uncrypt needs to write to the BCB

and in QC hardware, that's misc_partition...

Change-Id: I1d2f5d11423f01435f17f0e6f5d418cc0ce30e9d

Android.mk

@@ -1,109 +1,10 @@
-# Board specific SELinux policy variable definitions
-ifeq ($(call is-vendor-board-platform,QCOM),true)
-BOARD_SEPOLICY_DIRS := \
-       device/qcom/sepolicy \
-       device/qcom/sepolicy/common \
-       device/qcom/sepolicy/test \
-       device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
-
-BOARD_SEPOLICY_UNION := \
-       genfs_contexts \
-       file_contexts \
-       service_contexts \
-       property_contexts \
-       te_macros \
-       device.te \
-       vold.te \
-       ueventd.te \
-       file.te \
-       property.te \
-       untrusted_app.te \
-       drmserver.te \
-       adbd.te \
-       app.te \
-       cnd.te \
-       system_server.te \
-       mediaserver.te \
-       msm_irqbalanced.te \
-       qmuxd.te \
-       netmgrd.te \
-       port-bridge.te \
-       atfwd.te \
-       radio.te \
-       smd_test.te \
-       qmi_ping.te \
-       qmi_test_service.te \
-       irsc_util.te \
-       netd.te \
-       rild.te \
-       diag.te \
-       diag_test.te \
-       audiod.te \
-       service.te \
-       system_app.te \
-       thermal-engine.te \
-       vm_bms.te \
-       system_app.te \
-       bluetooth.te \
-       init_shell.te \
-       mpdecision.te \
-       perfd.te \
-       mm-qcamerad.te \
-       domain.te \
-       init.te \
-       time_daemon.te \
-       rmt_storage.te \
-       rfs_access.te \
-       hvdcp.te \
-       qti.te \
-       qseecomd.te \
-       mcStarter.te \
-       keystore.te \
-       ims.te \
-       imscm.te \
-       healthd.te \
-       charger_monitor.te \
-       surfaceflinger.te \
-       mm-pp-daemon.te \
-       wpa.te \
-       bootanim.te \
-       zygote.te \
-       mdm_helper.te \
-       peripheral_manager.te \
-       qcomsysd.te \
-       usb_uicc_daemon.te \
-       adsprpcd.te \
-       qlogd.te \
-       ipacm.te \
-       dpmd.te \
-       ssr_setup.te \
-       subsystem_ramdump.te \
-       ssr_diag.te \
-       sectest.te \
-       location.te \
-       location_app.te \
-       seapp_contexts \
-       logd.te \
-       installd.te \
-       wcnss_service.te \
-       mmi.te \
-       dhcp.te \
-       wfd_app.te \
-       mediaserver_test.te \
-       hbtp.te \
-       kernel.te \
-       vold.te
-
-# Compile sensor pilicy only for SSC targets
-SSC_TARGET_LIST := apq8084
-SSC_TARGET_LIST += msm8226
-SSC_TARGET_LIST += msm8960
-SSC_TARGET_LIST += msm8974
-SSC_TARGET_LIST += msm8994
-
-#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
-BOARD_SEPOLICY_UNION += sensors.te
-BOARD_SEPOLICY_UNION += sensors_test.te
-#endif
-
-endif
+# Don't recurse into the platform makefiles. We don't care about them, and
+# we don't want to force a reset of BOARD_SEPOLICY_DIRS
+#
+# If you want to use these policies, add a
+# 
+# include device/qcom/sepolicy/sepolicy.mk
+#
+# to your device's BoardConfig. It is highly recommended that in case
+# you have your own BOARD_SEPOLICY_DIRS and BOARD_SEPOLICY_UNION declarations,
+# the inclusion happens _before_ those lines

common/app.te

@@ -7,3 +7,8 @@ unix_socket_connect(appdomain, dpmwrapper, dpmd)
 unix_socket_connect(appdomain, qlogd, qlogd)
 #Allow all apps to open and send ioctl to qdsp device
 allow appdomain qdsp_device:chr_file r_file_perms;
+
+# access to perflock
+allow appdomain mpctl_socket:dir r_dir_perms;
+unix_socket_send(appdomain, mpctl, perfd)
+unix_socket_connect(appdomain, mpctl, perfd)

common/cnd.te

@@ -66,3 +66,5 @@ allow cnd mediaserver:fd use;
 allow cnd mediaserver:tcp_socket { read write bind getattr shutdown getopt };
 allow cnd mediaserver:file { open read };
 
+# allow cnd to access ipa_dev
+allow cnd ipa_dev:chr_file r_file_perms;

common/diag.te

@@ -1,13 +1,15 @@
 type diag, domain;
 type diag_exec, exec_type, file_type;
-userdebug_or_eng(`
+# Our BSPs still use diag for logging on a ton of components.
+# Allow access in user builds for now.
+#userdebug_or_eng(`
   domain_auto_trans(shell, diag_exec, diag)
   domain_auto_trans(adbd, diag_exec, diag)
   file_type_auto_trans(diag, system_data_file, diag_data_file);
   allow diag diag_device:chr_file {ioctl read write open getattr};
   allow diag devpts:chr_file {ioctl read write open getattr};
   allow diag shell:fd {use};
-  allow diag su:fd {use};
+  #allow diag su:fd {use};
   allow diag cgroup:dir { create add_name };
   allow diag console_device:chr_file { read write };
   allow diag port:tcp_socket name_connect;
@@ -25,4 +27,4 @@ userdebug_or_eng(`
   allow diag persist_drm_file:file create_file_perms;
   # allow access to qseecom for drmdiagapp
   allow sectest tee_device:chr_file rw_file_perms;
-')
+#')

common/domain.te

@@ -1,6 +1,6 @@
-userdebug_or_eng(`
+#userdebug_or_eng(`
   allow domain diag_device:chr_file rw_file_perms;
-')
+#')
 
 r_dir_file(domain, sysfs_socinfo);
 r_dir_file(domain, sysfs_esoc);

common/dpmd.te

@@ -36,3 +36,6 @@ allow dpmd kernel:system module_request;
 #appdomain
 allow dpmd appdomain:fd use;
 allow dpmd appdomain:tcp_socket { read write getopt getattr };
+
+#permission to unlink dpmwrapper socket
+allow dpmd socket_device:dir remove_name;

common/file.te

@@ -106,9 +106,6 @@ type ipacm_data_file, file_type;
 #Define the files written during the operation of mmi
 type mmi_data_file, file_type, data_file_type;
 
-#needed by vold
-type  proc_dirty_ratio, fs_type;
-
 # hbtp config file
 type hbtp_cfg_file, file_type;
 type hbtp_log_file, file_type;

common/file_contexts

@@ -213,7 +213,7 @@
 /data/hlos_rfs(/.*)?                                                u:object_r:rfs_shared_hlos_file:s0
 /data/camera(/.*)?                                                  u:object_r:camera_socket:s0
 /data/system/sensors(/.*)?                                          u:object_r:sensors_data_file:s0
-/data/time/*                                                        u:object_r:time_data_file:s0
+/data/time(/.*)?                                                    u:object_r:time_data_file:s0
 /data/nfc(/.*)?                                                     u:object_r:nfc_data_file:s0
 /data/system/perfd(/.*)?                                            u:object_r:mpctl_data_file:s0
 /data/misc/perfd(/.*)?                                              u:object_r:mpctl_socket:s0

common/genfs_contexts

@@ -1,2 +1 @@
 genfscon proc /asound/card0/state u:object_r:proc_audiod:s0
-genfscon proc /proc/sys/vm/dirty_ratio  u:object_r:proc_dirty_ratio:s0

common/kernel.te

@@ -1 +0,0 @@
-allow kernel block_device:blk_file r_file_perms;

common/keystore.te

@@ -1,2 +1,6 @@
 # Allow keystore to operate using qseecom_device
 allow keystore tee_device:chr_file rw_file_perms;
+
+# Allow keystore to search and get keymaste.mdt
+allow keystore firmware_file:dir search;
+allow keystore firmware_file:file { read getattr open };

common/location.te

@@ -16,9 +16,10 @@ binder_call(location, system_server)
 allow location location_data_file:dir rw_dir_perms;
 allow location location_data_file:fifo_file create_file_perms;
 allow location location_data_file:file create_file_perms;
+allow location location_data_file:sock_file create_file_perms;
 allow location location_exec:file execute_no_trans;
 allow location location_socket:sock_file create_file_perms;
-allow location self:capability { setuid setgid };
+allow location self:capability { setuid setgid net_admin };
 allow location self:socket create_socket_perms;
 allow location sensors:unix_stream_socket connectto;
 allow location sensors_device:chr_file r_file_perms;

common/mediaserver.te

@@ -16,6 +16,7 @@ allow mediaserver camera_data_file:sock_file write;
 userdebug_or_eng(`
   allow mediaserver camera_data_file:dir rw_dir_perms;
   allow mediaserver camera_data_file:file create_file_perms;
+  allow mediaserver debugfs:file rw_file_perms;
 ')
 
 allow mediaserver sysfs_esoc:dir r_dir_perms;
@@ -25,6 +26,7 @@ allow mediaserver system_app_data_file:file rw_file_perms;
 allow mediaserver mpctl_socket:dir r_dir_perms;
 unix_socket_send(mediaserver, mpctl, mpdecision)
 unix_socket_connect(mediaserver, mpctl, mpdecision)
+unix_socket_connect(mediaserver, thermal, thermal-engine)
 
 # access to perflock
 allow mediaserver mpctl_socket:dir r_dir_perms;
@@ -33,3 +35,7 @@ unix_socket_connect(mediaserver, mpctl, perfd)
 
 # for thermal sock files
 unix_socket_connect(mediaserver, thermal, thermal-engine)
+
+# Allow mediaserver to search and get the widevine, playready firmwares
+allow mediaserver firmware_file:dir search;
+allow mediaserver firmware_file:file { read getattr open };

common/mm-pp-daemon.te

@@ -23,8 +23,9 @@ allow mm-pp-daemon sensors_socket:sock_file rw_file_perms;
 allow mm-pp-daemon sensors:unix_stream_socket connectto;
 
 allow mm-pp-daemon system_prop:property_service set;
-
-userdebug_or_eng(`
+#Calibration can only be done on userdebug or eng builds
+#Enable on user builds too. This is causing mayhem for gfx
+#userdebug_or_eng(`
     # Display calibration service opens /dev/diag in order to communicate with the
     # target device
     allow mm-pp-daemon diag_device:chr_file rw_file_perms;
@@ -41,12 +42,15 @@ userdebug_or_eng(`
     allow mm-pp-daemon system_file:file execute_no_trans;
     allow mm-pp-daemon zygote_exec:file rx_file_perms;
     allow mm-pp-daemon self:process ptrace;
-')
 
 # Allow mm-pp-daemon to change the brightness of the target during display
 # calibration
 allow mm-pp-daemon sysfs:file rw_file_perms;
 
+#')
+
 # Allow socket calls in pp-daemon
 unix_socket_connect(mm-pp-daemon, property, init)
 unix_socket_connect(mm-pp-daemon, pps, init)
+allow mm-pp-daemon init:unix_stream_socket listen;
+allow mm-pp-daemon init:unix_stream_socket accept;

common/mm-qcamerad.te

@@ -7,6 +7,8 @@ userdebug_or_eng(`
 ')
 
 #Communicate with user land process through domain socket
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket1";
+type_transition mm-qcamerad system_data_file:sock_file camera_socket "cam_socket2";
 allow mm-qcamerad camera_socket:sock_file { create unlink write };
 allow mm-qcamerad camera_socket:dir w_dir_perms;
 unix_socket_connect(mm-qcamerad, sensors, sensors)

common/mpdecision.te

@@ -7,6 +7,8 @@ allow mpdecision sysfs_mpdecision:file rw_file_perms;
 allow mpdecision sysfs_devices_system_cpu:file rw_file_perms;
 allow mpdecision sysfs_rqstats:file w_file_perms;
 allow mpdecision sysfs_cpu_online:file rw_file_perms;
+# For the KSM tunables
+allow mpdecision sysfs_writable:file rw_file_perms;
 #Allow mpdecision set cpu affinity
 allow mpdecision kernel:process setsched;
 #Allow writes to /dev/cpu_dma_latency
@@ -32,3 +34,9 @@ allow mpdecision mpctl_data_file:file { create_file_perms unlink };
 #allow poll of system_server status
 allow mpdecision system_server:dir search;
 allow mpdecision system_server:file { open read };
+
+#cm extra opts
+allow mpdecision thermal-engine:unix_stream_socket connectto;
+allow mpdecision thermal_socket:sock_file write;
+allow mpdecision sysfs_thermal:file rw_file_perms;
+allow mpdecision sysfs_devices_system_iosched:file rw_file_perms;

common/netd.te

@@ -4,6 +4,10 @@ allow netd netd:packet_socket { create bind setopt read ioctl };
 allow netd wfd_app:fd use;
 allow netd wfd_app:tcp_socket { read write setopt getopt };
 
+# See change I4dd0326110c655fcd6cd5f8425be523d9e64ffa7 to system/netd
+type_transition netd wifi_data_file:dir wpa_socket "sockets";
+allow netd wpa_socket:dir create_dir_perms;
+
 dontaudit netd self:capability sys_module;
 
 #needed for ipt_TCPMSS and ip6t_TCPMSS

common/radio.te

@@ -11,3 +11,8 @@ unix_socket_connect(radio, dpmd, dpmd)
 
 # IMS needs permission to use unix domain socket
 allow radio ims:unix_stream_socket connectto;
+
+# allow radio to access video_device, smd_device for VideoCall
+allow radio video_device:dir r_dir_perms;
+allow radio video_device:chr_file rw_file_perms;
+allow radio smd_device:chr_file rw_file_perms;

common/rild.te

@@ -13,8 +13,9 @@ allow rild sysfs_ssr:lnk_file { read open };
 
 allow rild mediaserver:binder { transfer call };
 
-#allow rild diag_device:chr_file { open read write };
+allow rild diag_device:chr_file { open read write };
 allow rild rild_socket:chr_file { open read write };
+allow rild system_health_monitor_device:chr_file r_file_perms;
 
 allow rild sysfs_ssr:dir r_dir_perms;
 allow rild sysfs_ssr:lnk_file read;

common/seapp_contexts

@@ -2,3 +2,4 @@
 user=gps domain=location_app type=location_app_data_file
 user=system seinfo=platform name=com.qualcomm.services.location domain=location_app type=location_app_data_file
 user=system seinfo=platform name=com.qualcomm.location.XT domain=location_app type=location_app_data_file
+user=system seinfo=platform name=com.qualcomm.msapm domain=location_app type=location_app_data_file

common/sensors.te

@@ -53,5 +53,5 @@ allow sensors device_latency:chr_file w_file_perms;
 # Access to tests from userdebug/eng builds
 userdebug_or_eng(`
   domain_auto_trans(shell, sensors_exec, sensors)
-  allow sensors diag_device:chr_file rw_file_perms;
 ')
+allow sensors diag_device:chr_file rw_file_perms;

common/surfaceflinger.te

@@ -6,3 +6,8 @@ r_dir_file(surfaceflinger, mm-pp-daemon)
 
 binder_call(surfaceflinger, location)
 binder_call(surfaceflinger, tee)
+
+# access to perflock
+allow surfaceflinger mpctl_socket:dir r_dir_perms;
+unix_socket_send(surfaceflinger, mpctl, perfd)
+unix_socket_connect(surfaceflinger, mpctl, perfd)

common/system_server.te

@@ -33,7 +33,7 @@ allow system_server location_data_file:dir rw_dir_perms;
 allow system_server location_data_file:fifo_file create_file_perms;
 allow system_server location_socket:sock_file rw_file_perms;
 allow system_server location_app_data_file:dir r_dir_perms;
-allow system_server location_data_file:sock_file rw_file_perms;
+allow system_server location_data_file:sock_file create_file_perms;
 
 #For wifistatemachine
 allow system_server kernel:key search;

common/thermal-engine.te

@@ -10,11 +10,11 @@ init_daemon_domain(thermal-engine)
 allow thermal-engine thermal_device:chr_file rw_file_perms;
 #This is required to access smem log device
 allow thermal-engine smem_log_device:chr_file rw_file_perms;
-allow thermal-engine self:capability { dac_read_search dac_override fsetid };
+allow thermal-engine self:capability { dac_read_search dac_override fsetid chown };
 allow thermal-engine self:socket create_socket_perms;
 #This is required to access thermal sockets
 allow thermal-engine thermal_socket:dir w_dir_perms;
-allow thermal-engine thermal_socket:sock_file { create setattr open read write };
+allow thermal-engine thermal_socket:sock_file { create setattr open read write unlink };
 #This is required for thermal sysfs access
 allow thermal-engine sysfs_thermal:dir r_dir_perms;
 allow thermal-engine sysfs_thermal:file rw_file_perms;
@@ -24,3 +24,8 @@ allow thermal-engine sysfs:file write;
 qmux_socket(thermal-engine);
 allow thermal-engine sysfs_mpdecision:file rw_file_perms;
 r_dir_file(thermal-engine, sysfs_ssr);
+
+#Label the thermal sockets correctly
+type_transition thermal-engine socket_device:sock_file thermal_socket;
+#Allow creation of the sockets in the socket dir
+allow thermal-engine socket_device:dir { write add_name remove_name };

common/time_daemon.te

@@ -12,6 +12,8 @@ allow time_daemon smem_log_device:chr_file rw_file_perms;
 allow time_daemon rtc_device:chr_file { open read ioctl };
 allow time_daemon alarm_device:chr_file { open read write ioctl };
 
+#============= File labeling ==============
+type_transition time_daemon system_data_file:file time_data_file;
 #============= File read/write ==============
 allow time_daemon time_data_file:file { write create open read};
 allow time_daemon time_data_file:dir { write add_name search};

common/uncrypt.te

@@ -0,0 +1,3 @@
+allow uncrypt misc_partition:blk_file w_file_perms;
+allow uncrypt misc_partition:dir r_dir_perms;
+

common/untrusted_app.te

@@ -1,10 +1,16 @@
 # access to perflock
-allow untrusted_app mpctl_socket:dir r_dir_perms;
-unix_socket_send(untrusted_app, mpctl, perfd)
-unix_socket_connect(untrusted_app, mpctl, perfd)
 unix_socket_send(untrusted_app, mpctl, mpdecision)
 unix_socket_connect(untrusted_app, mpctl, mpdecision)
 
+# read temp sensors
+allow untrusted_app sysfs_thermal:file r_file_perms;
+allow untrusted_app sysfs_thermal:lnk_file r_file_perms;
+allow untrusted_app sysfs_thermal:dir r_dir_perms;
+
+# allow apps to read battery status
+allow untrusted_app sysfs_battery_supply:dir r_dir_perms;
+allow untrusted_app sysfs_battery_supply:file r_file_perms;
+
 # test apps needs to communicate with imscm
 # using binder call
 userdebug_or_eng(`

common/vold.te

@@ -6,4 +6,3 @@ allow vold proc_sysrq:file rw_file_perms;
 allow vold self:capability sys_boot;
 allow vold cache_file:dir { write add_name };
 allow vold cache_file:file { write create open };
-allow vold proc_dirty_ratio:file rw_file_perms;

common/wcnss_service.te

@@ -14,7 +14,6 @@ allow wcnss_service wifi_data_file:file create_file_perms;
 
 allow wcnss_service system_prop:property_service set;
 allow wcnss_service persist_file:dir r_dir_perms;
-qmux_socket(wcnss_service);
 
 allow wcnss_service self:socket create_socket_perms;
 allow wcnss_service smem_log_device:chr_file rw_file_perms;

common/wfd_app.te

@@ -12,7 +12,6 @@ allow wfd_app video_device:dir r_dir_perms;
 allow wfd_app video_device:chr_file rw_file_perms;
 allow wfd_app audio_device:dir r_dir_perms;
 allow wfd_app audio_device:chr_file rw_file_perms;
-allow wfd_app fwmarkd_socket:sock_file write;
 allow wfd_app netd:unix_stream_socket connectto;
 allow wfd_app firmware_file:dir r_dir_perms;
 allow wfd_app firmware_file:file r_file_perms;

msm8960/Android.mk

@@ -1 +1,2 @@
 BOARD_SEPOLICY_UNION += \
+     bridgemgr.te

msm8960/bridgemgr.te

@@ -0,0 +1,16 @@
+# Bridge Manager (radio process)
+type bridge, domain;
+type bridge_exec, exec_type, file_type;
+
+# Started by init
+init_daemon_domain(bridge)
+
+# Uevent for usb connection
+allow bridge self:netlink_kobject_uevent_socket { create bind read };
+
+# Talk to qmuxd (qmux_radio)
+qmux_socket(bridge)
+
+# Alert the RmNet SMD & SDIO function driver of the correct transport.
+# (/sys/class/android_usb/f_rmnet_smd_sdio/transport)
+allow bridge sysfs_rmnet:file { open read write getattr };

msm8960/file.te

@@ -1,2 +1,4 @@
 #efs file types
 type efs_data_file, file_type, data_file_type;
+#for Fusion's bridgemgr
+type sysfs_rmnet, fs_type, sysfs_type;

msm8960/file_contexts

@@ -20,3 +20,9 @@
 # Data files
 #
 /data/qcks(/.*)?                                u:object_r:efs_data_file:s0
+
+###################################
+# SDIO transport control on Fusion
+#
+/sys/class/android_usb/f_rmnet_smd_sdio/transport  --  u:object_r:sysfs_rmnet:s0
+/sys/devices/virtual/android_usb/android0/f_rmnet_smd_sdio/transport  --  u:object_r:sysfs_rmnet:s0

msm8994/ims.te

@@ -0,0 +1,2 @@
+allow ims self:capability net_raw;
+allow ims self:socket { read bind create write ioctl };

sepolicy.mk

@@ -0,0 +1,106 @@
+# Board specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+       device/qcom/sepolicy \
+       device/qcom/sepolicy/common \
+       device/qcom/sepolicy/test \
+       device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)
+
+BOARD_SEPOLICY_UNION += \
+       genfs_contexts \
+       file_contexts \
+       service_contexts \
+       property_contexts \
+       te_macros \
+       device.te \
+       ueventd.te \
+       file.te \
+       property.te \
+       untrusted_app.te \
+       drmserver.te \
+       adbd.te \
+       app.te \
+       cnd.te \
+       system_server.te \
+       mediaserver.te \
+       msm_irqbalanced.te \
+       qmuxd.te \
+       netmgrd.te \
+       port-bridge.te \
+       atfwd.te \
+       radio.te \
+       smd_test.te \
+       qmi_ping.te \
+       qmi_test_service.te \
+       irsc_util.te \
+       netd.te \
+       rild.te \
+       diag.te \
+       diag_test.te \
+       audiod.te \
+       service.te \
+       thermal-engine.te \
+       vm_bms.te \
+       system_app.te \
+       bluetooth.te \
+       init_shell.te \
+       mpdecision.te \
+       perfd.te \
+       mm-qcamerad.te \
+       domain.te \
+       init.te \
+       time_daemon.te \
+       rmt_storage.te \
+       rfs_access.te \
+       hvdcp.te \
+       qti.te \
+       qseecomd.te \
+       mcStarter.te \
+       keystore.te \
+       ims.te \
+       imscm.te \
+       healthd.te \
+       charger_monitor.te \
+       surfaceflinger.te \
+       mm-pp-daemon.te \
+       wpa.te \
+       bootanim.te \
+       zygote.te \
+       mdm_helper.te \
+       peripheral_manager.te \
+       qcomsysd.te \
+       usb_uicc_daemon.te \
+       adsprpcd.te \
+       qlogd.te \
+       ipacm.te \
+       dpmd.te \
+       ssr_setup.te \
+       subsystem_ramdump.te \
+       ssr_diag.te \
+       sectest.te \
+       location.te \
+       location_app.te \
+       seapp_contexts \
+       logd.te \
+       installd.te \
+       wcnss_service.te \
+       mmi.te \
+       dhcp.te \
+       wfd_app.te \
+       mediaserver_test.te \
+       hbtp.te \
+       vold.te
+
+-include device/qcom/sepolicy/$(TARGET_BOARD_PLATFORM)/Android.mk
+
+# Compile sensor policy only for SSC targets
+SSC_TARGET_LIST := apq8084
+SSC_TARGET_LIST += msm8226
+SSC_TARGET_LIST += msm8610
+SSC_TARGET_LIST += msm8960
+SSC_TARGET_LIST += msm8974
+SSC_TARGET_LIST += msm8994
+
+#ifeq ($(call is-board-platform-in-list,$(SSC_TARGET_LIST)),true)
+BOARD_SEPOLICY_UNION += sensors.te
+BOARD_SEPOLICY_UNION += sensors_test.te
+#endif