, property_type;
-type bg_daemon_prop, property_type;
-type opengles_prop, property_type;
-type mdm_helper_prop, property_type;
-type mpdecision_prop, property_type;
-type gamed_prop, property_type;
-
-#Needed for  ubwc support
-type debug_gralloc_prop, property_type;
-
-type fm_prop, property_type;
-type chgdiabled_prop, property_type;
-
-#properites for netd
-type netd_prop, property_type;
-
-type xlat_prop, property_type;
-
-# property for location
-type location_prop, property_type;
-
-#properites for init.qcom.sh script
-type rmnet_mux_prop, property_type;
-type qemu_hw_mainkeys_prop, property_type;
-type sys_usb_controller_prop, property_type;
-type sys_usb_configfs_prop, property_type;
-
-type sys_usb_tethering_prop, property_type;
-
-type coresight_prop, property_type;
-
-
-type ctl_hbtp_prop, property_type;
-type alarm_boot_prop, property_type;
-type boot_animation_prop, property_type;
-
-# DOLBY_START
-type dolby_prop, property_type;
-# DOLBY_END
-
-type wififtmd_prop, property_type;
-
-# WIGIG
-type wigig_prop, property_type;
-type fst_prop, property_type;
-type ctl_vendor_wigigsvc_prop, property_type;
-
-type alarm_handled_prop, property_type;
-type alarm_instance_prop, property_type;
-
-#HWUI property
-type hwui_prop, property_type;
-
-type graphics_vulkan_prop, property_type;
-
-#Bservice property
-type bservice_prop, property_type;
-
-#Delayed Service Reschedule property
-type reschedule_service_prop, property_type;
-
-#boot mode property
-type boot_mode_prop, property_type;
-#properties for nfc
-type nfc_nq_prop, property_type;
-type ppd_prop, property_type;
-type qemu_gles_prop, property_type;
-
-type vendor_rild_libpath_prop, property_type;
-
-#Peripheral manager
-type per_mgr_state_prop, property_type;
-
-type vendor_system_prop, property_type;

common/property_contexts

@@ -1,117 +0,0 @@
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-wc_transport.              u:object_r:bluetooth_prop:s0
-sys.usb_uicc.              u:object_r:uicc_prop:s0
-dolby.audio.               u:object_r:audio_prop:s0
-vendor.ims.                u:object_r:qcom_ims_prop:s0
-sys.ims.                   u:object_r:qcom_ims_prop:s0
-hw.fm.                     u:object_r:fm_prop:s0
-sys.usf.                   u:object_r:usf_prop:s0
-ro.qc.sdk.us.                 u:object_r:usf_prop:s0
-radio.atfwd.               u:object_r:radio_prop:s0
-ctl.qmuxd                  u:object_r:ctl_qmuxd_prop:s0
-ctl.netmgrd                u:object_r:ctl_netmgrd_prop:s0
-ctl.port-bridge            u:object_r:ctl_port-bridge_prop:s0
-ro.min_freq_0                 u:object_r:freq_prop:s0
-ro.min_freq_4                 u:object_r:freq_prop:s0
-ctl.perfd                  u:object_r:perfd_prop:s0
-ctl.gamed                  u:object_r:gamed_prop:s0
-ctl.iop                    u:object_r:perfd_prop:s0
-ctl.vm_bms                 u:object_r:vm_bms_prop:s0
-ro.qualcomm.bluetooth.        u:object_r:bluetooth_prop:s0
-ctl.ipacm                  u:object_r:ipacm_prop:s0
-ctl.ipacm-diag             u:object_r:ipacm-diag_prop:s0
-ctl.qti                    u:object_r:qti_prop:s0
-ctl.sensors                u:object_r:sensors_prop:s0
-ctl.vendor.msm_irqbalance         u:object_r:msm_irqbalance_prop:s0
-ctl.vendor.msm_irqbl_sdm630       u:object_r:msm_irqbl_sdm630_prop:s0
-ctl.msm_irqbal_lb          u:object_r:msm_irqbalance_prop:s0
-camera.                    u:object_r:camera_prop:s0
-persist.camera.            u:object_r:camera_prop:s0
-vendor.spcom.              u:object_r:spcomlib_prop:s0
-sdm.idle_time              u:object_r:sdm_idle_time_prop:s0
-ro.sf.lcd_density             u:object_r:sf_lcd_density_prop:s0
-ro.vendor.scr_enabled         u:object_r:scr_enabled_prop:s0
-vendor.bg_reset               u:object_r:bg_daemon_prop:s0
-ro.opengles.version           u:object_r:opengles_prop:s0
-ro.qualcomm.bt.hci_transport  u:object_r:bluetooth_prop:s0
-ctl.mdm_helper             u:object_r:mdm_helper_prop:s0
-ctl.mpdecision             u:object_r:mpdecision_prop:s0
-qualcomm.perf.cores_online u:object_r:mpdecision_prop:s0
-netd.fstman.               u:object_r:netd_prop:s0
-location.                  u:object_r:location_prop:s0
-qc.izat.                   u:object_r:location_prop:s0
-persist.rmnet.mux          u:object_r:rmnet_mux_prop:s0
-sys.usb.controller         u:object_r:sys_usb_controller_prop:s0
-sys.usb.configfs           u:object_r:sys_usb_configfs_prop:s0
-sys.usb.tethering          u:object_r:sys_usb_tethering_prop:s0
-qemu.hw.mainkeys           u:object_r:qemu_hw_mainkeys_prop:s0
-ro.dbg.coresight.cfg_file     u:object_r:coresight_prop:s0
-ctl.hbtp                   u:object_r:ctl_hbtp_prop:s0
-vendor.audio.sys.init             u:object_r:audio_prop:s0
-ro.alarm_boot                 u:object_r:alarm_boot_prop:s0
-debug.sf.nobootanimation   u:object_r:boot_animation_prop:s0
-debug.gralloc.             u:object_r:debug_gralloc_prop:s0
-persist.net.doxlat         u:object_r:xlat_prop:s0
-# DOLBY_START
-dolby.                     u:object_r:dolby_prop:s0
-# DOLBY_END
-wifi.ftmd.                 u:object_r:wififtmd_prop:s0
-ro.bluetooth.              u:object_r:bluetooth_prop:s0
-# WIGIG
-persist.vendor.wigig.       u:object_r:wigig_prop:s0
-vendor.wigig.               u:object_r:wigig_prop:s0
-ctl.vendor.wigig_supplicant u:object_r:ctl_vendor_wigigsvc_prop:s0
-ctl.vendor.wigig_hostapd    u:object_r:ctl_vendor_wigigsvc_prop:s0
-
-persist.vendor.fst.         u:object_r:fst_prop:s0
-ro.alarm_handled           u:object_r:alarm_handled_prop:s0
-ro.alarm_instance          u:object_r:alarm_instance_prop:s0
-#HWUI Property
-ro.hwui.texture_cache_size u:object_r:hwui_prop:s0
-#Bservice Property
-ro.vendor.qti.sys.fw.bservice_ u:object_r:bservice_prop:s0
-#Delayed Service Restart Property
-ro.vendor.qti.am.reschedule_service u:object_r:reschedule_service_prop:s0
-persist.graphics.vulkan.disable     u:object_r:graphics_vulkan_prop:s0
-#boot mode property
-sys.boot_mode              u:object_r:boot_mode_prop:s0
-# GPU
-ro.gpu.available_frequencies u:object_r:freq_prop:s0
-# NFC
-sys.nfc.nq.                u:object_r:nfc_nq_prop:s0
-ctl.ppd                    u:object_r:ppd_prop:s0
-qemu.gles                  u:object_r:qemu_gles_prop:s0
-# LKCore start
-ctl.vendor.LKCore-dbg      u:object_r:ctl_LKCore_prop:s0
-ctl.vendor.LKCore-rel      u:object_r:ctl_LKCore_prop:s0
-vendor.rild.libpath        u:object_r:vendor_rild_libpath_prop:s0
-# Peripheral Manager
-vendor.peripheral.         u:object_r:per_mgr_state_prop:s0
-
-persist.vendor.radio       u:object_r:radio_prop:s0
-vendor.radio               u:object_r:radio_prop:s0
-ro.vendor.ril.             u:object_r:radio_prop:s0
-persist.vendor.sys.        u:object_r:vendor_system_prop:s0

common/qcomsysd.te

@@ -1,32 +0,0 @@
-#Policy file for qcom-system-daemon
-#qcomsysd = qcom-system-daemon domain
-type qcomsysd, domain;
-type qcomsysd_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(qcomsysd);
-
-#Needed for logging
-allow qcomsysd smem_log_device:chr_file rw_file_perms;
-
-#Needed to read/write cookies to the misc partition
-allow qcomsysd block_device:dir r_dir_perms;
-allow qcomsysd {
-    #Needed to access the bootselect partition
-    bootselect_device
-}:blk_file rw_file_perms;
-
-#Needed to get image info from socinfo
-r_dir_file(qcomsysd, sysfs_socinfo)
-allow qcomsysd sysfs_socinfo:file w_file_perms;
-
-allow qcomsysd self:capability { dac_override sys_boot };
-use_per_mgr(qcomsysd);
-#allow qcomsysd access boot mode switch
-set_prop(qcomsysd, boot_mode_prop);
-
-#diag
-userdebug_or_eng(`
-    diag_use(qcomsysd)
-    set_prop(qcomsysd, powerctl_prop)
-    allow qcomsysd sysfs:file rw_file_perms;
-    allow qcomsysd sysfs_data:file r_file_perms;
-')

common/qdmastatsd.te

@@ -1,89 +0,0 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type qdmastatsd, domain, mlstrustedsubject;
-type qdmastatsd_exec, file_type, vendor_file_type, exec_type;
-
-init_daemon_domain(qdmastatsd)
-
-allow qdmastatsd qdma_data_file:file create_file_perms;
-allow qdmastatsd qdma_data_file:dir create_dir_perms;
-
-# access to /sys/class/power_supply/bms/charge_counter
-# access to /sys/class/power_supply/battery/capacity
-# access to /sys/class/power_supply/battery/status
-allow qdmastatsd sysfs_battery_supply:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_battery_supply:dir r_dir_perms;
-
-# /sys/class/kgsl/kgsl-3d0/gpu_busy_percentage
-# /sys/class/kgsl/kgsl-3d0/gpuclk
-# /sys/class/kgsl/kgsl-3d0/gpu_clock_stats
-# /sys/class/kgsl/kgsl-3d0/num_pwrlevels
-# /sys/class/kgsl/kgsl-3d0/gpu_available_frequencies
-allow qdmastatsd sysfs_kgsl:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_kgsl:dir r_dir_perms;
-
-# /sys/class/leds/lcd-backlight/brightness
-allow qdmastatsd sysfs_leds:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_leds:dir r_dir_perms;
-allow qdmastatsd sysfs_graphics:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_graphics:dir r_dir_perms;
-
-# access to /sys/devices/system/cpu/possible
-allow qdmastatsd sysfs_devices_system_cpu:file r_file_perms;
-allow qdmastatsd sysfs_devices_system_cpu:dir r_dir_perms;
-
-# access to /sys/module/lpm_stats/cpu%d/total_sleep_time_secs
-#allow qdmastatsd sysfs_lpm_stats:{file lnk_file} r_file_perms;
-#allow qdmastatsd sysfs_lpm_stats:dir r_dir_perms;
-
-# access to /sys/class/thermal/thermal_zone%d
-allow qdmastatsd sysfs_thermal:{file lnk_file} r_file_perms;
-allow qdmastatsd sysfs_thermal:dir r_dir_perms;
-
-# access to /sys/power/wake_lock, wake_unlock
-allow qdmastatsd sysfs_wake_lock:file r_file_perms;
-allow qdmastatsd sysfs_wake_lock:dir r_dir_perms;
-
-# access to /proc/stat
-allow qdmastatsd proc_stat:file r_file_perms;
-allow qdmastatsd proc_stat:dir r_dir_perms;
-
-# access to /proc/net/xt_qtaguid/stats
-allow qdmastatsd proc_net:file r_file_perms;
-allow qdmastatsd proc_net:dir r_dir_perms;
-
-# access to /proc/<pid>/
-r_dir_file(qdmastatsd, domain);
-
-# qmi
-qmux_socket(qdmastatsd);
-allow qdmastatsd self:socket create_socket_perms;
-allowxperm qdmastatsd self:socket ioctl msm_sock_ipc_ioctls;
-
-# for dmesg
-#read_logd(qdmastatsd);

common/qfips.te

@@ -1,7 +0,0 @@
-# add domain for qfintverify,
-#type qfips, domain;
-
-#domain_trans(init, rootfs, qfips)
-
-# Allow qfips read/write access to qce and rng devices.
-#allow qfips {qce_device rng_device}:chr_file rw_file_perms;

common/qlogd.te

@@ -1,65 +0,0 @@
-# qlogd
-type qlogd, domain;
-type qlogd_exec, exec_type, vendor_file_type, file_type;
-
-# make transition from init to its domain
-init_daemon_domain(qlogd)
-
-# need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file rw_file_perms;
-
-# need to add more capabilities for qlogd
-allow qlogd self:capability {
-    setuid
-    setgid
-    dac_override
-    dac_read_search
-    sys_admin
-    net_raw
-    net_admin
-    fowner
-    fsetid
-    kill
-    sys_module
-};
-allow qlogd self:capability2 syslog;
-allow qlogd self:packet_socket { create bind getopt setopt };
-
-# need to access system_data partitions for configration files
-allow qlogd qlogd_data_file:dir rw_dir_perms;
-allow qlogd qlogd_data_file:file create_file_perms;
-allow qlogd system_file:file x_file_perms;
-
-# need to create and listen socket
-allow qlogd qlogd_socket:sock_file create_file_perms;
-
-# need to start shell execute files
-allow qlogd vendor_shell_exec:file rx_file_perms;
-
-# need to create and write files in fuse partition
-allow qlogd fuse:dir create_dir_perms;
-allow qlogd fuse:file create_file_perms;
-
-# need to capture kmsg
-allow qlogd kernel:system syslog_mod;
-
-# need for qdss log and odl from UI
-userdebug_or_eng(`
-  allow qlogd { debugfs_tracing qdss_device }:file r_file_perms;
-  allow qlogd { qdss_device }:file r_file_perms;
-  allow qlogd sysfs:file w_file_perms;
-  r_dir_file(qlogd, storage_file)
-  r_dir_file(qlogd, mnt_user_file)
-  diag_use(qlogd)
-')
-
-# need for capture adb logs
-unix_socket_connect(qlogd, logdr, logd)
-
-# need for subsystem ramdump
-allow qlogd device:dir r_dir_perms;
-allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
-
-# need for qxdm log
-allow qlogd diag_exec:file rx_file_perms;
-wakelock_use(qlogd)

common/qmuxd.te

@@ -1,53 +0,0 @@
-type qmuxd, domain;
-type qmuxd_exec, exec_type, vendor_file_type, file_type;
-net_domain(qmuxd)
-init_daemon_domain(qmuxd)
-
-userdebug_or_eng(`
-  domain_auto_trans(shell, qmuxd_exec, qmuxd)
-  #domain_auto_trans(adbd, qmuxd_exec, qmuxd)
-')
-
-#Allow qmuxd to operate on various qmux device sockets
-#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
-
-qmux_socket(qmuxd);
-
-#Allow logging
-allow qmuxd {
-    #Allow operation in platform specific transports
-    smd_device
-    hsic_device
-    mhi_device
-    smem_log_device
-}:chr_file rw_file_perms;
-
-#Allow qmuxd to operate in platform specific transports
-allow qmuxd {
-    sysfs_smd_open_timeout
-    #Allow qmuxd to write in hsic specific transport
-    sysfs
-    sysfs_hsic_modem_wait
-}:file w_file_perms;
-
-allow qmuxd self:capability { setuid setgid setpcap dac_override };
-
-#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
-wakelock_use(qmuxd)
-
-r_dir_file(qmuxd, sysfs_esoc)
-
-r_dir_file(qmuxd, sysfs_ssr);
-
-allow qmuxd mhi_device:chr_file rw_file_perms;
-
-#Allow qmuxd to access to IPC router
-allow qmuxd smem_log_device:chr_file rw_file_perms;
-allow qmuxd qmuxd:socket create_socket_perms_no_ioctl;

common/qseecomd.te

@@ -1,86 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
-    setuid
-    setgid
-    sys_admin
-    chown
-    dac_override
-    sys_rawio
-};
-
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-
-# Need to figure out how many scsi generic devices are preset
-# before being able to identify which one is rpmb device
-allow tee device:dir r_dir_perms;
-allow tee sg_device:chr_file { rw_file_perms setattr };
-
-# Allow qseecom to qsee folder so that listeners can create
-# respective directories
-allow tee data_qsee_file:dir create_dir_perms;
-allow tee data_qsee_file:file create_file_perms;
-allow tee system_data_file:dir r_dir_perms;
-
-allow tee persist_file:dir r_dir_perms;
-r_dir_file(tee, persist_data_file)
-
-# Write to drm related pieces of persist partition
-allow tee persist_drm_file:dir create_dir_perms;
-allow tee persist_drm_file:file create_file_perms;
-
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-
-# allow tee to operate tee device
-allow tee tee_device:chr_file rw_file_perms;
-
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-
-# allow qseecom access to time domain
-allow tee time_daemon:unix_stream_socket connectto;
-
-# allow tee access for secure UI to work
-allow tee graphics_device:dir r_dir_perms;
-allow tee graphics_device:chr_file r_file_perms;
-
-#allow tee access for secure touch to work
-allow tee sysfs_securetouch:file rw_file_perms;
-
-#allow tee surfaceflinger_service : service_manager  find;
-
-binder_call(tee, surfaceflinger)
-#binder_use(tee)
-
-#allow tee system_app:unix_dgram_socket sendto;
-unix_socket_connect(tee, property, init)
-
-set_prop(tee, system_prop);
-
-
-userdebug_or_eng(`
-  allow tee su:unix_dgram_socket sendto;
-  #allow tee shell_data_file:file rw_file_perms;
-  #allow tee shell_data_file:dir search;
-')
-
-
-#allow access to qfp-daemon
-allow tee qfp-daemon_data_file:dir create_dir_perms;
-allow tee qfp-daemon_data_file:file create_file_perms;
-allow tee persist_qti_fp_file:dir create_dir_perms;
-allow tee persist_qti_fp_file:file create_file_perms;
-
-# Provide access to Q VoicePrint
-allow tee qvop-daemon_data_file:dir create_dir_perms;
-allow tee qvop-daemon_data_file:file create_file_perms;
-
-# Allow access to qsee_ipc_irq_spss device
-allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
-
-#allow access to fingerprintd data file
-allow tee fingerprintd_data_file:dir create_dir_perms;
-allow tee fingerprintd_data_file:file create_file_perms;