sepolicy: qva: Remove duplicate specification for qti.ims.ext

*Warned on boot by SELinux
04-07 04:27:33.567   561   561 W SELinux : Multiple same specifications for qti.ims.ext.

*Current Duplicate: https://github.com/LineageOS/android_device_qcom_sepolicy/blob/lineage-17.0/generic/private/service_contexts#L27

Change-Id: I81772ce4207cb6f24a6b94f6d160c1afa285dab4

Android.mk

@@ -1,23 +1,10 @@
-# Board specific SELinux policy variable definitions
-ifeq ($(call is-vendor-board-platform,QCOM),true)
-LOCAL_PATH:= $(call my-dir)
-BOARD_SEPOLICY_DIRS := \
-       $(BOARD_SEPOLICY_DIRS) \
-       $(LOCAL_PATH) \
-       $(LOCAL_PATH)/common \
-       $(LOCAL_PATH)/ssg \
-       $(LOCAL_PATH)/$(TARGET_BOARD_PLATFORM)
-
-ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
-BOARD_SEPOLICY_DIRS += \
-       $(LOCAL_PATH)/test
-endif
-
-BOARD_PLAT_PUBLIC_SEPOLICY_DIR := \
-    $(BOARD_PLAT_PUBLIC_SEPOLICY_DIR) \
-    $(LOCAL_PATH)/public
-
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR := \
-    $(BOARD_PLAT_PRIVATE_SEPOLICY_DIR) \
-    $(LOCAL_PATH)/private
-endif
+# Don't recurse into the platform makefiles. We don't care about them, and
+# we don't want to force a reset of BOARD_SEPOLICY_DIRS
+#
+# If you want to use these policies, add a
+#
+# include device/qcom/sepolicy/sepolicy.mk
+#
+# to your device's BoardConfig. It is highly recommended that in case
+# you have your own BOARD_SEPOLICY_DIRS declaration,
+# the inclusion happens _before_ those lines

apq8084/file_contexts

@@ -1,48 +0,0 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-###################################
-# Primary storage device nodes
-#
-/dev/block/platform/msm_sdcc\.1/by-name/modem                           u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/ssd                             u:object_r:ssd_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/misc                            u:object_r:misc_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/userdata                        u:object_r:userdata_block_device:s0
-/dev/block/mmcblk0                                                      u:object_r:root_block_device:s0
-/dev/block/mmcblk0rpmb                                                  u:object_r:rpmb_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs1                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs2                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefs3                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/mdm1m9kefsc                     u:object_r:efs_boot_dev:s0
-/dev/block/platform/msm_sdcc\.1/by-name/boot                            u:object_r:boot_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/system                          u:object_r:system_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/cache                           u:object_r:cache_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/recovery                        u:object_r:recovery_block_device:s0
-/dev/block/platform/msm_sdcc\.1/by-name/logdump                         u:object_r:logdump_partition:s0
-
-# qca data file for apq8084 target
-/data/misc/location/qca1530(/.*)?                                       u:object_r:qca1530_data_file:s0

apq8098_latv/file_contexts

@@ -1,118 +0,0 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-###################################
-# Dev block nodes
-
-# UFS Devices
-/dev/block/platform/soc/1da4000.ufshc/by-name/system                            u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/userdata                          u:object_r:userdata_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/boot                              u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/logdump                           u:object_r:logdump_partition:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/fsc                                u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/fsg                                u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modemst1                           u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modemst2                           u:object_r:modem_efs_partition_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/ssd                                u:object_r:ssd_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/misc                               u:object_r:misc_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/rpm                                u:object_r:rpmb_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/msadp                              u:object_r:mba_debug_dev:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/recovery                           u:object_r:recovery_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cache                              u:object_r:cache_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/frp                                u:object_r:frp_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp                               u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtpsecapp                         u:object_r:mdtp_device:s0
-
-#rawdump partition
-/dev/block/platform/soc/1da4000.ufshc/by-name/rawdump                            u:object_r:rawdump_block_device:s0
-/sys/kernel/dload/emmc_dload                                                     u:object_r:sysfs_emmc_dload:s0
-
-# A/B partitions.
-/dev/block/platform/soc/1da4000.ufshc/by-name/abl_[ab]          u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/apdp_[ab]         u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/boot_[ab]         u:object_r:boot_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cmnlib_[ab]       u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/cmnlib64_[ab]     u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/devcfg_[ab]       u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/hyp_[ab]          u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/keymaster_[ab]    u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/modem_[ab]        u:object_r:modem_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/bluetooth_[ab]    u:object_r:modem_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/msadp_[ab]        u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/pmic_[ab]         u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/rpm_[ab]          u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/system_[ab]       u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/tz_[ab]           u:object_r:custom_ab_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/vendor_[ab]       u:object_r:system_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/xbl_[ab]          u:object_r:xbl_block_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtp_[ab]         u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/mdtpsecapp_[ab]   u:object_r:mdtp_device:s0
-/dev/block/platform/soc/1da4000.ufshc/by-name/dsp_[ab]          u:object_r:custom_ab_block_device:s0
-
-# Block device holding the GPT, where the A/B attributes are stored.
-/dev/block/platform/soc/1da4000.ufshc/sd[ade]                   u:object_r:gpt_block_device:s0
-
-# Block devices for the drive that holds the xbl_a and xbl_b partitions.
-/dev/block/platform/soc/1da4000.ufshc/sd[bc]                 u:object_r:xbl_block_device:s0
-
-###################################
-# Dev socket nodes
-#
-
-###################################
-# System files
-#
-
-###################################
-# data files
-#
-
-##################################
-# non-hlos mount points
-/firmware                  u:object_r:firmware_file:s0
-/bt_firmware               u:object_r:bt_firmware_file:s0
-
-##################################
-# FBE
-/(vendor|system/vendor)/bin/init.qti.qseecomd.sh                                u:object_r:init-qti-fbe-sh_exec:s0
-
-###################################
-# sysfs files
-#
-/sys/devices/soc/75ba000.i2c/i2c-12/12-0020/input/input[0-9]/secure_touch_enable u:object_r:sysfs_securetouch:s0
-/sys/devices/virtual/graphics/fb([0-3])+/lineptr_value                           u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/msm_fb_persist_mode                     u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/enable                              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/enable_compliance                   u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/logical_addr                        u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/rd_msg                              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/cec/wr_msg                              u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/connected                               u:object_r:sysfs_graphics:s0
-/sys/devices/virtual/graphics/fb([0-3])+/pa                                      u:object_r:sysfs_graphics:s0
-###################################
-# adding same_process_hal_file
-/vendor/lib(64)?/hw/gralloc\.apq8098_latv\.so                                    u:object_r:same_process_hal_file:s0
-/vendor/lib(64)?/hw/hdmi_cec\.apq8098_latv\.so                                   u:object_r:same_process_hal_file:s0

common/adbd.te

@@ -1,8 +0,0 @@
-allow adbd tombstone_data_file:dir getattr;
-
-# allow read access for adb
-r_dir_file(adbd, RIDL_data_file)
-
-# allow read access for adb
-r_dir_file(adbd, qti_logkit_priv_data_file)
-r_dir_file(adbd, qti_logkit_pub_data_file)

common/adsprpcd.te

@@ -1,14 +0,0 @@
-# adsprpcd daemon
-type adsprpcd, domain;
-type adsprpcd_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(adsprpcd)
-
-allow adsprpcd qdsp_device:chr_file r_file_perms;
-
-# For reading dir/files on /dsp
-r_dir_file(adsprpcd, adsprpcd_file)
-
-allow adsprpcd ion_device:chr_file r_file_perms;
-allow adsprpcd system_file:dir r_dir_perms;

common/app.te

@@ -1,28 +0,0 @@
-# allow application to access cnd domain and socket
-#unix_socket_connect(appdomain, cnd, cnd)
-
-# allow application to access dpmd domain and socket
-#unix_socket_connect(appdomain, dpmwrapper, dpmd)
-
-#unix_socket_connect(appdomain, qlogd, qlogd)
-#unix_socket_send(appdomain, seempdw, seempd)
-
-#Allow all apps to open and send ioctl to qdsp device
-allow appdomain qdsp_device:chr_file r_file_perms;
-#Allow all apps to have read access to dsp partition
-r_dir_file(appdomain, adsprpcd_file)
-
-# Allow access to qti_logkit
-#allow { appdomain -untrusted_app } qti_logkit_pub_data_file:dir create_dir_perms;
-#allow { appdomain -untrusted_app } qti_logkit_pub_data_file:file create_file_perms;
-allow appdomain qti_logkit_pub_socket:dir r_dir_perms;
-#unix_socket_connect(appdomain, qti_logkit_pub, qti_logkit)
-#allow appdomain qti_logkit_pub_socket:sock_file r_file_perms;
-#allow appdomain qti_logkit_priv_data_file:dir r_dir_perms;
-allow appdomain hwui_prop:file r_file_perms;
-allow appdomain bservice_prop:file r_file_perms;
-allow appdomain reschedule_service_prop:file r_file_perms;
-allow appdomain debug_gralloc_prop:file r_file_perms;
-
-#most of apps/UI try to read this prop
-get_prop(appdomain, sf_lcd_density_prop)

common/atfwd.te

@@ -1,23 +0,0 @@
-type atfwd, domain;
-type atfwd_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(atfwd)
-
-allow atfwd self:socket create_socket_perms;
-allowxperm atfwd self:socket ioctl msm_sock_ipc_ioctls;
-
-binder_call(atfwd, system_app);
-
-r_dir_file(atfwd, sysfs_ssr);
-r_dir_file(atfwd, sysfs_esoc);
-r_dir_file(atfwd, sysfs_data);
-
-set_prop(atfwd, radio_prop)
-
-hwbinder_use(atfwd)
-get_prop(atfwd, hwservicemanager_prop)
-
-#diag
-userdebug_or_eng(`
-    diag_use(atfwd)
-')

common/audiod.te

@@ -1,9 +0,0 @@
-# audio daemon
-type audiod, domain;
-type audiod_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(audiod)
-allow audiod proc_audiod:file r_file_perms;
-allow audiod audio_device:chr_file rw_file_perms;
-#allow audiod audioserver_service:service_manager find;
-#binder_use(audiod)
-binder_call(audiod, audioserver)

common/audioserver.te

@@ -1,80 +0,0 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
-
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#    * Redistributions of source code must retain the above copyright
-#      notice, this list of conditions and the following disclaimer.
-#    * Redistributions in binary form must reproduce the above
-#      copyright notice, this list of conditions and the following
-#      disclaimer in the documentation and/or other materials provided
-#      with the distribution.
-#    * Neither the name of The Linux Foundation nor the names of its
-#      contributors may be used to endorse or promote products derived
-#      from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#debugfs access to audio
-userdebug_or_eng(`
-allow audioserver qti_debugfs:dir r_dir_perms;
-allow audioserver qti_debugfs:file rw_file_perms;
-')
-# Allow audioserver to create socket files for audio arbitration
-allow audioserver audio_data_file:sock_file { create setattr unlink };
-allow audioserver audio_data_file:dir remove_name;
-
-# Allow audioserver to read soundcard state under /proc/asound
-allow audioserver proc_audiod:file r_file_perms;
-
-# Allow audioserver to read sysfs dir and sysfs_thermal files for speaker protection
-allow audioserver sysfs_audio:dir r_dir_perms;
-allow audioserver sysfs_thermal:file r_file_perms;
-
-# Allow audioserver to access sysfs nodes
-allow audioserver sysfs_audio:file rw_file_perms;
-userdebug_or_eng(`
-  diag_use(audioserver)
-')
-
-#Rules for audioserver to talk to peripheral manager
-#use_per_mgr(audioserver);
-
-# DOLBY_START
-allow audioserver activity_service:service_manager find;
-set_prop(audioserver, dolby_prop)
-# DOLBY_END

common/bluetooth.te

@@ -1,72 +0,0 @@
-#Adding all bt related service to bt domains
-type sapd, bluetoothdomain;
-type sapd_exec, exec_type, vendor_file_type, file_type;
-
-type btsnoop, bluetoothdomain;
-type btsnoop_exec, exec_type, vendor_file_type, file_type;
-
-type bt_logger, bluetoothdomain;
-type bt_logger_exec, exec_type, vendor_file_type, file_type;
-
-type btnvtool, bluetoothdomain;
-type btnvtool_exec, exec_type, vendor_file_type, file_type;
-
-type fmhal_service, bluetoothdomain;
-type fmhal_service_exec, exec_type, vendor_file_type, file_type;
-
-allow bluetooth bluetooth_prop:property_service set;
-allow bluetooth sysfs_bluetooth_writable:file w_file_perms;
-
-#Access to /data/media
-allow bluetooth media_rw_data_file:dir create_dir_perms;
-allow bluetooth media_rw_data_file:file create_file_perms;
-#allow proc_sysrq access for crash dump
-userdebug_or_eng(`
- allow bluetooth proc_sysrq:file w_file_perms;
- allow bluetooth qti_debugfs:file r_file_perms;
-')
-
-allow bluetooth {
-    uhid_device
-    #input_device
-    serial_device
-    #BT needes read and write on smd device node
-    smd_device
-    bt_device
-}:chr_file rw_file_perms;
-
-#Access to persist_file
-allow bluetooth persist_bluetooth_file:dir rw_dir_perms;
-allow bluetooth persist_bluetooth_file:file create_file_perms;
-r_dir_file(bluetooth, persist_file)
-allow bluetooth persist_file:file w_file_perms;
-
-allow bluetooth self:socket { create write getopt read };
-
-#For bluetooth firmware
-r_dir_file(bluetooth, bt_firmware_file)
-
-#dun-server requires binding with system_app and servicemanager
-binder_use(bluetooth);
-binder_call(bluetooth, system_app);
-binder_call(bluetooth, servicemanager);
-allow bluetooth dun_service:service_manager find;
-
-#sapd requires interaction with qmux sockets
-#qmux_socket(bluetooth);
-
-# for finding wbc_service
-allow bluetooth wbc_service:service_manager find;
-
-# for fastmmi test bluetooth
-#allow bluetooth mmi:unix_stream_socket connectto;
-#connect to wcnss_filter
-#allow bluetooth wcnss_filter:unix_stream_socket connectto;
-
-# ioctlcmd=c302
-allow bluetooth self:socket ioctl;
-allowxperm bluetooth self:socket ioctl msm_sock_ipc_ioctls;
-
-#SplitA2dp bluetooth requires binding with audio hal
-binder_call(bluetooth, hal_audio);
-allow bluetooth hal_audio_hwservice:hwservice_manager find;

common/charger_monitor.te

@@ -1,17 +0,0 @@
-#integrated process
-type charger_monitor, domain;
-type charger_monitor_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(charger_monitor)
-
-#charger monitor will use uevent, visit sysfs and use the wake lock
-allow charger_monitor self:netlink_kobject_uevent_socket { read create setopt bind };
-allow charger_monitor{
-    sysfs_wake_lock
-    sysfs_battery_supply
-}:file rw_file_perms;
-
-allow charger_monitor sysfs:file w_file_perms;
-allow charger_monitor sysfs_battery_supply:dir r_dir_perms;
-r_dir_file(charger_monitor, sysfs_usb_supply)

common/dhcp.te

@@ -1 +0,0 @@
-#unix_socket_connect(dhcp, cnd, cnd)

common/diag.te

@@ -1,45 +0,0 @@
-type diag, domain;
-type diag_exec, exec_type, vendor_file_type, file_type;
-userdebug_or_eng(`
-  domain_auto_trans(shell, diag_exec, diag)
-  #domain_auto_trans(adbd, diag_exec, diag)
-  file_type_auto_trans(diag, system_data_file, diag_data_file);
-  allow diag {
-      diag_device
-      devpts
-      console_device
-      # allow access to qseecom for drmdiagapp
-      tee_device
-  }:chr_file rw_file_perms;
-  allow diag {
-      shell
-      su
-  }:fd use;
-
-  allow diag {
-      cgroup
-      fuse
-      persist_drm_file
-  }:dir create_dir_perms;
-
-  allow diag port:tcp_socket name_connect;
-  allow diag self:capability { setuid net_raw sys_admin setgid dac_override };
-  allow diag self:capability2 syslog;
-  allow diag self:tcp_socket { create connect setopt};
-  wakelock_use(diag)
-  allow diag kernel:system syslog_mod;
-  # allow drmdiagapp access to drm related paths
-  allow diag persist_file:dir r_dir_perms;
-  r_dir_file(diag, persist_data_file)
-  # Write to drm related pieces of persist partition
-  allow diag persist_drm_file:file create_file_perms;
-
-  # For DiagExample daemon
-  init_daemon_domain(diag)
-  net_domain(diag)
-
-  allow diag fuse:dir r_dir_perms;
-  allow diag fuse:file r_file_perms;
-  r_dir_file(diag, storage_file)
-  r_dir_file(diag, mnt_user_file)
-')

common/dnsmasq.te

@@ -1,2 +0,0 @@
-# allow dnsmasq access to netd fifo_file
-allow dnsmasq netd:fifo_file getattr;

common/domain.te

@@ -1,23 +0,0 @@
-r_dir_file({domain - isolated_app}, sysfs_socinfo);
-r_dir_file({domain - isolated_app}, sysfs_esoc);
-r_dir_file({domain - isolated_app}, sysfs_ssr);
-
-dontaudit domain kernel:system module_request;
-
-# Allow all domains read access to sysfs_thermal
-r_dir_file({domain - isolated_app}, sysfs_thermal);
-
-# Allow domain to read /vendor -> /system/vendor
-allow domain system_file:lnk_file getattr;
-
-allow { domain - appdomain } debug_gralloc_prop:file r_file_perms;
-
-not_full_treble(`allow domain vendor_file:dir r_dir_perms;')
-
-# Added now for smoother UI
-# Remove this after HIDL implementation
-userdebug_or_eng(`
-allow domain hal_graphics_composer:fd use;
-allow domain qti_debugfs:dir search;
-')
-dontaudit domain persist_dpm_prop:file r_file_perms;

common/dpmd.te

@@ -1,83 +0,0 @@
-#dpmd as domain
-#type dpmd, domain, mlstrustedsubject;
-#type dpmd_exec, exec_type, vendor_file_type, file_type;
-#file_type_auto_trans(dpmd, socket_device, dpmwrapper_socket);
-#init_daemon_domain(dpmd)
-#net_domain(dpmd)
-#allow dpmd {
- #   dpmd_exec
- #   system_file
-#}:file x_file_perms;
-
-#allow dpmd to access dpm_data_file
-
-#allow dpmd dpmd_data_file:file create_file_perms;
-#allow dpmd dpmd_data_file:dir create_dir_perms;
-
-allow dpmd persist_dpm_prop:file r_file_perms;
-
-allow dpmd sysfs_wake_lock:file rw_file_perms;
-
-allow dpmd sysfs_data:dir r_dir_perms;
-
-allow dpmd sysfs_data:file r_file_perms;
-
-#r_dir_file(dpmd,proc_net)
-
-#allow dpmd self:capability {
- #   setuid
-  #  setgid
-   # dac_override
-#    net_raw chown
- #   fsetid
-  #  net_admin
-   # sys_module
-#}; #Need to check on it . It was present earlier
-
-#socket, self
-allow dpmd smem_log_device:chr_file rw_file_perms;
-#wakelock_use(dpmd) # it was present earlier
-
-set_prop(dpmd, system_prop)
-set_prop(dpmd, ctl_default_prop)
-#misc.
-#allow dpmd vendor_shell_exec:file rx_file_perms;
-
-#permission to unlink dpmwrapper socket
-#allow dpmd socket_device:dir remove_name;
-
-#permission to communicate with cnd_socket for installing iptable rules
-#unix_socket_connect(dpmd, cnd, cnd);
-
-#allow dpmd to create socket
-#allow dpmd self:socket create_socket_perms_no_ioctl;
-#allow dpmd self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
-
-#allow dpmd to write to /proc/net/sys
-#allow dpmd proc_net:file write;
-
-#allow dpmd get appname and use inet socket.
-#dpmd_socket_perm(appdomain)
-#dpmd_socket_perm(system_server)
-#dpmd_socket_perm(mediaserver)
-#dpmd_socket_perm(mtp)
-#dpmd_socket_perm(wfdservice)
-#dpmd_socket_perm(drmserver)
-#dpmd_socket_perm(netd)
-
-#explicitly allow udp socket permissions for appdomain
-#allow dpmd appdomain:udp_socket rw_socket_perms;
-
-#Allow dpmd to acquire lock for iptables
-allow dpmd system_file:file lock;
-
-#Allow dpmd to connect to hal_dpmQMiMgr
-allow dpmd hal_dpmqmi_hwservice:hwservice_manager find;
-get_prop(dpmd, hwservicemanager_prop)
-binder_call(dpmd,hal_dpmQmiMgr)
-hwbinder_use(dpmd)
-
-#diag
-userdebug_or_eng(`
-    diag_use(dpmd)
-')

common/drmserver.te

@@ -1,5 +0,0 @@
-#Address denial logs for drm server accessing firmware file
-r_dir_file(drmserver, firmware_file)
-
-#Address denial logs for drm server accessing qseecom driver
-allow drmserver tee_device:chr_file rw_file_perms;

common/dtsconfigurator.te

@@ -1,8 +0,0 @@
-type dtsconfigurator, domain;
-type dtsconfigurator_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(dtsconfigurator)
-
-allow dtsconfigurator audio_device:dir r_dir_perms;
-allow dtsconfigurator audio_device:chr_file rw_file_perms;

common/dtseagleservice.te

@@ -1,22 +0,0 @@
-type dtseagleservice, domain;
-type dtseagleservice_exec, exec_type, vendor_file_type, file_type;
-
-#Allow for transition from init domain to dtseagleservice
-init_daemon_domain(dtseagleservice)
-
-#Allow dtseagleservice to use Binder IPC
-#binder_use(dtseagleservice)
-
-#Allow dtseagleservice to interact with apps
-binder_call(dtseagleservice, platform_app)
-binder_call(dtseagleservice, system_app)
-
-# Mark dtseagleservice as a Binder service domain
-#binder_service(dtseagleservice)
-
-#Allow dtseagleservice to be registered with service manager
-allow dtseagleservice dtseagleservice_service:service_manager add;
-
-#Allow access to audio drivers
-allow dtseagleservice audio_device:dir r_dir_perms;
-allow dtseagleservice audio_device:chr_file rw_file_perms;

common/energyawareness.te

@@ -1,16 +0,0 @@
-type energyawareness, domain;
-type energyawareness_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(energyawareness)
-
-#allow access to pta and uio interface
-allow energyawareness { pta_device uio_device }:chr_file rw_file_perms;
-
-allow energyawareness self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-allow energyawareness self:capability net_admin;
-
-allow energyawareness sysfs_ea:file w_file_perms;
-
-r_dir_file(energyawareness, sysfs_ea)

common/fidodaemon.te

@@ -1,27 +0,0 @@
-type fidodaemon, domain;
-type fidodaemon_exec, exec_type, vendor_file_type, file_type;
-
-#Allow for transition from init domain to fidodaemon
-init_daemon_domain(fidodaemon)
-
-#Allow fidodaemon to use Binder IPC
-#binder_use(fidodaemon)
-
-#Allow apps to interact with fidodaemon
-binder_call(fidodaemon, platform_app)
-binder_call(fidodaemon, system_app)
-
-#Mark fidodaemon as a Binder service domain
-#binder_service(fidodaemon)
-
-#Allow fidodaemon to be registered with service manager
-allow fidodaemon fidodaemon_service:service_manager add;
-
-#Allow communication with init over property server
-unix_socket_connect(fidodaemon, property, init);
-
-#Allow access to tee device
-allow fidodaemon tee_device:chr_file rw_file_perms;
-
-#Allow access to firmware
-r_dir_file(fidodaemon, firmware_file)

common/file.te

@@ -1,298 +0,0 @@
-# Default type for anything under /firmware.
-type firmware_file, fs_type, contextmount_type;
-
-#Define the qmux socket type
-type qmuxd_socket, file_type;
-
-#Define the netmgrd socket type
-type netmgrd_socket, file_type;
-
-#Define the pps socket type
-type pps_socket, file_type;
-
-# Define cnd socket and data file type
-type cnd_socket, file_type, mlstrustedobject;
-type cnd_data_file, file_type, data_file_type;
-
-# Define dpmd data file type
-#type dpmd_socket, file_type;
-#type dpmwrapper_socket, file_type, mlstrustedobject;
-#type dpmd_data_file, file_type, data_file_type;
-#typealias system_app_data_file alias dpmd_app_data_file;
-#typealias system_app_data_file alias qtitetherservice_app_data_file;
-
-#Define the timeout for platform specific transports
-type sysfs_hsic_modem_wait, sysfs_type, fs_type;
-type sysfs_smd_open_timeout, sysfs_type, fs_type;
-
-#Define the files written during the operation of netmgrd and qmuxd
-type netmgrd_data_file, file_type, data_file_type;
-type data_test_data_file, file_type, data_file_type;
-type sysrq_trigger_proc, fs_type, mlstrustedobject;
-# Persist file types
-type persist_file, file_type;
-type persist_bluetooth_file, file_type;
-type persist_data_file, file_type;
-type persist_drm_file, file_type;
-type data_qtee_file, file_type, data_file_type;
-type data_qsee_file, file_type, data_file_type;
-type persist_misc_file, file_type;
-type persist_bms_file, file_type;
-type persist_secnvm_file, file_type;
-
-type diag_data_file, file_type, data_file_type;
-
-#file type for restricting proc read by audiod
-type proc_audiod, fs_type;
-
-#file type for irqbalance socket
-type msm_irqbalance_socket, file_type;
-
-# Sensor file types
-type sensors_socket, file_type;
-type sensors_data_file, file_type, data_file_type;
-type sensors_persist_file, file_type;
-type sysfs_sensors, sysfs_type, fs_type;
-
-#type for thermal-engine
-type thermal_socket, file_type;
-#type for uart
-type sysfs_msmuart_file, sysfs_type, fs_type;
-
-# Storage RFS file types
-type rfs_file, file_type, data_file_type;
-type rfs_system_file, file_type;
-type rfs_shared_hlos_file, file_type, data_file_type;
-
-#mm-pp-daemon file type for sysfs access
-#type sysfs_leds, fs_type, sysfs_type;
-
-#Define the files written during the operation of mm-pp-daemon
-type data_ad_calib_cfg, file_type, data_file_type;
-
-#SurfaceFlinger file type for sysfs access
-type sysfs_graphics, sysfs_type, fs_type;
-
-# USB/battery power supply type for hvdcp/quickcharge
-type sysfs_usb_supply, sysfs_type, fs_type;
-type sysfs_battery_supply, sysfs_type, fs_type;
-type sysfs_usbpd_device, sysfs_type, fs_type;
-# sysfs vadc device for hvdcp/quickcharge
-type sysfs_vadc_dev, sysfs_type, fs_type;
-# sysfs spmi device for hvdcp/quickcharge
-type sysfs_spmi_dev, sysfs_type, fs_type;
-
-#Define the files written during the operation of mpdecision
-type sysfs_mpdecision, fs_type, sysfs_type;
-type sysfs_rqstats, fs_type, sysfs_type;
-type sysfs_cpu_online, fs_type, sysfs_type;
-type mpctl_socket, file_type, mlstrustedobject;
-type mpctl_data_file, file_type, data_file_type;
-
-#Define the files used by lm
-type lm_data_file, file_type, data_file_type;
-
-type sysfs_devfreq, fs_type, sysfs_type;
-type sysfs_mmc_host, fs_type, sysfs_type;
-type sysfs_scsi_host, fs_type, sysfs_type;
-type sysfs_cpu_boost, fs_type, sysfs_type;
-type sysfs_msm_perf, fs_type, sysfs_type;
-type sysfs_memory, fs_type, sysfs_type;
-type sysfs_lib, fs_type, sysfs_type;
-
-#define the files writer during the operation of app state changes
-type gamed_socket, file_type;
-
-#define the files writter during the operatio of iop
-type iop_socket, file_type;
-type iop_data_file, file_type, data_file_type;
-
-# SPSS Apps images location
-type spss_data_file, file_type, data_file_type;
-
-#mm-qcamera-daemon socket
-type camera_socket, file_type, data_file_type;
-
-#Socket node needed by ims_data daemon
-type ims_socket, file_type;
-
-#mink-lowi-interface-daemon (mlid) socket
-type mlid_socket, file_type, mlstrustedobject;
-
-#ssg qmi gateway daemon socket
-type ssgqmig_socket, file_type, mlstrustedobject;
-
-#ssg tz daemon socket
-type ssgtzd_socket, file_type, mlstrustedobject;
-
-#location file types
-type location_data_file, file_type, data_file_type;
-type location_socket, file_type, data_file_type;
-type location_app_data_file, file_type, data_file_type;
-
-#File types required by mdm-helper
-type sysfs_esoc, sysfs_type, fs_type;
-type sysfs_ssr,  sysfs_type, fs_type;
-type sysfs_ssr_toggle,  sysfs_type, file_type;
-type sysfs_hsic, sysfs_type, fs_type;
-type sysfs_hsic_host_rdy, sysfs_type, file_type;
-
-# Files accessed by qcom-system-daemon
-type sysfs_socinfo, fs_type, sysfs_type;
-
-#Define the sysfs files for usb_uicc_daemon
-type sysfs_usb_uicc, sysfs_type, fs_type;
-
-type qlogd_socket, file_type, mlstrustedobject;
-type qlogd_data_file, file_type, data_file_type;
-#Defines the files (configs, dumps, etc) used by display processes
-type display_misc_file, file_type, data_file_type;
-
-#Define the files for the operation of QDCM
-type persist_display_file, file_type;
-
-# IPA file types
-type ipacm_socket, file_type;
-type ipacm_data_file, file_type, data_file_type;
-
-# Port-bridge file types
-type port_bridge_data_file, file_type, data_file_type;
-
-type fm_data_file, file_type, data_file_type;
-
-#Define the files written during the operation of mmi
-type mmi_data_file, file_type, data_file_type;
-
-#bluetooth firmware file types
-type bt_firmware_file, fs_type, contextmount_type;
-
-#needed by vold
-type  proc_dirty_ratio, fs_type;
-
-#File types by mmi
-type mmi_socket, file_type;
-
-# hbtp config file
-type hbtp_cfg_file, file_type;
-type hbtp_log_file, file_type, data_file_type;
-type hbtp_kernel_sysfs, file_type, sysfs_type;
-
-#Define the files written during the operation of usf
-type usf_data_file, file_type, data_file_type;
-type persist_usf_file, file_type;
-
-#qfp-daemon
-type qfp-daemon_data_file, file_type, data_file_type;
-type persist_qti_fp_file, file_type;
-
-# dts notifier files
-type dts_data_file, file_type, data_file_type;
-
-#qsee_svc_app file types
-type qsee_svc_app_data_file, file_type, data_file_type;
-
-# imshelper_app file types
-type imshelper_app_data_file, file_type, data_file_type;
-
-# RIDL data files
-type RIDL_data_file, file_type, data_file_type;
-type RIDL_socket, file_type, data_file_type;
-
-# qti_logkit data files (privileged and public)
-type qti_logkit_priv_data_file, file_type, data_file_type;
-type qti_logkit_pub_data_file, file_type, data_file_type;
-type qti_logkit_priv_socket, file_type, data_file_type;
-type qti_logkit_pub_socket, file_type, mlstrustedobject, data_file_type;
-
-# used for /dsp files
-type adsprpcd_file, file_type, mlstrustedobject;
-
-# audio pp notifier files
-type audio_pp_data_file, file_type, data_file_type;
-
-#mdtp_svc_app file types
-type mdtp_svc_app_data_file, file_type, data_file_type;
-
-# subsystem_ramdump files
-type ssr_ramdump_data_file, file_type, data_file_type;
-
-# Regionalization files
-type regionalization_file, file_type;
-
-# /data/system/swap/swapfile - swapfile
-type swap_data_file, file_type, data_file_type;
-
-# dynamic nv files
-type dynamic_nv_data_file, file_type, data_file_type;
-
-# Wifi Data file
-type wifi_vendor_data_file, file_type, data_file_type;
-type wifi_vendor_wpa_socket, file_type, data_file_type;
-type wifi_vendor_hostapd_socket, file_type, data_file_type;
-
-# wififtmd socket file
-type wififtmd_socket, file_type;
-
-type persist_alarm_file, file_type;
-
-type persist_time_file, file_type;
-
-# kgsl file type for sysfs access
-type sysfs_kgsl, sysfs_type, fs_type;
-
-# secure touch files
-type sysfs_securetouch, fs_type, sysfs_type;
-
-#data sysfs  files
-type sysfs_data, fs_type, sysfs_type;
-
-#diag sysfs files
-type sysfs_diag, fs_type, sysfs_type;
-
-#laser sysfs files
-type sysfs_laser, fs_type, sysfs_type;
-
-# QDMA data files
-type qdma_data_file, file_type, data_file_type;
-type qdma_app_data_file, file_type, data_file_type;
-
-# path to debugfs use this whic should be only used
-# in debug builds
-type qti_debugfs, fs_type, debugfs_type;
-
-# vendor radio files
-type vendor_radio_data_file, file_type, data_file_type;
-
-#irq balance sysfs type
-type sysfs_irqbalance , sysfs_type, fs_type;
-
-# vpp files
-type vpp_data_file, file_type, data_file_type;
-type persist_vpp_file, file_type;
-# vendor camera files
-type vendor_camera_data_file, file_type, data_file_type;
-
-# wigig, fstman
-type sysfs_bond0, fs_type, sysfs_type;
-type sysfs_wigig, fs_type, sysfs_type;
-
-# wigig_hostapd
-type wigig_hostapd_socket, file_type, data_file_type;
-
-# ea sysfs files
-type sysfs_ea, fs_type, sysfs_type;
-
-#audio sysfs files
-type sysfs_audio, fs_type, sysfs_type;
-
-# lpm sysfs files
-type sysfs_msm_stats, fs_type, sysfs_type;
-type sysfs_msm_power, fs_type, sysfs_type;
-
-# Data type for QVOP
-type qvop-daemon_data_file, file_type, data_file_type;
-
-type sysfs_fm, sysfs_type, fs_type;
-
-# for adsp to load /sys/kernel/b ot_adsp/boot
-type sysfs_boot_adsp, sysfs_type, fs_type;

common/genfs_contexts

@@ -1,7 +0,0 @@
-genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
-genfscon proc /sys/vm/dirty_ratio  u:object_r:proc_dirty_ratio:s0
-genfscon sysfs /module/msm_performance/workload_modes u:object_r:sysfs_msm_perf:s0
-genfscon sysfs /devices/soc/soc:qcom,cpubw/devfreq/soc:qcom,cpubw/bw_hwmon u:object_r:sysfs_devfreq:s0
-genfscon debugfs /kgsl/proc u:object_r:qti_debugfs:s0
-genfscon sysfs /kernel/wcd_cpe0 u:object_r:sysfs_audio:s0
-genfscon sysfs /devices/virtual/thermal u:object_r:sysfs_thermal:s0

common/hbtp.te

@@ -1,52 +0,0 @@
-# Policies for hbtp (host based touch processing)
-type hbtp, domain;
-type hbtp_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(hbtp)
-hal_server_domain(hbtp, hal_hbtp)
-# Allow access for /dev/hbtp_input and /dev/jdi-bu21150
-allow hbtp { hbtp_device qdsp_device dsp_device bu21150_device }:chr_file rw_file_perms;
-
-allow hbtp hbtp_log_file:dir rw_dir_perms;
-allow hbtp hbtp_log_file:file create_file_perms;
-
-allow hbtp hbtp_cfg_file:dir r_dir_perms;
-allow hbtp hbtp_cfg_file:file r_file_perms;
-
-allow hbtp firmware_file:dir r_dir_perms;
-allow hbtp firmware_file:file r_file_perms;
-
-allow hbtp sysfs_usb_supply:file r_file_perms;
-allow hbtp sysfs_usb_supply:dir r_dir_perms;
-
-allow hbtp hbtp_kernel_sysfs:file rw_file_perms;
-
-allow hbtp sysfs_graphics:file r_file_perms;
-allow hbtp sysfs_graphics:dir r_dir_perms;
-
-allow hbtp sysfs_battery_supply:file r_file_perms;
-allow hbtp sysfs_battery_supply:dir r_dir_perms;
-
-allow hbtp ion_device:chr_file r_file_perms;
-
-allow hbtp self:netlink_kobject_uevent_socket { create read setopt bind };
-
-# Allow the service to access wakelock sysfs
-allow hbtp sysfs_wake_lock:file r_file_perms;
-
-# Allow the service to change to system from root
-allow hbtp self:capability { setgid setuid };
-
-# Allow load touch driver as touchPD
-r_dir_file(hbtp, adsprpcd_file)
-
-# Allow the service to access wakelock capability
-wakelock_use(hbtp)
-
-# Allow hwbinder call from hal client to server and vice-versa
-binder_call(hal_hbtp_client, hal_hbtp_server)
-binder_call(hal_hbtp_server, hal_hbtp_client)
-
-# Allow hwservice related rules
-add_hwservice(hal_hbtp_server, hal_hbtp_hwservice)
-allow hal_hbtp_client hal_hbtp_hwservice:hwservice_manager find;
-hal_client_domain(hbtp, hal_allocator);

common/healthd.te

@@ -1,14 +0,0 @@
-r_dir_file(healthd, sysfs_battery_supply)
-r_dir_file(healthd, sysfs_usb_supply)
-r_dir_file(healthd, sysfs_thermal);
-r_dir_file(healthd, persist_file);
-
-#allow healthd read rtc device file
-allow healthd rtc_device:chr_file r_file_perms;
-allow healthd persist_bms_file:dir rw_dir_perms;
-allow healthd persist_bms_file:file create_file_perms;
-
-allow healthd {
-    sysfs_battery_supply
-    sysfs_usb_supply
-}:file rw_file_perms;

common/hvdcp.te

@@ -1,41 +0,0 @@
-# HVDVP quickcharge
-type hvdcp, domain;
-type hvdcp_exec, exec_type, vendor_file_type, file_type;
-
-# Make transition to its own HVDCP domain from init
-init_daemon_domain(hvdcp)
-
-# Add rules for access permissions
-allow hvdcp hvdcp_device:chr_file rw_file_perms;
-allow hvdcp {
-    sysfs_battery_supply
-    sysfs_usb_supply
-    sysfs_usbpd_device
-    sysfs_vadc_dev
-    sysfs_spmi_dev
-}:dir r_dir_perms;
-
-allow hvdcp {
-    sysfs_battery_supply
-    sysfs_usb_supply
-    sysfs_usbpd_device
-    sysfs_vadc_dev
-    sysfs_spmi_dev
-}:file rw_file_perms;
-
-allow hvdcp {
-    sysfs_battery_supply
-    sysfs_usb_supply
-    sysfs_vadc_dev
-    sysfs_spmi_dev
-}:lnk_file r_file_perms;
-
-allow hvdcp self:capability { setgid setuid };
-allow hvdcp self:capability2 wake_alarm;
-allow hvdcp kmsg_device:chr_file rw_file_perms;
-allow hvdcp cgroup:dir { create add_name };
-allow hvdcp self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-allow hvdcp sysfs_battery_supply:file setattr;
-allow hvdcp sysfs_usb_supply:file setattr;
-allow hvdcp sysfs_usbpd_device:file setattr;
-wakelock_use(hvdcp)

common/ims.te

@@ -1,70 +0,0 @@
-#integrated sensor process
-type ims, domain;
-type ims_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(ims)
-net_domain(ims)
-
-# Talk to qmuxd
-qmux_socket(ims)
-
-allow ims self:capability net_bind_service;
-
-# Use generic netlink socket
-allow ims self:{
-    netlink_socket
-    socket
-    netlink_generic_socket
-} create_socket_perms_no_ioctl;
-
-# To run NDC command
-allow ims {
-    vendor_shell_exec
-    system_file
-    # IMS route installation
-    wcnss_service_exec
-    # for WPA supplicant comment to remove compilation issue
-    #wpa_exec
-}:file rx_file_perms;
-
-# Talk to netd via netd_socket
-unix_socket_connect(ims, netd, netd)
-
-# Talk to qumuxd via ims_socket
-unix_socket_connect(ims, ims, qmuxd)
-
-set_prop(ims, qcom_ims_prop)
-
-# permissions needed for IMS to connect and interact with WPA supplicant
-# comment to remove compilation
-#unix_socket_send(ims, wpa, wpa)
-allow ims wpa_socket:dir w_dir_perms;
-allow ims wpa_socket:sock_file { create unlink setattr };
-allow ims wifi_data_file:dir r_dir_perms;
-
-# permissions for communication with CNE in LBO use case
-unix_socket_connect(ims, cnd, cnd)
-
-#Allow access to netmgrd socket
-netmgr_socket(ims);
-
-# Inherit and use open files from radio.
-allow ims radio:fd use;
-
-#diag
-userdebug_or_eng(`
-    diag_use(ims)
-')
-allow ims self:{ socket udp_socket } ioctl;
-# ioctlcmd=c302
-allowxperm ims self:socket ioctl msm_sock_ipc_ioctls;
-# ioctlcmd=89fd
-allowxperm ims self:udp_socket ioctl priv_sock_ioctls;
-allow ims sysfs:file r_file_perms;
-allow ims sysfs_data:file r_file_perms;
-hwbinder_use(ims)
-get_prop(ims, hwservicemanager_prop)
-get_prop(ims, qcom_ims_prop)
-allow ims hal_cne_hwservice:hwservice_manager find;
-binder_call(ims, cnd)

common/init.te

@@ -1,54 +0,0 @@
-# Adding allow rule for search on /fuse
-allow init fuse:dir { search mounton };
-allow init self:capability sys_module;
-allow init {
-    adsprpcd_file
-    cache_file
-    persist_file
-    storage_file
-}:dir mounton;
-allow init kmsg_device:chr_file write;
-
-#Allow triggering IPA FWs loading
-allow init ipa_dev:chr_file write;
-
-#For insmod to search module key for signature verification
-allow init kernel:key search;
-
-#For sdcard
-allow init tmpfs:lnk_file create_file_perms;
-
-#Certain domains needs LD_PRELOAD passed from init
-#allow it for most domain. Do not honor LD_PRELOAD
-#for lmkd
-#allow init { domain -lmkd }:process noatsecure;
-
-#For configfs file permission
-allow init configfs:dir r_dir_perms;
-allow init configfs:file { rw_file_perms link };
-allow init configfs:lnk_file create_file_perms;
-
-#Allow init to mount non-hlos partitions in A/B builds
-allow init firmware_file:dir { mounton };
-allow init bt_firmware_file:dir { mounton };
-
-allow init sysfs_boot_adsp:file write;
-
-#dontaudit non configfs usb denials
-dontaudit init sysfs:dir write;
-
-#load /vendor/lib/modules/qca_cld3/qca_cld3_wlan.ko
-#load /vendor/lib/modules/wil6210.ko
-allow init vendor_file:system module_load;
-
-#Needed for restorecon. Init already has these permissions
-#for generic block devices, but is unable to access those
-#which have a custom lable added by us.
-allow init {
-    custom_ab_block_device
-    boot_block_device
-    xbl_block_device
-    ssd_device
-    modem_block_device
-    mdtp_device
-}:{ blk_file lnk_file } relabelto;

common/installd.te

@@ -1,3 +0,0 @@
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :dir { create_dir_perms relabelfrom relabelto };
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :lnk_file { create_file_perms relabelfrom relabelto };
-allow installd { imshelper_app_data_file location_app_data_file qsee_svc_app_data_file mdtp_svc_app_data_file qdma_app_data_file} :{ file fifo_file } { getattr unlink rename relabelfrom relabelto setattr };

common/ipacm.te

@@ -1,38 +0,0 @@
-# General definitions
-type ipacm, domain;
-type ipacm-diag, domain;
-type ipacm_exec, exec_type, vendor_file_type, file_type;
-type ipacm-diag_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(ipacm)
-init_daemon_domain(ipacm-diag)
-
-# associate netdomain to use for accessing internet sockets
-net_domain(ipacm)
-
-userdebug_or_eng(`
-  # Allow using the logging file between ipacm and ipacm-diag
-  unix_socket_send(ipacm, ipacm, ipacm-diag)
-  diag_use(ipacm-diag)
-')
-
-# Allow operations with /dev/ipa, /dev/wwan_ioctl and /dev/ipaNatTable
-allow ipacm ipa_dev:chr_file rw_file_perms;
-
-# Allow receiving NETLINK messages
-allow ipacm ipacm:{
-    netlink_route_socket
-    netlink_socket
-    # Allow querying the network stack via IOCTLs
-    udp_socket
-    netlink_generic_socket
-} create_socket_perms_no_ioctl;
-
-# Allow creating and modifying the PID file
-allow ipacm ipacm_data_file:dir w_dir_perms;
-allow ipacm ipacm_data_file:file create_file_perms;
-
-# To register ipacm to hwbinder
-add_hwservice(ipacm, hal_ipacm_hwservice)
-hwbinder_use(ipacm)
-get_prop(ipacm, hwservicemanager_prop)
-binder_call(ipacm, system_server)

common/irsc_util.te

@@ -1,12 +0,0 @@
-type irsc_util, domain;
-type irsc_util_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(irsc_util)
-
-userdebug_or_eng(`
-  #domain_auto_trans(vendor_shell, irsc_util_exec, irsc_util)
-  #domain_auto_trans(adbd, irsc_util_exec, irsc_util)
-')
-
-allow irsc_util irsc_util:socket { create ioctl };
-allowxperm irsc_util self:socket ioctl msm_sock_ipc_ioctls;
-allow irsc_util devpts:chr_file rw_file_perms;

common/kernel.te

@@ -1,14 +0,0 @@
-allow kernel block_device:blk_file rw_file_perms;
-
-userdebug_or_eng(`
- #allow kernel self:capability { dac_read_search dac_override };
-  allow kernel self:socket create_socket_perms_no_ioctl;
-  r_dir_file(kernel, qti_debugfs);
-')
-
-# Access firmware_file
-r_dir_file(kernel, firmware_file)
-
-# Allow kernel to schedule process to different cpuset
-# when the current cpu is hotplugged out
-allow kernel domain:process setsched;

common/keystore.te

@@ -1,2 +0,0 @@
-# Allow keystore to operate using qseecom_device
-allow keystore tee_device:chr_file rw_file_perms;

common/location.te

@@ -1,85 +0,0 @@
-# location - Location daemon
-type location, domain;
-type location_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(location)
-net_domain(location)
-
-# Socket is created by the daemon, not by init, and under /data/gps,
-# not under /dev/socket.
-type_transition location location_data_file:sock_file location_socket;
-
-qmux_socket(location)
-#binder_use(location)
-binder_call(location, system_server)
-wakelock_use(location)
-
-allow location location_data_file:dir create_dir_perms;
-allow location location_data_file:{ file fifo_file } create_file_perms;
-allow location location_data_file:sock_file write;
-allow location location_exec:file x_file_perms;
-allow location location_socket:sock_file create_file_perms;
-allow location self:capability { setuid setgid net_admin net_bind_service };
-allow location self:{
-    socket
-    netlink_socket
-    netlink_generic_socket
-} create_socket_perms_no_ioctl;
-
-unix_socket_connect(location, sensors, sensors)
-allow location sensors_device:chr_file r_file_perms;
-allow location sensors_socket:sock_file rw_file_perms;
-allow location vendor_shell_exec:file rx_file_perms;
-
-#allow location system_server:unix_stream_socket { read write connectto};
-
-# For interfacing with the device sensorservice
-# permission check for slim daemon
-#allow location { sensorservice_service permission_service }:service_manager find;
-
-hwbinder_use(location)
-get_prop(location, hwservicemanager_prop)
-
-allow location fwk_sensor_hwservice:hwservice_manager find;
-
-allow location sensors_persist_file:dir r_dir_perms;
-allow location sensors_persist_file:file r_file_perms;
-
-#wifi
-userdebug_or_eng(`
-allow location wifi_data_file:dir create_dir_perms;
-#allow location wifi_data_file:sock_file create_file_perms;
-allow location su:unix_dgram_socket sendto;
-')
-# comment to remove compilation issue
-#unix_socket_send(wpa, location, location)
-#allow location wpa:unix_dgram_socket sendto;
-allow location wpa_socket:dir rw_dir_perms;
-allow location wpa_socket:sock_file create_file_perms;
-
-allow location rfs_shared_hlos_file:dir r_dir_perms;
-allow location rfs_shared_hlos_file:file rw_file_perms;
-
-dontaudit location domain:dir r_dir_perms;
-r_dir_file(location, netmgrd)
-allow location persist_file:dir r_dir_perms;
-
-#Allow access to netmgrd socket
-netmgr_socket(location);
-
-#Allow access to properties
-set_prop(location, location_prop);
-
-#diag
-userdebug_or_eng(`
-    diag_use(location)
-')
-allow location sysfs:file r_file_perms;
-allow location sysfs_data:file r_file_perms;
-allow location self:socket ioctl;
-# ioctlcmd=c304
-allowxperm location self:socket ioctl msm_sock_ipc_ioctls;
-allow location self:udp_socket ioctl;
-allow location wifi_prop:file r_file_perms;
-# Replace this with macro
-allowxperm location self:udp_socket ioctl priv_sock_ioctls;

common/location_app.te

@@ -1,33 +0,0 @@
-type location_app, domain;
-app_domain(location_app)
-binder_use(location_app)
-hal_client_domain(location_app, hal_gnss)
-
-qmux_socket(location_app)
-
-net_domain(location_app)
-
-#Permissions for JDWP
-userdebug_or_eng(`
-  allow location_app { adbd su }:unix_stream_socket connectto;
-  allow location_app mediaserver_service:service_manager find;
-  allow location_app audioserver_service:service_manager find;
-  diag_use(location_app)
-')
-
-allow location_app surfaceflinger_service:service_manager find;
-allow location_app location_app_data_file:dir create_dir_perms;
-allow location_app location_app_data_file:file create_file_perms ;
-allow location_app location_data_file:dir rw_dir_perms;
-allow location_app location_data_file:sock_file create_file_perms;
-allow location_app self:socket create_socket_perms;
-#allow location_app system_app_data_file:dir r_dir_perms;
-allow location_app anr_data_file:dir rw_dir_perms;
-allow location_app anr_data_file:file rw_file_perms;
-allow location_app { app_api_service activity_service }:service_manager find;
-# ioctlcmd=c302
-allowxperm location_app self:socket ioctl msm_sock_ipc_ioctls;
-allow location_app sysfs:file r_file_perms;
-allow location_app sysfs_data:file r_file_perms;
-get_prop(location_app, debug_gralloc_prop)
-unix_socket_connect(location_app, dpmtcm, dpmd)

common/logd.te

@@ -1 +0,0 @@
-r_dir_file(logd, location_app)

common/mcStarter.te

@@ -1,10 +0,0 @@
-# mobicore daemon
-type mcStarter, domain;
-type mcStarter_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mcStarter)
-
-# Allow Mobicore to use qseecom services for loading the app
-allow mcStarter tee_device:chr_file rw_file_perms;
-
-# Allow Mobicore to access the firmware files
-r_dir_file(mcStarter, firmware_file)

common/mdm_helper.te

@@ -1,54 +0,0 @@
-#Policy for mdm_helper
-#mdm_helper - mdm_helper domain
-type mdm_helper, domain;
-type mdm_helper_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(mdm_helper);
-
-#block_suspend capability is needed by kickstart(ks)
-wakelock_use(mdm_helper)
-
-#Needed to power on the peripheral
-allow mdm_helper ssr_device:chr_file r_file_perms;
-
-#Needed to access the esoc device to control the mdm
-allow mdm_helper esoc_device:dir r_dir_perms;
-allow mdm_helper esoc_device:chr_file rw_file_perms;
-
-#Needed to detect presence of hsic bridge and to xfer images
-allow mdm_helper ksbridgehsic_device:chr_file rw_file_perms;
-
-#Needed to detect efs sync and for kickstart to run the efs sync server
-allow mdm_helper efsbridgehsic_device:chr_file rw_file_perms;
-
-#Needed for communication with the HSIC driver
-r_dir_file(mdm_helper, sysfs_hsic)
-allow mdm_helper sysfs_hsic:file w_file_perms;
-
-#Needed by libmdmdetect to figure out the system configuration
-r_dir_file(mdm_helper, sysfs_esoc)
-
-#Needed by libmdmdetect to get system information regarding subsystems and to check their states
-r_dir_file(mdm_helper, sysfs_ssr)
-
-#Needed in order to run kickstart
-allow mdm_helper shell:fd use;
-allow mdm_helper vendor_shell_exec:file rx_file_perms;
-allow mdm_helper { system_file mdm_helper_exec }:file x_file_perms;
-
-#Needed by ks in order to access the efs sync partitions.
-allow mdm_helper block_device:dir rw_dir_perms;
-allow mdm_helper efs_boot_dev:blk_file rw_file_perms;
-
-#Needed to inform the hsic driver that mdm has booted up
-allow mdm_helper sysfs:file w_file_perms;
-
-#Needed in order to access the firmware partition
-r_dir_file(mdm_helper, firmware_file)
-
-#Needed in order to collect ramdumps
-allow mdm_helper tombstone_data_file:dir create_dir_perms;
-allow mdm_helper tombstone_data_file:file create_file_perms;
-
-#Needed to allow boot over PCIe
-allow mdm_helper bhi_device:chr_file rw_file_perms;
-allow mdm_helper mhi_device:chr_file rw_file_perms;

common/mdtp.te

@@ -1,92 +0,0 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-type mdtpdaemon, domain;
-type mdtpdaemon_exec, exec_type, vendor_file_type, file_type;
-
-allow mdtpdaemon self:capability {
-    setuid
-    setgid
-};
-
-userdebug_or_eng(`
-    #Needed for kill(pid, 0) existance test
-    allow mdtpdaemon su:process signull;
-    allow mdtpdaemon self:capability kill;
-    diag_use(mdtpdaemon)
-')
-
-#Allow for transition from init domain to mdtpdaemon
-init_daemon_domain(mdtpdaemon)
-
-#Allow mdtpdaemon to use Binder IPC
-#binder_use(mdtpdaemon)
-
-#Mark mdtpdaemon as a Binder service domain
-#binder_service(mdtpdaemon)
-
-#Allow mdtpdaemon to be registered with service manager
-#allow mdtpdaemon mdtpdaemon_service:service_manager { add find };
-
-#Allow apps to interact with mdtpdaemon
-binder_call(mdtpdaemon, platform_app)
-
-#Allow access to firmware
-r_dir_file(mdtpdaemon, firmware_file)
-
-#Allow access to qsee directories
-allow mdtpdaemon data_qsee_file:dir create_dir_perms;
-allow mdtpdaemon data_qsee_file:file create_file_perms;
-
-#Allow access to qsee fifos
-allow mdtpdaemon data_qsee_file:fifo_file create_file_perms;
-
-#Allow access to tee device
-allow mdtpdaemon tee_device:chr_file rw_file_perms;
-
-# Provide access to block devices
-allow mdtpdaemon block_device:dir r_dir_perms;
-allow mdtpdaemon mdtp_device:blk_file rw_file_perms;
-allow mdtpdaemon system_block_device:blk_file r_file_perms;
-
-# Provide access to QTI Crypto driver for MDTP
-# allow mdtpdaemon qce_device:chr_file rw_file_perms;
-
-# Provide read access to all /system files for MDTP file-to-block-mapping
-r_dir_file(mdtpdaemon, exec_type)
-r_dir_file(mdtpdaemon, system_file)
-
-# Provide mdtpd ability to access QMUXD/IPCRouter for QMI
-qmux_socket(mdtpdaemon);
-allow mdtpdaemon self:socket create_socket_perms;
-allowxperm mdtpdaemon self:socket ioctl msm_sock_ipc_ioctls;
-
-# Provide tee ability to run executables in rootfs for MDTP
-allow mdtpdaemon rootfs:file x_file_perms;
-allow mdtpdaemon ion_device:chr_file r_file_perms;
-allow mdtpdaemon sysfs:file r_file_perms;
-allow mdtpdaemon sysfs_data:file r_file_perms;

common/mediacodec.te

@@ -1,80 +0,0 @@
-#copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-#
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-#mediacodec need intraction with audio device nodes
-allow mediacodec audio_device:chr_file rw_file_perms;
-
-#allow mediacodec to access adsprpcd
-r_dir_file(mediacodec, adsprpcd_file);
-r_dir_file(mediacodec, firmware_file);
-
-#Allow mediacodec to access proc_net files
-allow mediacodec proc_net:file r_file_perms;
-
-allow mediacodec system_file:dir r_dir_perms;
-allow mediacodec qdsp_device:chr_file r_file_perms;
-
-#Allow mediacodec to access service manager wfdnativemm_service
-allow mediacodec wfdnativemm_service:service_manager find;
-hal_client_domain(mediacodec, wifidisplayhalservice)
-
-allow mediacodec media_data_file:dir create_dir_perms;
-allow mediacodec media_data_file:file create_file_perms;
-
-# DOLBY_START
-#allow mediacodec audioserver_service:service_manager find;
-set_prop(mediacodec, dolby_prop)
-# DOLBY_END
-allow mediacodec debug_gralloc_prop:file r_file_perms;
-vndbinder_use(mediacodec);
-hwbinder_use(mediacodec);
-hal_client_domain(mediacodec, hal_vpp)
-hal_client_domain(mediacodec, hal_perf)

common/mediaserver.te

@@ -1,66 +0,0 @@
-# allow mediaserver to communicate with cnd
-#unix_socket_connect(mediaserver, cnd, cnd)
-
-#unix_socket_send(mediaserver, camera, mm-qcamerad)
-
-allow mediaserver tee_device:chr_file rw_file_perms;
-allow mediaserver qdsp_device:chr_file r_file_perms;
-
-allow mediaserver self:socket create_socket_perms_no_ioctl;
-
-binder_call(mediaserver, rild)
-
-#qmux_socket(mediaserver)
-allow mediaserver camera_data_file:sock_file w_file_perms;
-
-userdebug_or_eng(`
-  allow mediaserver camera_data_file:dir rw_dir_perms;
-  allow mediaserver camera_data_file:file create_file_perms;
-  # Access to audio
-  allow mediaserver qti_debugfs:file rw_file_perms;
-')
-
-r_dir_file(mediaserver, sysfs_esoc)
-#allow mediaserver system_app_data_file:file rw_file_perms;
-
-# allow mediaserver to write DTS files
-allow mediaserver dts_data_file:dir rw_dir_perms;
-allow mediaserver dts_data_file:file create_file_perms;
-
-# allow poweroffhandler to binder mediaserver
-binder_call(mediaserver, poweroffhandler);
-
-
-# for thermal sock files
-#unix_socket_connect(mediaserver, thermal, thermal-engine)
-
-#This is required for thermal sysfs access
-r_dir_file(mediaserver, sysfs_thermal);
-
-#allow mediaserver to communicate with timedaemon
-#allow mediaserver time_daemon:unix_stream_socket connectto;
-
-# Allow mediaserver to create socket files for audio arbitration
-allow mediaserver audio_data_file:sock_file { create setattr unlink };
-allow mediaserver audio_data_file:dir remove_name;
-
-# Allow mediaserver to create audio pp files
-allow mediaserver audio_pp_data_file:dir rw_dir_perms;
-allow mediaserver audio_pp_data_file:file create_file_perms;
-
-#Allow mediaserver to set camera  properties
-allow mediaserver camera_prop:property_service set;
-
-#Allow mediaserver access mmi_data_file
-allow mediaserver mmi_data_file:file r_file_perms;
-
-#allow mediaserver to access wfdservice
-binder_call(mediaserver, wfdservice)
-
-#allow mediaserver to access adsprpcd
-r_dir_file(mediaserver, adsprpcd_file);
-
-# allow mediaserver to communicate with bootanim
-binder_call(mediaserver, bootanim);
-
-allow mediaserver surfaceflinger:unix_stream_socket rw_socket_perms;

common/mmi.te

@@ -1,143 +0,0 @@
-#integrated process
-type mmi, domain;
-type mmi_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(mmi)
-
-#self capability
-allow mmi self:socket create_socket_perms_no_ioctl;
-allow mmi self:{ netlink_socket netlink_generic_socket } create_socket_perms_no_ioctl;
-allow mmi self:udp_socket create_socket_perms_no_ioctl;
-allow mmi self:capability { sys_nice dac_override setuid setgid fowner chown fsetid kill net_admin sys_module net_raw};
-allow mmi self:capability2 wake_alarm;
-
-#For various devices
-allow mmi sysfs:file w_file_perms;
-allow mmi graphics_device:dir r_dir_perms;
-allow mmi graphics_device:chr_file rw_file_perms;
-allow mmi input_device:chr_file r_file_perms;
-allow mmi input_device:dir r_dir_perms;
-allow mmi nfc_device:chr_file rw_file_perms;
-allow mmi vendor_shell_exec:file rx_file_perms;
-wakelock_use(mmi)
-
-#FTM_AP folder permissions
-file_type_auto_trans(mmi, cache_file, mmi_data_file);
-allow mmi mmi_data_file:dir rw_dir_perms;
-allow mmi mmi_data_file:file create_file_perms;
-
-#socket
-allow mmi socket_device:dir w_dir_perms;
-
-#allow mmi set system prop,sensor need write persist
-set_prop(mmi, powerctl_prop)
-allow mmi persist_file:dir r_dir_perms;
-allow mmi sensors_persist_file:dir create_dir_perms;
-allow mmi sensors_persist_file:file create_file_perms;
-
-#wifi case
-allow mmi system_file:file x_file_perms;
-#allow mmi wpa_exec:file rx_file_perms;
-allow mmi wcnss_service_exec:file rx_file_perms;
-allow mmi kernel:key search;
-allow mmi kernel:system module_request;
-allow mmi vendor_toolbox_exec:file rx_file_perms;
-allow mmi system_file:system module_load;
-
-#audio case
-allow mmi audio_device:dir r_dir_perms;
-allow mmi audio_device:chr_file rw_file_perms;
-
-#FM case
-allow mmi fm_radio_device:chr_file r_file_perms;
-allow mmi fm_data_file:file r_file_perms;
-set_prop(mmi, fm_prop)
-set_prop(mmi, ctl_default_prop)
-#bluetooth case
-allow mmi bluetooth_data_file:dir rw_dir_perms;
-allow mmi bluetooth_data_file:file create_file_perms;
-set_prop(mmi, bluetooth_prop)
-allow mmi smd_device:chr_file rw_file_perms;
-allow mmi persist_bluetooth_file:file r_file_perms;
-allow mmi wcnss_filter:unix_stream_socket connectto;
-
-#GPS case
-allow mmi location_data_file:fifo_file create_file_perms;
-allow mmi location_data_file:dir create_dir_perms;
-allow mmi location_data_file:file create_file_perms;
-allow mmi mmi_socket:sock_file create_file_perms;
-type_transition mmi socket_device:sock_file mmi_socket;
-allow mmi location_exec:file rx_file_perms;
-allow mmi smem_log_device:chr_file rw_file_perms;
-allow mmi ssr_device:chr_file r_file_perms;
-
-#SD card case
-allow mmi sd_device:blk_file rw_file_perms;
-allow mmi block_device:blk_file getattr;
-allow mmi block_device:dir r_dir_perms;
-
-#camera
-allow mmi video_device:chr_file rw_file_perms;
-allow mmi camera_data_file:sock_file write;
-allow mmi camera_data_file:dir r_dir_perms;
-allow mmi mm-qcamerad:unix_dgram_socket sendto;
-
-#nfc case
-allow mmi nfc_data_file:dir rw_dir_perms;
-allow mmi nfc_data_file:file create_file_perms;
-
-#simcard
-qmux_socket(mmi);
-
-#allow mmi access chgdiabled prop
-set_prop(mmi, chgdiabled_prop)
-#Allow mmi operate on surfaceflinger
-allow mmi surfaceflinger:fd use;
-#allow mmi surfaceflinger_service:service_manager find;
-
-#Allow mmi operate on graphics
-hal_client_domain(mmi, hal_graphics_allocator);
-
-#Allow mmi operate on hwservicemanager
-hwbinder_use(hwservicemanager);
-get_prop(mmi, hwservicemanager_prop);
-
-#Allow mmi operate ion_device
-allow mmi ion_device:chr_file r_file_perms;
-
-#Allow mmi operate on graphics
-hal_client_domain(mmi, hal_graphics_allocator);
-
-#Allow mmi operate on hwservicemanager
-hwbinder_use(hwservicemanager);
-get_prop(mmi, hwservicemanager_prop);
-
-#Allow mmi operate ion_device
-allow mmi ion_device:chr_file r_file_perms;
-
-#Allow mmi to use IPC
-#binder_use(mmi)
-binder_call(mmi,surfaceflinger)
-
-#sensor cases
-unix_socket_connect(mmi, sensors, sensors);
-allow mmi sensors_device:chr_file r_file_perms;
-
-#logcat
-#domain_auto_trans(mmi, logcat_exec, logd);
-
-#access kmsg device for logging
-allow mmi kmsg_device:chr_file rw_file_perms;
-
-#mmi test
-unix_socket_connect(mmi, cnd, cnd);
-unix_socket_connect(mmi, netmgrd, netmgrd);
-net_domain(mmi);
-
-#allow mmi access boot mode switch
-set_prop(mmi, boot_mode_prop)
-#diag
-userdebug_or_eng(`
-    diag_use(mmi)
-')

common/mpdecision.te

@@ -1,44 +0,0 @@
-type mpdecision, domain, mlstrustedsubject;
-type mpdecision_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(mpdecision)
-
-allow mpdecision {
-    sysfs_mpdecision
-    sysfs_devices_system_cpu
-    sysfs_cpu_online
-}:file rw_file_perms;
-
-#Allow mpdecision set cpu affinity
-allow mpdecision kernel:process setsched;
-
-#Allow writes to /dev/cpu_dma_latency
-allow mpdecision self: {
-    netlink_kobject_uevent_socket
-    socket
-} create_socket_perms_no_ioctl;
-
-allow mpdecision device_latency:chr_file w_file_perms;
-
-r_dir_file(mpdecision, sysfs_rqstats)
-allow mpdecision sysfs_rqstats:file w_file_perms;
-r_dir_file(mpdecision, sysfs_thermal)
-allow mpdecision sysfs_thermal:file write;
-
-#policies for mpctl
-#mpctl socket
-allow mpdecision self:capability { net_admin chown dac_override fsetid sys_nice };
-allow mpdecision mpctl_socket:dir rw_dir_perms;
-allow mpdecision mpctl_socket:sock_file create_file_perms;
-
-allow mpdecision sysfs:file w_file_perms;
-
-#default_values file
-allow mpdecision mpctl_data_file:dir rw_dir_perms;
-allow mpdecision mpctl_data_file:file create_file_perms;
-
-#allow poll of system_server status
-r_dir_file(mpdecision, system_server)
-
-#mpdecision set properties
-set_prop(mpdecision, mpdecision_prop)

common/msm_irqbalanced.te

@@ -1,16 +0,0 @@
-type msm_irqbalanced, domain;
-type msm_irqbalanced_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(msm_irqbalanced)
-
-allow msm_irqbalanced cgroup:dir { create add_name };
-allow msm_irqbalanced { proc sysfs_devices_system_cpu }:file w_file_perms;
-allow msm_irqbalanced self:capability { setuid setgid dac_override };
-r_dir_file(msm_irqbalanced, sysfs_rqstats);
-
-# access smp_affinity
-allow msm_irqbalanced proc:file r_file_perms;
-allow msm_irqbalanced proc_interrupts:file r_file_perms;
-allow msm_irqbalanced proc_stat:file r_file_perms;
-# irq_blacklist_on
-allow msm_irqbalanced sysfs_irqbalance:file r_file_perms;

common/net.te

@@ -1,5 +0,0 @@
-# allow netdomain access to cnd
-#unix_socket_connect(netdomain, cnd, cnd)
-
-# allow netdomain access to dpmd
-#unix_socket_connect(netdomain, dpmwrapper, dpmd)

common/netd.te

@@ -1,33 +0,0 @@
-#Policies for IPv6 tethering
-allow netd netd:capability { setgid setuid };
-dontaudit netd self:capability sys_module;
-binder_use(netd);
-allow netd qtitetherservice_service:service_manager find;
-
-allow netd netd:packet_socket create_socket_perms_no_ioctl;
-
-#unix_socket_connect(netd, cnd, cnd)
-
-allow netd wfdservice:fd use;
-#allow netd wfdservice:tcp_socket rw_socket_perms;
-hal_client_domain(netd, wifidisplayhalservice);
-
-# allow to read /data/misc/ipa/tether_stats file
-allow netd ipacm_data_file:dir r_dir_perms;
-allow netd ipacm_data_file:file r_file_perms;
-
-#allow netd to use privileged sock ioctls
-allowxperm netd self: { unix_stream_socket } ioctl priv_sock_ioctls;
-
-# needed for netd to start FST Manager via system property
-allow netd netd_prop:property_service set;
-
-allow netd self:capability fsetid;
-#allow netd hostapd:unix_dgram_socket sendto;
-
-# Allow netd to chmod dir /data/misc/dhcp
-allow netd dhcp_data_file:dir create_dir_perms;
-
-type_transition netd wifi_data_file:dir wpa_socket "sockets";
-allow netd wpa_socket:dir create_dir_perms;
-#allow netd wpa_socket:sock_file create_file_perms;

common/peripheral_manager.te

@@ -1,32 +0,0 @@
-# Policy for peripheral_manager
-# per_mgr - peripheral_manager domain
-type per_mgr, domain;
-
-type per_mgr_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(per_mgr);
-
-# Needed for binder transactions
-use_per_mgr(per_mgr)
-allow per_mgr per_mgr_service:service_manager { add };
-
-allow per_mgr self:socket create_socket_perms;
-allowxperm per_mgr self:socket ioctl msm_sock_ipc_ioctls;
-
-
-# Needed by ipc_router
-allow per_mgr self:capability net_bind_service;
-
-# Needed to power on the peripheral
-allow per_mgr ssr_device:chr_file r_file_perms;
-
-# Needed by libmdmdetect to figure out the system configuration
-r_dir_file(per_mgr, sysfs_esoc)
-
-# Needed by libmdmdetect to get subsystem info and to check their states
-r_dir_file(per_mgr, sysfs_ssr)
-r_dir_file(per_mgr, firmware_file)
-r_dir_file(per_mgr, sysfs)
-allow per_mgr sysfs_data:file r_file_perms;
-
-# Set the peripheral state property
-set_prop(per_mgr, per_mgr_state_prop);

common/platform_app.te

@@ -1,29 +0,0 @@
-# Allow platform apps to interact with dtseagleservice
-binder_call(platform_app, dtseagleservice)
-
-# Allow platform apps to interact with fido daemon
-binder_call(platform_app, fidodaemon)
-
-# Allow platform apps to interact with secota daemon
-allow platform_app secotad_service:service_manager find;
-binder_call(platform_app, secotad)
-
-allow platform_app imsrcs_service:service_manager find;
-
-# Allow NFC service to be found
-allow platform_app nfc_service:service_manager find;
-
-#Allow platform apps to interact with seemp health daemon
-binder_call(platform_app, seemp_health_daemon)
-
-# Allow gba_auth_service to be found
-allow platform_app gba_auth_service:service_manager find;
-
-# Allow hbtp hal Service to be found
-hal_client_domain(platform_app, hal_hbtp)
-
-#get_prop(platform_app, bluetooth_prop)
-get_prop(platform_app, debug_gralloc_prop)
-
-#for perf-hal call
-hal_client_domain(platform_app, hal_perf)

common/port-bridge.te

@@ -1,32 +0,0 @@
-type port-bridge, domain;
-type port-bridge_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(port-bridge)
-
-userdebug_or_eng(`
-  domain_auto_trans(shell, port-bridge_exec, netmgrd)
-  #domain_auto_trans(adbd, port-bridge_exec, netmgrd)
-  diag_use(port-bridge)
-')
-
-# Allow operations on different types of sockets
-allow port-bridge port-bridge:netlink_kobject_uevent_socket { create bind read };
-
-# Allow process capabilities
-allow port-bridge port-bridge:capability dac_override;
-
-allow port-bridge {
-    # Allow operations on mhi transport
-    mhi_device
-    # Allow operations on gadget serial device
-    gadget_serial_device
-    # Allow operations on ATCoP g-link transport
-    at_device
-}:chr_file rw_file_perms;
-
-# Allow write permissions for log file
-allow port-bridge port_bridge_data_file:file create_file_perms;
-allow port-bridge port_bridge_data_file:dir w_dir_perms;
-
-#access ipa sysfs node
-allow port-bridge sysfs:file r_file_perms;
-allow port-bridge sysfs_data:file r_file_perms;

common/property.te

@@ -1,125 +0,0 @@
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# property for uicc_daemon
-type uicc_prop, property_type;
-type qcom_ims_prop, property_type;
-type ctl_qmuxd_prop, property_type;
-type ctl_netmgrd_prop, property_type;
-type ctl_port-bridge_prop, property_type;
-
-# property for LKCore ctl start
-type ctl_LKCore_prop, property_type;
-
-# properties for usf daemons
-type usf_prop, property_type;
-
-type freq_prop, property_type;
-type perfd_prop, property_type;
-type vm_bms_prop, property_type; #To start vm_bms
-type qti_prop, property_type;
-type ipacm_prop, property_type;
-type ipacm-diag_prop, property_type;
-type sensors_prop, property_type;
-type msm_irqbalance_prop, property_type;
-type msm_irqbl_sdm630_prop, property_type;
-type camera_prop, property_type;
-type spcomlib_prop, property_type;
-type sdm_idle_time_prop, property_type;
-type sf_lcd_density_prop, property_type;
-type scr_enabled_prop, property_type;
-type bg_daemon_prop, property_type;
-type bg_boot_complete_prop, property_type;
-type opengles_prop, property_type;
-type mdm_helper_prop, property_type;
-type mpdecision_prop, property_type;
-type gamed_prop, property_type;
-
-#Needed for  ubwc support
-type debug_gralloc_prop, property_type;
-
-type fm_prop, property_type;
-type chgdiabled_prop, property_type;
-
-#properites for netd
-type netd_prop, property_type;
-
-type xlat_prop, property_type;
-
-# property for location
-type location_prop, property_type;
-
-#properites for init.qcom.sh script
-type rmnet_mux_prop, property_type;
-type qemu_hw_mainkeys_prop, property_type;
-type sys_usb_controller_prop, property_type;
-type sys_usb_configfs_prop, property_type;
-
-type sys_usb_tethering_prop, property_type;
-
-type coresight_prop, property_type;
-
-
-type ctl_hbtp_prop, property_type;
-type alarm_boot_prop, property_type;
-type boot_animation_prop, property_type;
-
-# DOLBY_START
-type dolby_prop, property_type;
-# DOLBY_END
-
-type wififtmd_prop, property_type;
-
-# WIGIG
-type wigig_prop, property_type;
-type fst_prop, property_type;
-type ctl_vendor_wigigsvc_prop, property_type;
-
-type alarm_handled_prop, property_type;
-type alarm_instance_prop, property_type;
-
-#HWUI property
-type hwui_prop, property_type;
-
-type graphics_vulkan_prop, property_type;
-
-#Bservice property
-type bservice_prop, property_type;
-
-#Delayed Service Reschedule property
-type reschedule_service_prop, property_type;
-
-#boot mode property
-type boot_mode_prop, property_type;
-#properties for nfc
-type nfc_nq_prop, property_type;
-type ppd_prop, property_type;
-type qemu_gles_prop, property_type;
-
-type vendor_rild_libpath_prop, property_type;
-
-#Peripheral manager
-type per_mgr_state_prop, property_type;
-
-type vendor_system_prop, property_type;

common/property_contexts

@@ -1,118 +0,0 @@
-# Copyright (c) 2015-2016 Dolby Laboratories, Inc. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-wc_transport.              u:object_r:bluetooth_prop:s0
-sys.usb_uicc.              u:object_r:uicc_prop:s0
-dolby.audio.               u:object_r:audio_prop:s0
-vendor.ims.                u:object_r:qcom_ims_prop:s0
-sys.ims.                   u:object_r:qcom_ims_prop:s0
-hw.fm.                     u:object_r:fm_prop:s0
-sys.usf.                   u:object_r:usf_prop:s0
-ro.qc.sdk.us.                 u:object_r:usf_prop:s0
-radio.atfwd.               u:object_r:radio_prop:s0
-ctl.qmuxd                  u:object_r:ctl_qmuxd_prop:s0
-ctl.netmgrd                u:object_r:ctl_netmgrd_prop:s0
-ctl.port-bridge            u:object_r:ctl_port-bridge_prop:s0
-ro.min_freq_0                 u:object_r:freq_prop:s0
-ro.min_freq_4                 u:object_r:freq_prop:s0
-ctl.perfd                  u:object_r:perfd_prop:s0
-ctl.gamed                  u:object_r:gamed_prop:s0
-ctl.iop                    u:object_r:perfd_prop:s0
-ctl.vm_bms                 u:object_r:vm_bms_prop:s0
-ro.qualcomm.bluetooth.        u:object_r:bluetooth_prop:s0
-ctl.ipacm                  u:object_r:ipacm_prop:s0
-ctl.ipacm-diag             u:object_r:ipacm-diag_prop:s0
-ctl.qti                    u:object_r:qti_prop:s0
-ctl.sensors                u:object_r:sensors_prop:s0
-ctl.vendor.msm_irqbalance         u:object_r:msm_irqbalance_prop:s0
-ctl.vendor.msm_irqbl_sdm630       u:object_r:msm_irqbl_sdm630_prop:s0
-ctl.msm_irqbal_lb          u:object_r:msm_irqbalance_prop:s0
-camera.                    u:object_r:camera_prop:s0
-persist.camera.            u:object_r:camera_prop:s0
-vendor.spcom.              u:object_r:spcomlib_prop:s0
-sdm.idle_time              u:object_r:sdm_idle_time_prop:s0
-ro.sf.lcd_density             u:object_r:sf_lcd_density_prop:s0
-ro.vendor.scr_enabled         u:object_r:scr_enabled_prop:s0
-vendor.bg_reset               u:object_r:bg_daemon_prop:s0
-vendor.bg.boot_complete       u:object_r:bg_boot_complete_prop:s0
-ro.opengles.version           u:object_r:opengles_prop:s0
-ro.qualcomm.bt.hci_transport  u:object_r:bluetooth_prop:s0
-ctl.mdm_helper             u:object_r:mdm_helper_prop:s0
-ctl.mpdecision             u:object_r:mpdecision_prop:s0
-qualcomm.perf.cores_online u:object_r:mpdecision_prop:s0
-netd.fstman.               u:object_r:netd_prop:s0
-location.                  u:object_r:location_prop:s0
-qc.izat.                   u:object_r:location_prop:s0
-persist.rmnet.mux          u:object_r:rmnet_mux_prop:s0
-sys.usb.controller         u:object_r:sys_usb_controller_prop:s0
-sys.usb.configfs           u:object_r:sys_usb_configfs_prop:s0
-sys.usb.tethering          u:object_r:sys_usb_tethering_prop:s0
-qemu.hw.mainkeys           u:object_r:qemu_hw_mainkeys_prop:s0
-ro.dbg.coresight.cfg_file     u:object_r:coresight_prop:s0
-ctl.hbtp                   u:object_r:ctl_hbtp_prop:s0
-vendor.audio.sys.init             u:object_r:audio_prop:s0
-ro.alarm_boot                 u:object_r:alarm_boot_prop:s0
-debug.sf.nobootanimation   u:object_r:boot_animation_prop:s0
-debug.gralloc.             u:object_r:debug_gralloc_prop:s0
-persist.net.doxlat         u:object_r:xlat_prop:s0
-# DOLBY_START
-dolby.                     u:object_r:dolby_prop:s0
-# DOLBY_END
-wifi.ftmd.                 u:object_r:wififtmd_prop:s0
-ro.bluetooth.              u:object_r:bluetooth_prop:s0
-# WIGIG
-persist.vendor.wigig.       u:object_r:wigig_prop:s0
-vendor.wigig.               u:object_r:wigig_prop:s0
-ctl.vendor.wigig_supplicant u:object_r:ctl_vendor_wigigsvc_prop:s0
-ctl.vendor.wigig_hostapd    u:object_r:ctl_vendor_wigigsvc_prop:s0
-
-persist.vendor.fst.         u:object_r:fst_prop:s0
-ro.alarm_handled           u:object_r:alarm_handled_prop:s0
-ro.alarm_instance          u:object_r:alarm_instance_prop:s0
-#HWUI Property
-ro.hwui.texture_cache_size u:object_r:hwui_prop:s0
-#Bservice Property
-ro.vendor.qti.sys.fw.bservice_ u:object_r:bservice_prop:s0
-#Delayed Service Restart Property
-ro.vendor.qti.am.reschedule_service u:object_r:reschedule_service_prop:s0
-persist.graphics.vulkan.disable     u:object_r:graphics_vulkan_prop:s0
-#boot mode property
-sys.boot_mode              u:object_r:boot_mode_prop:s0
-# GPU
-ro.gpu.available_frequencies u:object_r:freq_prop:s0
-# NFC
-sys.nfc.nq.                u:object_r:nfc_nq_prop:s0
-ctl.ppd                    u:object_r:ppd_prop:s0
-qemu.gles                  u:object_r:qemu_gles_prop:s0
-# LKCore start
-ctl.vendor.LKCore-dbg      u:object_r:ctl_LKCore_prop:s0
-ctl.vendor.LKCore-rel      u:object_r:ctl_LKCore_prop:s0
-vendor.rild.libpath        u:object_r:vendor_rild_libpath_prop:s0
-# Peripheral Manager
-vendor.peripheral.         u:object_r:per_mgr_state_prop:s0
-
-persist.vendor.radio       u:object_r:radio_prop:s0
-vendor.radio               u:object_r:radio_prop:s0
-ro.vendor.ril.             u:object_r:radio_prop:s0
-persist.vendor.sys.        u:object_r:vendor_system_prop:s0

common/qcomsysd.te

@@ -1,32 +0,0 @@
-#Policy file for qcom-system-daemon
-#qcomsysd = qcom-system-daemon domain
-type qcomsysd, domain;
-type qcomsysd_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(qcomsysd);
-
-#Needed for logging
-allow qcomsysd smem_log_device:chr_file rw_file_perms;
-
-#Needed to read/write cookies to the misc partition
-allow qcomsysd block_device:dir r_dir_perms;
-allow qcomsysd {
-    #Needed to access the bootselect partition
-    bootselect_device
-}:blk_file rw_file_perms;
-
-#Needed to get image info from socinfo
-r_dir_file(qcomsysd, sysfs_socinfo)
-allow qcomsysd sysfs_socinfo:file w_file_perms;
-
-allow qcomsysd self:capability { dac_override sys_boot };
-use_per_mgr(qcomsysd);
-#allow qcomsysd access boot mode switch
-set_prop(qcomsysd, boot_mode_prop);
-
-#diag
-userdebug_or_eng(`
-    diag_use(qcomsysd)
-    set_prop(qcomsysd, powerctl_prop)
-    allow qcomsysd sysfs:file rw_file_perms;
-    allow qcomsysd sysfs_data:file r_file_perms;
-')

common/qfips.te

@@ -1,7 +0,0 @@
-# add domain for qfintverify,
-#type qfips, domain;
-
-#domain_trans(init, rootfs, qfips)
-
-# Allow qfips read/write access to qce and rng devices.
-#allow qfips {qce_device rng_device}:chr_file rw_file_perms;

common/qlogd.te

@@ -1,65 +0,0 @@
-# qlogd
-type qlogd, domain;
-type qlogd_exec, exec_type, vendor_file_type, file_type;
-
-# make transition from init to its domain
-init_daemon_domain(qlogd)
-
-# need to access sharemem log device for smem logs
-allow qlogd smem_log_device:chr_file rw_file_perms;
-
-# need to add more capabilities for qlogd
-allow qlogd self:capability {
-    setuid
-    setgid
-    dac_override
-    dac_read_search
-    sys_admin
-    net_raw
-    net_admin
-    fowner
-    fsetid
-    kill
-    sys_module
-};
-allow qlogd self:capability2 syslog;
-allow qlogd self:packet_socket { create bind getopt setopt };
-
-# need to access system_data partitions for configration files
-allow qlogd qlogd_data_file:dir rw_dir_perms;
-allow qlogd qlogd_data_file:file create_file_perms;
-allow qlogd system_file:file x_file_perms;
-
-# need to create and listen socket
-allow qlogd qlogd_socket:sock_file create_file_perms;
-
-# need to start shell execute files
-allow qlogd vendor_shell_exec:file rx_file_perms;
-
-# need to create and write files in fuse partition
-allow qlogd fuse:dir create_dir_perms;
-allow qlogd fuse:file create_file_perms;
-
-# need to capture kmsg
-allow qlogd kernel:system syslog_mod;
-
-# need for qdss log and odl from UI
-userdebug_or_eng(`
-  allow qlogd { debugfs_tracing qdss_device }:file r_file_perms;
-  allow qlogd { qdss_device }:file r_file_perms;
-  allow qlogd sysfs:file w_file_perms;
-  r_dir_file(qlogd, storage_file)
-  r_dir_file(qlogd, mnt_user_file)
-  diag_use(qlogd)
-')
-
-# need for capture adb logs
-unix_socket_connect(qlogd, logdr, logd)
-
-# need for subsystem ramdump
-allow qlogd device:dir r_dir_perms;
-allow qlogd ramdump_device:chr_file { setattr rw_file_perms };
-
-# need for qxdm log
-allow qlogd diag_exec:file rx_file_perms;
-wakelock_use(qlogd)

common/qmuxd.te

@@ -1,53 +0,0 @@
-type qmuxd, domain;
-type qmuxd_exec, exec_type, vendor_file_type, file_type;
-net_domain(qmuxd)
-init_daemon_domain(qmuxd)
-
-userdebug_or_eng(`
-  domain_auto_trans(shell, qmuxd_exec, qmuxd)
-  #domain_auto_trans(adbd, qmuxd_exec, qmuxd)
-')
-
-#Allow qmuxd to operate on various qmux device sockets
-#allow qmuxd qmux_radio_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_radio_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_audio_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_audio_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_gps_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_gps_socket:sock_file { create setattr getattr write unlink };
-#allow qmuxd qmux_bluetooth_socket:dir { write add_name remove_name search };
-#allow qmuxd qmux_bluetooth_socket:sock_file { create setattr getattr write unlink };
-
-qmux_socket(qmuxd);
-
-#Allow logging
-allow qmuxd {
-    #Allow operation in platform specific transports
-    smd_device
-    hsic_device
-    mhi_device
-    smem_log_device
-}:chr_file rw_file_perms;
-
-#Allow qmuxd to operate in platform specific transports
-allow qmuxd {
-    sysfs_smd_open_timeout
-    #Allow qmuxd to write in hsic specific transport
-    sysfs
-    sysfs_hsic_modem_wait
-}:file w_file_perms;
-
-allow qmuxd self:capability { setuid setgid setpcap dac_override };
-
-#Allow qmuxd to have the CAP_BLOCK_SUSPEND capability
-wakelock_use(qmuxd)
-
-r_dir_file(qmuxd, sysfs_esoc)
-
-r_dir_file(qmuxd, sysfs_ssr);
-
-allow qmuxd mhi_device:chr_file rw_file_perms;
-
-#Allow qmuxd to access to IPC router
-allow qmuxd smem_log_device:chr_file rw_file_perms;
-allow qmuxd qmuxd:socket create_socket_perms_no_ioctl;

common/qseecomd.te

@@ -1,86 +0,0 @@
-# tee starts as root, and drops privileges
-allow tee self:capability {
-    setuid
-    setgid
-    sys_admin
-    chown
-    dac_override
-    sys_rawio
-};
-
-# Need to directly manipulate certain block devices
-# for anti-rollback protection
-allow tee block_device:dir r_dir_perms;
-allow tee rpmb_device:blk_file rw_file_perms;
-
-# Need to figure out how many scsi generic devices are preset
-# before being able to identify which one is rpmb device
-allow tee device:dir r_dir_perms;
-allow tee sg_device:chr_file { rw_file_perms setattr };
-
-# Allow qseecom to qsee folder so that listeners can create
-# respective directories
-allow tee data_qsee_file:dir create_dir_perms;
-allow tee data_qsee_file:file create_file_perms;
-allow tee system_data_file:dir r_dir_perms;
-
-allow tee persist_file:dir r_dir_perms;
-r_dir_file(tee, persist_data_file)
-
-# Write to drm related pieces of persist partition
-allow tee persist_drm_file:dir create_dir_perms;
-allow tee persist_drm_file:file create_file_perms;
-
-# Provide tee access to ssd partition for HW FDE
-allow tee ssd_device:blk_file rw_file_perms;
-
-# allow tee to operate tee device
-allow tee tee_device:chr_file rw_file_perms;
-
-# allow tee to load firmware images
-r_dir_file(tee, firmware_file)
-
-# allow qseecom access to time domain
-allow tee time_daemon:unix_stream_socket connectto;
-
-# allow tee access for secure UI to work
-allow tee graphics_device:dir r_dir_perms;
-allow tee graphics_device:chr_file r_file_perms;
-
-#allow tee access for secure touch to work
-allow tee sysfs_securetouch:file rw_file_perms;
-
-#allow tee surfaceflinger_service : service_manager  find;
-
-binder_call(tee, surfaceflinger)
-#binder_use(tee)
-
-#allow tee system_app:unix_dgram_socket sendto;
-unix_socket_connect(tee, property, init)
-
-set_prop(tee, system_prop);
-
-
-userdebug_or_eng(`
-  allow tee su:unix_dgram_socket sendto;
-  #allow tee shell_data_file:file rw_file_perms;
-  #allow tee shell_data_file:dir search;
-')
-
-
-#allow access to qfp-daemon
-allow tee qfp-daemon_data_file:dir create_dir_perms;
-allow tee qfp-daemon_data_file:file create_file_perms;
-allow tee persist_qti_fp_file:dir create_dir_perms;
-allow tee persist_qti_fp_file:file create_file_perms;
-
-# Provide access to Q VoicePrint
-allow tee qvop-daemon_data_file:dir create_dir_perms;
-allow tee qvop-daemon_data_file:file create_file_perms;
-
-# Allow access to qsee_ipc_irq_spss device
-allow tee qsee_ipc_irq_spss_device:chr_file rw_file_perms;
-
-#allow access to fingerprintd data file
-allow tee fingerprintd_data_file:dir create_dir_perms;
-allow tee fingerprintd_data_file:file create_file_perms;

common/qti.te

@@ -1,39 +0,0 @@
-type qti, domain;
-type qti_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(qti)
-net_domain(qti)
-
-allow qti {
-    rmnet_device
-    smem_log_device
-    mhi_device
-    smd_device
-    userdebug_or_eng(`kmsg_device')
-}:chr_file rw_file_perms;
-
-qmux_socket(qti)
-
-allow qti self:capability {
-    net_admin
-    net_raw
-    fsetid
-    sys_module
-    dac_override
-};
-
-allow qti self:{
-    netlink_socket
-    socket
-    udp_socket
-} create_socket_perms_no_ioctl;
-
-allow qti self:socket ioctl;
-allowxperm qti self:socket ioctl msm_sock_ipc_ioctls;
-allow qti { vendor_shell_exec system_file }:file rx_file_perms;
-
-#diag
-userdebug_or_eng(`
-    diag_use(qti)
-    allow qti sysfs:file r_file_perms;
-    allow qti sysfs_data:file r_file_perms;
-')

common/radio.te

@@ -1,19 +0,0 @@
-# IMS needs permission to use avtimer
-allow radio avtimer_device:chr_file r_file_perms;
-
-allow radio { cameraserver_service mediaextractor_service mediacodec_service }:service_manager find;
-#diag
-userdebug_or_eng(`
-    diag_use(radio)
-')
-
-binder_call(radio, hal_imsrtp)
-allow radio hal_imsrtp_hwservice:hwservice_manager find;
-# qcril needs permission to load mbn file from regional carrier
-allow radio regionalization_file:file r_file_perms;
-allow radio regionalization_file:dir r_dir_perms;
-# permissions for IMS-ConnectionmanagerTestApp
-userdebug_or_eng(`
-  allow radio hal_imsrcsd_hwservice:hwservice_manager find;
-  binder_call(radio, hal_rcsservice)
-')

common/recovery.te

@@ -1,28 +0,0 @@
-recovery_only(`
-    # Read files on /sdcard
-    allow recovery sdcard_type:dir r_dir_perms;
-    allow recovery sdcard_type:file r_file_perms;
-    allow recovery vfat:dir r_dir_perms;
-    allow recovery vfat:file create_file_perms;
-    allow recovery vfat:file rw_file_perms;
-    allow recovery system_data_file:file r_file_perms;
-    allow recovery system_data_file:dir r_dir_perms;
-    allow recovery RIDL_data_file:file r_file_perms;
-    allow recovery RIDL_data_file:dir r_dir_perms;
-    allow recovery qti_logkit_priv_data_file:file r_file_perms;
-    allow recovery qti_logkit_priv_data_file:dir r_dir_perms;
-    allow recovery rfs_system_file:{file lnk_file } { create_file_perms relabelfrom relabelto };
-    allow recovery rfs_system_file:dir { create_dir_perms relabelfrom relabelto };
-    allow recovery cache_file:dir mounton;
-    allow recovery qce_device:chr_file rw_file_perms;
-    allow recovery tee_device:chr_file rw_file_perms;
-    allow recovery sg_device:chr_file rw_file_perms;
-    allow recovery self:capability sys_rawio;
-    allow recovery sg_device:chr_file ioctl;
-    # Enable adb on configfs devices
-    allow recovery configfs:file rw_file_perms;
-    allow recovery configfs:dir rw_dir_perms;
-    set_prop(recovery, ffs_prop);
-    get_prop(recovery, sys_usb_controller_prop);
-    get_prop(recovery, boot_mode_prop);
-')

common/rfs_access.te

@@ -1,70 +0,0 @@
-# rfs_access - rfs_access daemon
-type rfs_access, domain;
-type rfs_access_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(rfs_access)
-
-#The files created by rfs_access process in the /data folder will have type rfs_file
-type_transition rfs_access system_data_file:{ dir file } rfs_file;
-type_transition rfs_access system_data_file:dir rfs_shared_hlos_file "hlos_rfs";
-
-#The files created by rfs_access process in the /persist folder will have type rfs_file
-type_transition rfs_access persist_file:{ dir file } rfs_file;
-type_transition rfs_access persist_file:dir rfs_shared_hlos_file "hlos_rfs";
-
-allow rfs_access {
-    #To read the uio char device
-    uio_device
-    #To read the smem log char device
-    smem_log_device
-}:chr_file rw_file_perms;
-
-#For QMI sockets and IPCR Sockets
-allow rfs_access self:socket create_socket_perms_no_ioctl;
-
-#For Wakelocks
-wakelock_use(rfs_access)
-
-#To create the folders in /data
-allow rfs_access system_data_file:dir create_dir_perms;
-
-#To create the folders in /persist
-allow rfs_access persist_file:dir create_dir_perms;
-
-#For system folder entries
-r_dir_file(rfs_access, rfs_system_file)
-allow rfs_access rfs_system_file:lnk_file r_file_perms;
-
-#For data folder entries
-allow rfs_access rfs_file:dir create_dir_perms;
-allow rfs_access rfs_file:file create_file_perms;
-
-allow rfs_access rfs_shared_hlos_file:dir create_dir_perms;
-allow rfs_access rfs_shared_hlos_file:file create_file_perms;
-
-#For ramdump entries in /data/tombstones.
-allow rfs_access tombstone_data_file:dir create_dir_perms;
-allow rfs_access tombstone_data_file:file create_file_perms;
-
-#For firmware entries in /firmware to read NHLOS.bin files ( only perms to read and get attributes).
-r_dir_file(rfs_access, firmware_file)
-
-#For dropping permisions from root and wakelock
-allow rfs_access self:capability {
-    setuid
-    setgid
-    setpcap
-    net_bind_service
-};
-
-# RFS UID and GIDs were changed and moved from old values to new ones OEM range.
-# The below permissions are required to recursively update the folder ownership
-# to the new values in the OEM range.
-
-allow rfs_access self:capability { dac_read_search chown dac_override };
-
-#For access to the kmsg device
-allow rfs_access kmsg_device:chr_file w_file_perms;
-
-#Prevent other domains from accessing RFS data files.
-neverallow { domain -rfs_access -kernel -recovery -init -vendor_init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:dir create_dir_perms;
-neverallow { domain -rfs_access -kernel -recovery -init -vendor_init userdebug_or_eng(`-su') -qti_init_shell } rfs_file:file create_file_perms;

common/rild.te

@@ -1,45 +0,0 @@
-qmux_socket(rild);
-#binder_use(rild)
-
-allow rild ssr_device:chr_file r_file_perms;
-
-r_dir_file(rild, sysfs_ssr)
-r_dir_file(rild, sysfs_esoc)
-
-allow rild sysfs_esoc:file w_file_perms;
-
-binder_call(rild, mediaserver)
-binder_call(rild, audioserver)
-binder_call(audioserver, rild)
-
-#Rule for RILD to talk to peripheral manager
-use_per_mgr(rild);
-
-allow rild rild_socket:chr_file r_file_perms;
-unix_socket_connect(rild, rild, time_daemon)
-allow rild system_health_monitor_device:chr_file r_file_perms;
-
-dontaudit rild domain:dir r_dir_perms;
-allow rild time_daemon:unix_stream_socket connectto;
-r_dir_file(rild, netmgrd)
-
-#Allow access to netmgrd socket
-netmgr_socket(rild);
-
-#allow rild { mediaserver_service audioserver_service }:service_manager find;
-
-# Rule for RILD to talk to peripheral manager
-use_per_mgr(rild);
-
-#diag
-userdebug_or_eng(`
-    diag_use(rild)
-')
-allow rild self:socket ioctl;
-allowxperm rild self:socket ioctl msm_sock_ipc_ioctls;
-
-allow rild vendor_radio_data_file:dir rw_dir_perms;
-allow rild vendor_radio_data_file:file create_file_perms;
-
-# qcril.so needs access to /vendor/radio/qcril_database/qcril.db
-allow rild vendor_file:file lock;

common/rmt_storage.te

@@ -1,43 +0,0 @@
-# rmt_storage - rmt_storage daemon
-type rmt_storage, domain;
-type rmt_storage_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(rmt_storage)
-
-allow rmt_storage {
-    modem_efs_partition_device
-    root_block_device
-    ssd_device
-}:blk_file rw_file_perms;
-allow rmt_storage block_device:dir r_dir_perms;
-allow rmt_storage cgroup:dir create_dir_perms;
-allow rmt_storage { smem_log_device uio_device }:chr_file rw_file_perms;
-
-# sys_admin is needed for ioprio_set
-allow rmt_storage self:capability {
-    setuid
-    setgid
-    net_bind_service
-    setpcap
-};
-
-#For set the ctl properties
-set_prop(rmt_storage, ctl_default_prop)
-
-#For Wakelocks
-wakelock_use(rmt_storage)
-
-allow rmt_storage self:socket create_socket_perms;
-allowxperm rmt_storage self:socket ioctl msm_sock_ipc_ioctls;
-allow rmt_storage uio_device:chr_file rw_file_perms;
-
-#For access to the kmsg device
-allow rmt_storage kmsg_device:chr_file w_file_perms;
-
-#debugfs access
-userdebug_or_eng(`
-allow rmt_storage qti_debugfs:dir r_dir_perms;
-allow rmt_storage qti_debugfs:file rw_file_perms;
-')
-
-allow rmt_storage sysfs:dir r_dir_perms;
-allow rmt_storage sysfs:file r_file_perms;

common/seapp_contexts

@@ -1,26 +0,0 @@
-#Add new domain for Location services
-user=gps domain=location_app type=location_app_data_file
-user=system seinfo=platform name=com.qualcomm.services.location domain=location_app type=location_app_data_file
-user=system seinfo=platform name=com.qualcomm.location.XT domain=location_app type=location_app_data_file
-
-#Add new domain for QSEE services
-user=system seinfo=platform name=com.qualcomm.qti.auth.fidocryptoservice domain=qsee_svc_app type=qsee_svc_app_data_file
-
-#Add new domain for MDTP services
-user=system seinfo=platform name=com.qualcomm.qti.securemsm.mdtp.MdtpService domain=mdtpservice_app type=mdtp_svc_app_data_file
-
-
-# AtFwd and FastDormancy apps
-user=system seinfo=platform name=com.qualcomm.telephony domain=qtelephony type=system_app_data_file
-
-#Add new domain for QDMA
-user=system seinfo=platform name=com.qualcomm.qti.qdma domain=qdma_app type=qdma_app_data_file
-
-# Add time service app
-user=system seinfo=platform name=com.qualcomm.timeservice domain=timeservice_app type=system_app_data_file
-
-#Add new domain for logkit services
-user=system seinfo=platform name=com.qualcomm.qti.logkit domain=qti_logkit_app type=system_app_data_file
-
-#Add new domain for imshelper service
-user=system seinfo=platform name=.imshelperservice domain=imshelper_app type=imshelper_app_data_file

common/sensors.te

@@ -1,80 +0,0 @@
-# Policy for sensor daemon
-type sensors, domain;
-type sensors_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(sensors)
-
-allow sensors self:capability {
-    # Change own perms to (nobody,nobody)
-    setuid
-    setgid
-    # Chown /data/misc/sensors/debug/ to nobody
-    chown
-    # Access /data/misc/sensors/debug and /data/system/sensors/settings
-    dac_override
-    dac_read_search
-    net_bind_service
-};
-
-dontaudit sensors self:capability { fsetid net_raw };
-
-# Sensors socket
-allow sensors sensors_socket:sock_file create_file_perms;
-type_transition sensors socket_device:sock_file sensors_socket "sensor_ctl_socket";
-allow sensors socket_device:dir rw_dir_perms;
-
-# Create directories and files under /data/misc/sensors
-# and /data/system/sensors. Allow generic r/w file access.
-
-# Access sensor nodes (/dev/msm_dsps, /dev/sensors)
-allow sensors sensors_device:chr_file rw_file_perms;
-
-# Access to /persist/sensors
-allow sensors persist_file:dir r_dir_perms;
-allow sensors sensors_persist_file:dir create_dir_perms;
-allow sensors sensors_persist_file:file create_file_perms;
-
-# Access to execmem
-allow sensors self:process execmem;
-
-# Wake lock access
-wakelock_use(sensors)
-
-allow sensors cgroup:dir { create add_name };
-
-allow sensors self:socket create_socket_perms;
-# ioctlcmd=c304
-allowxperm sensors self:socket ioctl msm_sock_ipc_ioctls;
-
-# Access to other devices
-allow sensors smd_device:chr_file rw_file_perms;
-allow sensors smem_log_device:chr_file rw_file_perms;
-allow sensors device_latency:chr_file w_file_perms;
-
-# Access to tests from userdebug/eng builds
-userdebug_or_eng(`
-  domain_auto_trans(shell, sensors_exec, sensors)
-  diag_use(sensors)
-')
-
-#binder_use(sensors)
-#binder_call(sensors, servicemanager)
-binder_call(sensors, per_mgr)
-
-allow sensors sysfs:dir r_dir_perms;
-allow sensors sysfs_socinfo:dir r_dir_perms;
-allow sensors sysfs_socinfo:file rw_file_perms;
-allow sensors sysfs_data:file r_file_perms;
-
-#Rules for sensors to talk to peripheral manager
-allow sensors system_file:dir r_dir_perms;
-
-allow sensors dsp_device:chr_file r_file_perms;
-
-allow sensors ion_device:chr_file r_file_perms;
-allow sensors qdsp_device:chr_file r_file_perms;
-
-
-# For reading dir/files on /dsp
-r_dir_file(sensors, adsprpcd_file)

common/service.te

@@ -1,17 +0,0 @@
-type iqfp_service,                service_manager_type;
-type qfp_proxy_service,           service_manager_type;
-type atfwd_service,               service_manager_type;
-type fidodaemon_service,          service_manager_type;
-type seemp_health_daemon_service, service_manager_type;
-type secotad_service,             service_manager_type;
-type wbc_service,                 service_manager_type;
-type dun_service,                 service_manager_type;
-type imsrcs_service,              service_manager_type;
-type improve_touch_service,       service_manager_type;
-type usf_service,                 service_manager_type;
-type dtseagleservice_service,     service_manager_type;
-type gba_auth_service,            service_manager_type;
-type mdtpdaemon_service,          service_manager_type;
-type qtitetherservice_service,    service_manager_type;
-type wigigp2p_service,            app_api_service, system_server_service, service_manager_type;
-type wigig_service,               app_api_service, system_server_service, service_manager_type;

common/ssr_diag.te

@@ -1,8 +0,0 @@
-type ssr_diag, domain;
-type ssr_diag_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(ssr_diag);
-
-userdebug_or_eng(`
-  allow ssr_diag sysfs:file w_file_perms;
-  diag_use(ssr_diag)
-')

common/ssr_setup.te

@@ -1,17 +0,0 @@
-# Policy for ssr_setup
-# ssr_setup - ssr_setup domain
-type ssr_setup, domain;
-type ssr_setup_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(ssr_setup);
-
-# Required to discover esoc's
-r_dir_file(ssr_setup, sysfs_esoc)
-
-# Required to enable/disable ssr
-r_dir_file(ssr_setup, sysfs_ssr)
-allow ssr_setup sysfs_ssr:lnk_file w_file_perms;
-allow ssr_setup sysfs_ssr_toggle:file rw_file_perms;
-
-# Keeping this here till sysfs labeling is resolved
-allow ssr_setup sysfs:file w_file_perms;
-allow ssr_setup sysfs_data:file r_file_perms;

common/subsystem_ramdump.te

@@ -1,11 +0,0 @@
-type subsystem_ramdump, domain;
-type subsystem_ramdump_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(subsystem_ramdump);
-
-userdebug_or_eng(`
-  allow subsystem_ramdump ramdump_device:chr_file r_file_perms;
-  allow subsystem_ramdump sysfs:file rw_file_perms;
-  allow subsystem_ramdump device:dir r_dir_perms;
-  allow subsystem_ramdump ssr_ramdump_data_file:file create_file_perms;
-  allow subsystem_ramdump ssr_ramdump_data_file:dir rw_dir_perms;
-')

common/surfaceflinger.te

@@ -1,42 +0,0 @@
-allow surfaceflinger sysfs_graphics:file rw_file_perms;
-
-# Allow reading/writing to 'persist/display/*'
-allow surfaceflinger persist_display_file:dir rw_dir_perms;
-allow surfaceflinger persist_display_file:file create_file_perms;
-
-# Allow only directory search to '/persist'
-allow surfaceflinger persist_file:dir search;
-
-# Use open file provided by poweroffhandler
-binder_call(surfaceflinger, poweroffhandler);
-
-binder_call(surfaceflinger, location)
-binder_call(surfaceflinger, tee)
-
-# access to /data/misc/display for dumping input frames
-allow surfaceflinger display_misc_file:dir create_dir_perms;
-allow surfaceflinger display_misc_file:file create_file_perms;
-
-# Allows access to dpps daemon in calibration mode
-#unix_socket_connect(surfaceflinger, pps, mm-pp-daemon)
-
-r_dir_file(surfaceflinger, firmware_file)
-
-#Allow access to fastmmi
-binder_call(surfaceflinger, mmi)
-
-#Allow access to cameraserver service
-allow surfaceflinger cameraserver_service:service_manager find;
-#diag
-userdebug_or_eng(`
-    diag_use(surfaceflinger)
-')
-
-allow surfaceflinger {
-    debug_gralloc_prop
-    sdm_idle_time_prop
-    sf_lcd_density_prop
-}:file r_file_perms;
-
-#set qemu.gles prop
-set_prop(surfaceflinger, qemu_gles_prop)

common/te_macros

@@ -1,87 +0,0 @@
-#####################################
-# qmux_socket(clientdomain)
-# Allow client domain to connecto and send
-# via a local socket to the qmux domain.
-# Also allow the client domain to remove
-# its own socket.
-define(`qmux_socket', `
-allow $1 qmuxd_socket:dir create_dir_perms;
-unix_socket_connect($1, qmuxd, qmuxd)
-allow $1 qmuxd_socket:sock_file { read getattr write setattr create unlink };
-')
-
-#####################################
-# netmgr_socket(clientdomain)
-# Allow client domain to connecto and send
-# via a local socket to the netmgrd domain.
-# Also allow the client domain to remove
-# its own socket.
-define(`netmgr_socket', `
-allow $1 netmgrd_socket:dir r_dir_perms;
-unix_socket_connect($1, netmgrd, netmgrd)
-allow $1 netmgrd_socket:sock_file { read getattr write };
-')
-
-########################################
-# peripheral_manager
-# Allow clients to interact with peripheral
-# manager
-define(`use_per_mgr', `
-vndbinder_use($1);
-binder_call(per_mgr, $1);
-binder_call($1, per_mgr);
-allow $1 per_mgr_service:service_manager find;
-get_prop($1, per_mgr_state_prop);
-')
-
-#####################################
-# cnd_nims_socket_perm(clientdomain)
-# allow cnd to read /proc/pid/cmdline to get appname
-# allow cnd to use inet socket created by app.
-define(`cnd_nims_socket_perm', `
-allow cnd $1:dir r_dir_perms;
-allow cnd $1:file r_file_perms;
-allow cnd $1:fd use;
-allow cnd $1:tcp_socket rw_socket_perms;
-')
-
-#####################################
-# diag_use(clientdomain)
-# allow clientdomain to read/write to diag
-define(`diag_use', `
-r_dir_file($1, sysfs_diag)
-allow $1 diag_device:chr_file rw_file_perms;
-')
-
-#####################################
-# use_netutils(clientdomain)
-# allow access to netutils from vendor
-define(`use_netutils', `
-domain_auto_trans($1, netutils_wrapper_exec, netutils_wrapper)
-allow netutils_wrapper $1:fd use;
-allow netutils_wrapper $1:fifo_file { read write getattr };
-allow netutils_wrapper $1:netlink_route_socket { read write };
-allow netutils_wrapper $1:unix_stream_socket { read write };
-allow netutils_wrapper $1:netlink_generic_socket { read write };
-allow netutils_wrapper $1:netlink_xfrm_socket { read write };
-allow netutils_wrapper $1:udp_socket { read write };
-allow netutils_wrapper $1:tcp_socket { read write };
-')
-
-#####################################
-## hal_server_domain_bypass(domain, hal_type)
-## Allow a base set of permissions required for a domain to offer a
-## HAL implementation of the specified type over HwBinder without
-## halserverdomain attribute
-##
-## For example, default implementation of Foo HAL:
-##   type hal_foo_default, domain;
-##   hal_server_domain_bypass(hal_foo_default, hal_foo)
-##
-define(`hal_server_domain_bypass', `
-hwbinder_use($1)
-allow $1 system_file:dir r_dir_perms;
-get_prop($1, hwservicemanager_prop)
-typeattribute $1 $2_server;
-typeattribute $1 $2;
-')

common/thermal-engine.te

@@ -1,70 +0,0 @@
-# Thermal-engine daemon
-type thermal-engine, domain;
-type thermal-engine_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(thermal-engine)
-
-# Allow to read and write cpufreq sysfs
-allow thermal-engine sysfs_devices_system_cpu:file rw_file_perms;
-
-# This is to access thermal query device and smem log device
-allow thermal-engine { thermal_device smem_log_device }:chr_file rw_file_perms;
-
-allow thermal-engine self:capability {
-    dac_read_search
-    dac_override
-    fsetid
-    sys_boot
-};
-
-allow thermal-engine self:socket create_socket_perms;
-# ioctlcmd=c304
-allowxperm thermal-engine self:socket ioctl msm_sock_ipc_ioctls;
-
-# This is required to access thermal sockets
-allow thermal-engine thermal_socket:dir w_dir_perms;
-allow thermal-engine thermal_socket:sock_file create_file_perms;
-allow thermal-engine socket_device:dir w_dir_perms;
-
-# This is required for thermal sysfs access
-r_dir_file(thermal-engine, sysfs_thermal)
-allow thermal-engine { sysfs_thermal sysfs }:file w_file_perms;
-
-# This is required for qmi access
-qmux_socket(thermal-engine);
-allow thermal-engine sysfs_mpdecision:file rw_file_perms;
-
-r_dir_file(thermal-engine, sysfs_ssr);
-r_dir_file(thermal-engine, sysfs)
-r_dir_file(thermal-engine, sysfs_leds)
-
-# This is required for wake alarm access
-allow thermal-engine self:capability2 wake_alarm;
-
-#This is to allow access to uio device
-allow thermal-engine uio_device:chr_file rw_file_perms;
-
-userdebug_or_eng(`
-  diag_use(thermal-engine)
-')
-
-# To search, read and write kgsl sysfs
-allow thermal-engine sysfs_kgsl:dir r_dir_perms;
-allow thermal-engine sysfs_kgsl:file rw_file_perms;
-allow thermal-engine sysfs_kgsl:lnk_file r_file_perms;
-
-allow thermal-engine sysfs_data:file r_file_perms;
-
-# netlink access
-allow thermal-engine self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-# This is required read and write battery power supply sysfs
-allow thermal-engine sysfs_battery_supply:dir r_dir_perms;
-allow thermal-engine sysfs_battery_supply:file rw_file_perms;
-allow thermal-engine sysfs_battery_supply:lnk_file r_file_perms;
-
-# This is required to read and write lcd-backlight sysfs
-allow thermal-engine sysfs_graphics:dir r_dir_perms;
-allow thermal-engine sysfs_graphics:file rw_file_perms;
-allow thermal-engine sysfs_graphics:lnk_file r_file_perms;

common/time_daemon.te

@@ -1,35 +0,0 @@
-# Policies for time daemon
-type time_daemon, domain;
-type time_daemon_exec, exec_type, vendor_file_type, file_type;
-type time_data_file, file_type, data_file_type;
-
-# Make transition to its own time_daemon domain from init
-init_daemon_domain(time_daemon)
-allow time_daemon smem_log_device:chr_file rw_file_perms;
-
-# Add rules for access permissions
-allow time_daemon rtc_device:chr_file r_file_perms;
-allow time_daemon alarm_device:chr_file rw_file_perms;
-
-allow time_daemon time_data_file:file create_file_perms;
-allow time_daemon time_data_file:dir w_dir_perms;
-allow time_daemon self:socket create_socket_perms_no_ioctl;
-allow time_daemon self:capability { setuid setgid sys_time };
-
-allow time_daemon persist_time_file:file create_file_perms;
-allow time_daemon persist_time_file:dir w_dir_perms;
-
-allow time_daemon persist_file:dir search;
-
-r_dir_file(time_daemon, sysfs_esoc);
-
-userdebug_or_eng(`
-  diag_use(time_daemon)
-')
-
-allow time_daemon sysfs_data:file r_file_perms;
-
-allow time_daemon self:socket ioctl;
-allowxperm time_daemon self:socket ioctl msm_sock_ipc_ioctls;
-
-get_prop(time_daemon, alarm_boot_prop);

common/ueventd.te

@@ -1,26 +0,0 @@
-# Allow firmware_file access to load Non-HLOS images
-r_dir_file(ueventd, firmware_file)
-
-# Allow persist_file access to wcnss bin
-r_dir_file(ueventd, persist_file)
-
-# For wifi to access wifi_data_file
-r_dir_file(ueventd, wifi_data_file)
-
-# For wifi to access wifi_vendor_data_file
-r_dir_file(ueventd, wifi_vendor_data_file)
-
-allow ueventd {
-    { sysfs_type - usermodehelper }
-    sysfs_battery_supply
-    sysfs_thermal
-    sysfs_usb_supply
-    sysfs_socinfo
-    sysfs_data
-    sysfs_kgsl
-}:file w_file_perms;
-
-#allow ueventd mba_debug_dev:blk_file r_file_perms;
-
-# For setting up various WIGIG files
-allow ueventd sysfs_bond0:file rw_file_perms;

common/uncrypt.te

@@ -1,30 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Allow uncrypting of RIDL
-allow uncrypt RIDL_data_file:file r_file_perms;
-allow uncrypt RIDL_data_file:dir r_dir_perms;

common/usb_uicc_daemon.te

@@ -1,12 +0,0 @@
-# usb_uicc_daemon
-type usb_uicc_daemon, domain;
-type usb_uicc_daemon_exec, exec_type, vendor_file_type, file_type;
-
-# Make transition from init to its domain
-init_daemon_domain(usb_uicc_daemon)
-
-allow usb_uicc_daemon self:socket create_socket_perms_no_ioctl;
-allow usb_uicc_daemon usb_uicc_device:chr_file rw_file_perms;
-allow usb_uicc_daemon sysfs_usb_uicc:file rw_file_perms;
-allow usb_uicc_daemon sysfs_usb_uicc:dir rw_dir_perms;
-set_prop(usb_uicc_daemon, uicc_prop)

common/usf.te

@@ -1,29 +0,0 @@
-# Policy for usf daemons
-type usf, domain;
-type usf_exec, exec_type, vendor_file_type, file_type;
-
-# Started by init
-init_daemon_domain(usf)
-net_domain(usf)
-
-# Ultrasound device
-allow usf usf_device:chr_file rw_file_perms;
-
-# Audio
-allow usf audio_data_file:sock_file write;
-#allow usf mediaserver:unix_stream_socket connectto;
-allow usf audio_data_file:dir r_dir_perms;
-allow usf audio_device:chr_file rw_file_perms;
-allow usf proc_audiod:file r_file_perms;
-allow usf audio_device:dir r_dir_perms;
-
-# Data files and persist storage
-allow usf usf_data_file:dir rw_dir_perms;
-allow usf usf_data_file:{ file sock_file fifo_file } create_file_perms;
-allow usf usf_data_file:lnk_file r_file_perms;
-r_dir_file(usf, persist_file)
-r_dir_file(usf, persist_usf_file)
-
-# Properties
-set_prop(usf, ctl_default_prop)
-set_prop(usf, usf_prop)

common/vm_bms.te

@@ -1,32 +0,0 @@
-#integrated process
-type vm_bms, domain;
-type vm_bms_exec, exec_type, vendor_file_type, file_type;
-
-#started by init
-init_daemon_domain(vm_bms)
-
-#allow vm_bms to visit chr_file
-allow vm_bms {
-    tmpfs
-    vm_bms_device
-    battery_data_device
-}:chr_file rw_file_perms;
-
-allow vm_bms {
-    sysfs_battery_supply
-    sysfs_usb_supply
-}:dir r_dir_perms;
-
-allow vm_bms {
-    sysfs_battery_supply
-    sysfs_usb_supply
-}:file rw_file_perms;
-
-#allow vm_bms to drop down to system service
-allow vm_bms self:capability { setpcap setgid setuid };
-
-#allow vm_bms to block the system suspend and get wake lock
-wakelock_use(vm_bms)
-
-#allow vm_bms to visit sysfs
-allow vm_bms sysfs:file w_file_perms;

common/vold.te

@@ -1,12 +0,0 @@
-allow vold tee_device:chr_file rw_file_perms;
-allow vold self:capability sys_boot;
-allow vold cache_file:dir w_dir_perms;
-allow vold { fscklogs cache_file }:file create_file_perms;
-
-# Read and write /cache/recovery/command
-allow vold cache_recovery_file:dir rw_dir_perms;
-allow vold cache_recovery_file:file create_file_perms;
-
-allow vold { proc_sysrq proc_dirty_ratio }:file rw_file_perms;
-wakelock_use(vold)
-allow vold swap_block_device:blk_file r_file_perms;

common/wcnss_service.te

@@ -1,72 +0,0 @@
-type wcnss_service, domain;
-type wcnss_service_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(wcnss_service)
-net_domain(wcnss_service)
-
-allow wcnss_service wcnss_device:chr_file rw_file_perms;
-
-qmux_socket(wcnss_service);
-
-allow wcnss_service wifi_data_file:dir w_dir_perms;
-allow wcnss_service wifi_data_file:file create_file_perms;
-
-set_prop(wcnss_service, system_prop)
-
-allow wcnss_service wifi_vendor_data_file:dir w_dir_perms;
-allow wcnss_service wifi_vendor_data_file:file create_file_perms;
-
-allow wcnss_service persist_file:dir r_dir_perms;
-qmux_socket(wcnss_service);
-
-allow wcnss_service self:socket create_socket_perms;
-# ioctlcmd=c304
-allowxperm wcnss_service self:socket ioctl msm_sock_ipc_ioctls;
-allowxperm wcnss_service self:udp_socket ioctl SIOCIWFIRSTPRIV_05;
-allow wcnss_service smem_log_device:chr_file rw_file_perms;
-allow wcnss_service proc_net:file rw_file_perms;
-
-# allow wpa_supplicant to send back wifi information to cnd
-allow wcnss_service cnd:unix_dgram_socket sendto;
-allow wcnss_service self:capability {
-    net_admin
-    net_bind_service
-};
-
-allow wcnss_service self:netlink_socket create_socket_perms_no_ioctl;
-allow wcnss_service self:netlink_generic_socket create_socket_perms_no_ioctl;
-allow wcnss_service firmware_file:dir r_dir_perms;
-allow wcnss_service firmware_file:file r_file_perms;
-allow wcnss_service sysfs:file rw_file_perms;
-allow wcnss_service sysfs_data:file r_file_perms;
-
-# allow access to netd
-unix_socket_connect(wcnss_service, netd, netd)
-
-userdebug_or_eng(`
-allow wcnss_service fuse:dir create_dir_perms;
-allow wcnss_service fuse:file create_file_perms;
-allow wcnss_service vfat:dir create_dir_perms;
-allow wcnss_service vfat:file create_file_perms;
-allow wcnss_service media_rw_data_file:dir create_dir_perms;
-allow wcnss_service media_rw_data_file:file create_file_perms;
-allow wcnss_service sdcardfs:dir create_dir_perms;
-allow wcnss_service sdcardfs:file create_file_perms;
-allow wcnss_service persist_file:file { rw_file_perms setattr };
-allow wcnss_service dynamic_nv_data_file:file r_file_perms;
-allow wcnss_service dynamic_nv_data_file:dir r_dir_perms;
-
-# This is needed for ptt_socket app to write logs file collected to sdcard
-r_dir_file(wcnss_service, storage_file)
-r_dir_file(wcnss_service, mnt_user_file)
-diag_use(wcnss_service)
-')
-
-#binder_use(wcnss_service)
-use_per_mgr(wcnss_service)
-
-hwbinder_use(wcnss_service)
-get_prop(wcnss_service, hwservicemanager_prop)
-
-#access to perflock
-hal_client_domain(wcnss_service, hal_perf)

common/wfdservice.te

@@ -1,23 +0,0 @@
-#allow access to sysfs to know HDMI repeater state
-allow wfdservice sysfs_graphics:file rw_file_perms;
-allow wfdservice sysfs_graphics:dir r_dir_perms;
-
-#Allow access to firmware files for HDCP session
-r_dir_file(wfdservice, firmware_file)
-
-
-#Allow hardware binder use
-hwbinder_use(wfdservice)
-get_prop(wfdservice, hwservicemanager_prop)
-
-#Allow hal graphics mapper permissions
-hal_client_domain(wfdservice, hal_graphics_composer);
-
-#Allow hal graphics allocator permissions
-hal_client_domain(wfdservice, hal_graphics_allocator);
-
-hal_client_domain(wfdservice, wifidisplayhalservice);
-
-#Denial seen - SELinux : avc:  denied  { find } for interface=com.qualcomm.qti.wifidisplayhal::IHDCPSession
-#pid=3530 scontext=u:r:wfdservice:s0 tcontext=u:object_r:wifidisplayhalservice_hwservice:s0 tclass=hwservice_manager
-allow wfdservice wifidisplayhalservice_hwservice:hwservice_manager find;

common/wpa.te

@@ -1,25 +0,0 @@
-
-# AOSP replaced wpa with new definition. this file to be
-# deleted once we have new definition and existing rules are modified
-
-#allow wpa persist_file:dir search;
-#qmux_socket(wpa);
-
-#allow wpa self:socket create_socket_perms_no_ioctl;
-#allow wpa smem_log_device:chr_file rw_file_perms;
-#allow wpa proc_net:file write;
-
-allow hal_wifi_supplicant wifi_vendor_data_file:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_vendor_data_file:dir w_dir_perms;
-allow hal_wifi_supplicant wifi_vendor_data_file:file create_file_perms;
-allow hal_wifi_supplicant wifi_vendor_wpa_socket:dir create_dir_perms;
-allow hal_wifi_supplicant wifi_vendor_wpa_socket:sock_file create_file_perms;
-
-# Permission for wpa socket which IMS use to communicate
-# Allow wpa_supplicant to send back wifi information to cnd
-allow hal_wifi_supplicant { cnd ims }:unix_dgram_socket sendto;
-
-allow hal_wifi_supplicant fstman:unix_dgram_socket sendto;
-allow hal_wifi_supplicant wigighalsvc:unix_dgram_socket sendto;
-
-type_transition hal_wifi_supplicant wifi_vendor_data_file:dir wpa_socket "wigig_sockets";

common/zygote.te

@@ -1,32 +0,0 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
-#
-# Redistribution and use in source and binary forms, with or without
-# modification, are permitted provided that the following conditions are
-# met:
-#     * Redistributions of source code must retain the above copyright
-#       notice, this list of conditions and the following disclaimer.
-#     * Redistributions in binary form must reproduce the above
-#       copyright notice, this list of conditions and the following
-#       disclaimer in the documentation and/or other materials provided
-#       with the distribution.
-#     * Neither the name of The Linux Foundation nor the names of its
-#       contributors may be used to endorse or promote products derived
-#       from this software without specific prior written permission.
-#
-# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
-# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
-# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
-# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
-# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-allow zygote debug_gralloc_prop:file r_file_perms;
-allow zygote sf_lcd_density_prop:file r_file_perms;
-# persist.service.bdroid.bdaddr hw.cabl.level
-allow zygote { bluetooth_prop ppd_prop system_prop } :property_service set;
-set_prop(zygote, qemu_gles_prop)

generic/private/dataservice_app.te

@@ -0,0 +1,45 @@
+# Copyright (c) 2017-2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+typeattribute dataservice_app coredomain;
+app_domain(dataservice_app)
+net_domain(dataservice_app)
+
+add_service(dataservice_app, cne_service)
+add_service(dataservice_app, dpmservice)
+add_service(dataservice_app, uce_service)
+allow dataservice_app {
+  app_api_service
+  system_api_service
+  audioserver_service
+  radio_service
+}:service_manager find;
+
+allow dataservice_app radio_data_file:dir create_dir_perms;
+allow dataservice_app radio_data_file:{ file lnk_file } create_file_perms;
+
+hwbinder_use(dataservice_app)

generic/private/domain.te

@@ -0,0 +1,29 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+get_prop(domain, vendor_exported_system_prop)
+get_prop(domain, vendor_exported_odm_prop)

generic/private/file.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+# Copyright (c) 2015, 2017-2018 The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,5 +25,4 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-#sysfs emmc dload type
-type sysfs_emmc_dload, sysfs_type, fs_type;
+type seemp_data_file, core_data_file_type, data_file_type, file_type;

generic/private/file_contexts

@@ -1,4 +1,4 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -24,8 +24,7 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-##################################
+/data/misc/elabel(/.*)?         u:object_r:elabel_data_file:s0
+/data/misc/seemp(/.*)?          u:object_r:seemp_data_file:s0
 
-r_dir_file(hal_tv_cec, sysfs_graphics)
-allow hal_tv_cec self:netlink_kobject_uevent_socket { create read setopt bind };
-allow hal_tv_cec sysfs_graphics:file w_file_perms;
+/system/etc/init\.qcom\.testscripts\.sh         u:object_r:qti-testscripts_exec:s0

generic/private/platform_app.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+# Copyright (c) 2015, 2017-2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,6 +25,7 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-recovery_only(`
-    allow recovery vendor_shell_exec:file x_file_perms;
+userdebug_or_eng(`
+    r_dir_file(platform_app, seemp_data_file)
+    allow platform_app seemp_data_file: file w_file_perms;
 ')

generic/private/property.te

@@ -0,0 +1,31 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# QCV: define property type vendor_exported_system_prop
+# and vendor_exported_odm_prop
+type vendor_exported_system_prop, property_type;
+type vendor_exported_odm_prop, property_type;

generic/private/property_contexts

@@ -1,4 +1,4 @@
-# Copyright (c) 2015, The Linux Foundation. All rights reserved.
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,5 +25,5 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-media.msm8956hw            u:object_r:media_msm8956hw_prop:s0
-media.msm8956.version      u:object_r:media_msm8956_version_prop:s0
+ro.vendor.qti.va_aosp.support       u:object_r:vendor_exported_system_prop:s0 exact bool
+ro.vendor.qti.va_odm.support       u:object_r:vendor_exported_odm_prop:s0 exact bool

generic/private/qtelephony.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -25,18 +25,14 @@
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-# Qualcomm telephony apps, such as AtFwd and FastDormancy
+# qti telephony apps, such as AtFwd and FastDormancy
 typeattribute qtelephony coredomain;
 
 app_domain(qtelephony)
 
-allow qtelephony { app_api_service system_api_service }:service_manager find;
-
-# Read and write /data/data subdirectory.
-allow qtelephony system_app_data_file:dir create_dir_perms;
-allow qtelephony system_app_data_file:{ file lnk_file } create_file_perms;
-
 hwbinder_use(qtelephony);
-allow qtelephony system_file:dir r_dir_perms;
 get_prop(qtelephony, hwservicemanager_prop);
 add_hwservice(qtelephony, hal_atfwd_hwservice);
+
+allow qtelephony system_api_service:service_manager find;
+allow qtelephony app_api_service:service_manager find;

generic/private/qti-testscripts.te

@@ -27,7 +27,7 @@
 
 #as the exec is defined in file_context  it is hitting build
 # error in user build  so moving out of the macro
-type qti-testscripts_exec, exec_type, file_type;
+type qti-testscripts_exec, system_file_type, exec_type, file_type;
 
 userdebug_or_eng(`
   typeattribute  qti-testscripts coredomain;
@@ -80,7 +80,7 @@ userdebug_or_eng(`
 # allow adbd qti-testscripts:process dyntransition;
   #allow { domain -mediaextractor -mediacodec } qti-testscripts:unix_stream_socket connectto;
   allow domain qti-testscripts:fd use;
-  allow { domain -mediaextractor -mediacodec -hal_configstore_server } qti-testscripts:unix_stream_socket { getattr getopt read write shutdown };
+  allow { domain -app_zygote -mediaextractor -hal_omx_server -hal_configstore_server } qti-testscripts:unix_stream_socket { getattr getopt read write shutdown };
 #  binder_call({ domain -init -netd }, qti-testscripts)
   allow domain qti-testscripts:fifo_file { write getattr };
   allow domain qti-testscripts:process sigchld;
@@ -92,4 +92,9 @@ userdebug_or_eng(`
   allow priv_app qti-testscripts:binder { transfer call };
   allow surfaceflinger qti-testscripts:binder { transfer call };
   allow system_server qti-testscripts:fifo_file read;
+  binder_call(platform_app, qti-testscripts)
+  binder_call(system_app, qti-testscripts)
+
+# allow lmkd to kill tasks with positive oom_score_adj under memory pressure
+  allow lmkd qti-testscripts:process { setsched sigkill };
 ')

generic/private/radio.te

@@ -0,0 +1,27 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+allow radio uce_service:service_manager find;

generic/private/seapp_contexts

@@ -0,0 +1,30 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+#Add new domain for DataServices
+# Needed for CNEService , uceShimService and other connectivity services
+user=radio seinfo=platform name=.dataservices domain=dataservice_app type=radio_data_file

generic/private/service.te

@@ -0,0 +1,28 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type cne_service,                 service_manager_type;
+type uce_service,                 service_manager_type;

generic/private/service_contexts

@@ -1,4 +1,4 @@
-# Copyright (c) 2016, The Linux Foundation. All rights reserved.
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -24,6 +24,7 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-# Regionalization service
-regionalization                                       u:object_r:regionalization_service:s0
+qti.ims.ext                                          u:object_r:radio_service:s0
+cneservice                                           u:object_r:cne_service:s0
+uce                                                  u:object_r:uce_service:s0
+com.qualcomm.qti.ustaservice.USTAServiceImpl         u:object_r:usta_app_service:s0

generic/private/vendor_init.te

@@ -0,0 +1,31 @@
+# Copyright (c) 2019, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+# QCV:vendor_init settable for vendor_exported_system_prop
+set_prop(vendor_init, vendor_exported_system_prop)
+# QCV:vendor_init settable for vendor_exported_odm_prop
+set_prop(vendor_init, vendor_exported_odm_prop)

generic/public/dataservice_app.te

@@ -0,0 +1,27 @@
+# Copyright (c) 2018, The Linux Foundation. All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#     * Redistributions of source code must retain the above copyright
+#       notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+#       copyright notice, this list of conditions and the following
+#       disclaimer in the documentation and/or other materials provided
+#       with the distribution.
+#     * Neither the name of The Linux Foundation nor the names of its
+#       contributors may be used to endorse or promote products derived
+#       from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+# WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+# ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+# CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+# SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+# IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+type dataservice_app, domain;

generic/public/domain.te

@@ -1,4 +1,4 @@
-# Copyright (c) 2016-2017, The Linux Foundation. All rights reserved.
+# Copyright (c) 2017-2018, The Linux Foundation. All rights reserved.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions are
@@ -24,3 +24,5 @@
 # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
 # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
 # IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+type qtelephony, domain;