Initial selinux policies

* convert existing one to vendor

BoardConfig.mk

@@ -32,6 +32,7 @@ TARGET_BOARD_PLATFORM := sdm710
 # Kernel
 TARGET_KERNEL_CONFIG := kunlun2_defconfig
 BOARD_KERNEL_CMDLINE := console=ttyMSM0,115200n8 earlycon=msm_geni_serial,0xA90000 androidboot.hardware=qcom androidboot.console=ttyMSM0 video=vfb:640x400,bpp=32,memsize=3072000 msm_rtb.filter=0x237 ehci-hcd.park=3 lpm_levels.sleep_disabled=1 service_locator.enable=1 androidboot.configfs=true androidboot.usbcontroller=a600000.dwc3 swiotlb=1 loop.max_part=7
+BOARD_KERNEL_CMDLINE += androidboot.selinux=permissive
 BOARD_KERNEL_BASE := 0x00000000
 BOARD_KERNEL_PAGESIZE := 4096
 BOARD_KERNEL_TAGS_OFFSET := 0x00000100
@@ -117,9 +118,9 @@ TARGET_RELEASETOOLS_EXTENSIONS := $(DEVICE_PATH)
 TARGET_PROVIDES_QTI_TELEPHONY_JAR := true
 
 # Sepolicy
-# PRIVATE_EXCLUDE_BUILD_TEST := true
-include device/qcom/sepolicy/SEPolicy.mk
-BOARD_PLAT_PRIVATE_SEPOLICY_DIR += $(DEVICE_PATH)/sepolicy/private
+include device/qcom/sepolicy_vndr/SEPolicy.mk
+
+BOARD_VENDOR_SEPOLICY_DIRS += $(DEVICE_PATH)/sepolicy/vendor
 SELINUX_IGNORE_NEVERALLOWS := true
 
 # Treble

sepolicy/private/app.te

@@ -1,4 +0,0 @@
-# Allow appdomain to get vendor_camera_prop
-get_prop(appdomain, vendor_camera_prop)
-
-get_prop(appdomain, vendor_default_prop)

sepolicy/private/device.te

@@ -1,2 +0,0 @@
-type device_latency, dev_type;
-type diag_device, dev_type, mlstrustedobject;

sepolicy/private/dontaudit.te

@@ -1 +0,0 @@
-dontaudit gmscore_app firmware_file:filesystem getattr;

sepolicy/private/file.te

@@ -1,21 +0,0 @@
-type adsprpcd_file, file_type;
-type bt_firmware_file, file_type;
-type firmware_file, file_type;
-type persist_file, file_type;
-type sensors_persist_file, file_type;
-type proc_touchpanel, fs_type, proc_type;
-type sysfs_graphics, sysfs_type, fs_type;
-type sysfs_devfreq, sysfs_type, fs_type;
-type pps_socket, file_type;
-type display_data_file, data_file_type, core_data_file_type, file_type;
-type vendor_firmware_file, vendor_file_type, file_type;
-type sysfs_msm_subsys, sysfs_type, fs_type;
-type sysfs_system_sleep_stats, sysfs_type, fs_type;
-type sysfs_rpm, sysfs_type, fs_type;
-type sysfs_kgsl, sysfs_type, fs_type;
-type sysfs_scsi_devices, sysfs_type, fs_type;
-type debugfs_wlan, debugfs_type, fs_type;
-type debugfs_sched_features, debugfs_type, fs_type;
-type proc_sysctl_schedboost, proc_type, fs_type;
-type sysfs_tp, fs_type, sysfs_type;
-type sysfs_mmc_host, fs_type, sysfs_type;

sepolicy/private/file_contexts

@@ -1,25 +0,0 @@
-# Data files
-/data/display(/.*)?                 u:object_r:display_data_file:s0
-
-# Dev nodes
-/dev/diag                           u:object_r:diag_device:s0
-
-# Files in rootfs
-/bt_firmware(/.*)?       u:object_r:bt_firmware_file:s0
-/dsp(/.*)?               u:object_r:adsprpcd_file:s0
-/firmware(/.*)?          u:object_r:firmware_file:s0
-/persist(/.*)?           u:object_r:persist_file:s0
-
-# HALs
-/system/bin/hw/android\.hardware\.power-service\.lenovo                                      u:object_r:hal_power_pixel_exec:s0
-/system/bin/hw/lineage\.livedisplay@2\.0-service-sdm                                         u:object_r:shal_livedisplay_default_exec:s0
-/(system|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service                         u:object_r:hal_light_default_exec:s0
-
-# IMS
-/vendor/bin/imsdatadaemon            u:object_r:ims_exec:s0
-
-# Thermal config
-/(system|system/vendor)/etc/thermal-engine.conf   u:object_r:vendor_configs_file:s0
-
-# Touch
-/sys/class/touch/tp_dev/gesture_on  u:object_r:sysfs_tp:s0

sepolicy/private/flipendo.te

@@ -1 +0,0 @@
-binder_call(flipendo, hal_power_pixel);

sepolicy/private/fm_app.te

@@ -1,2 +0,0 @@
-allow vendor_fm_app hal_fm_hwservice:hwservice_manager find;
-allow vendor_fm_app hal_bluetooth:binder { call transfer };

sepolicy/private/genfs_contexts

@@ -1,10 +0,0 @@
-genfscon proc /touchpanel    u:object_r:proc_touchpanel:s0
-genfscon debugfs /wlan0                               u:object_r:debugfs_wlan:s0
-genfscon debugfs /sched_features                      u:object_r:debugfs_sched_features:s0
-genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state    u:object_r:sysfs_graphics:s0
-genfscon sysfs /devices/platform/soc/soc:qcom,l3-cdsp/devfreq                   u:object_r:sysfs_devfreq:s0
-genfscon sysfs /devices/platform/soc/1d84000.ufshc/clkgate_enable               u:object_r:sysfs_scsi_devices:s0
-genfscon sysfs /devices/platform/soc/1d84000.ufshc/hibern8_on_idle_enable       u:object_r:sysfs_scsi_devices:s0
-genfscon sysfs /power/rpmh_stats/master_stats         u:object_r:sysfs_rpm:s0
-genfscon sysfs /power/system_sleep/stats              u:object_r:sysfs_system_sleep_stats:s0
-genfscon proc /sys/kernel/sched_boost                 u:object_r:proc_sysctl_schedboost:s0

sepolicy/private/hal_audio.te

@@ -1,8 +0,0 @@
-allow hal_audio diag_device:chr_file rw_file_perms;
-
-allow hal_audio sysfs:dir read;
-
-allow hal_audio hal_power_pixel:binder call;
-
-get_prop(hal_audio, default_prop)
-get_prop(hal_audio, audio_prop)

sepolicy/private/hal_bluetooth.te

@@ -1,2 +0,0 @@
-allow hal_bluetooth vendor_fm_app:binder call;
-allow hal_bluetooth diag_device:chr_file rw_file_perms;

sepolicy/private/hal_camera.te

@@ -1,2 +0,0 @@
-get_prop(hal_camera, system_prop)
-get_prop(hal_camera, default_prop)

sepolicy/private/hal_livedisplay_default.te

@@ -1,29 +0,0 @@
-type shal_livedisplay_default, coredomain, domain;
-hal_server_domain(shal_livedisplay_default, hal_lineage_livedisplay)
-
-type shal_livedisplay_default_exec, exec_type, file_type;
-init_daemon_domain(shal_livedisplay_default)
-
-# Allow LiveDisplay to perform binder IPC to vendor.display.color::IDisplayColor
-type hal_display_color_default, domain;
-binder_call(shal_livedisplay_default, hal_display_color_default)
-
-allow shal_livedisplay_default hal_display_color_hwservice:hwservice_manager find;
-
-# Talk to the binder device node
-allow shal_livedisplay_default binder_device:chr_file rw_file_perms;
-
-# Allow LiveDisplay to store files under /data/display and access them
-allow shal_livedisplay_default display_data_file:dir rw_dir_perms;
-allow shal_livedisplay_default display_data_file:file create_file_perms;
-
-# Allow LiveDisplay to access pps socket
-type mm-pp-daemon, domain;
-typeattribute mm-pp-daemon socket_between_core_and_vendor_violators;
-unix_socket_connect(shal_livedisplay_default, pps, mm-pp-daemon)
-
-# Allow LiveDisplay to read display props
-get_prop(shal_livedisplay_default, vendor_display_prop)
-
-# Grant LiveDisplay access over the control nodes
-allow shal_livedisplay_default sysfs_graphics:file rw_file_perms;

sepolicy/private/hal_power_pixel.te

@@ -1,55 +0,0 @@
-type hal_power_pixel, coredomain, domain;
-hal_server_domain(hal_power_pixel, hal_power)
-
-type hal_power_pixel_exec, system_file_type, exec_type, file_type;
-init_daemon_domain(hal_power_pixel)
-
-# Allow hal_power_pixel to write to dt2w nodes
-allow hal_power_pixel proc_touchpanel:dir search;
-allow hal_power_pixel proc_touchpanel:file w_file_perms;
-
-allow hal_power_pixel debugfs_wlan:dir r_dir_perms;
-allow hal_power_pixel debugfs_wlan:file r_file_perms;
-
-allow hal_power_pixel self:capability dac_override;
-
-allow hal_power_pixel system_file:file r_file_perms;
-
-allow hal_power_pixel sysfs_graphics:dir search;
-allow hal_power_pixel sysfs_graphics:file r_file_perms;
-
-allow hal_power_pixel sysfs_rpm:file r_file_perms;
-allow hal_power_pixel sysfs_system_sleep_stats:file r_file_perms;
-
-r_dir_file(hal_power, sysfs_tp)
-allow hal_power_pixel sysfs_tp:file write;
-
-# To do powerhint on nodes defined in powerhint.json
-allow hal_power_pixel sysfs_devfreq:dir search;
-allow hal_power_pixel sysfs_devfreq:{ file lnk_file } rw_file_perms;
-allow hal_power_pixel sysfs_scsi_devices:dir search;
-allow hal_power_pixel sysfs_scsi_devices:{ file lnk_file } rw_file_perms;
-allow hal_power_pixel sysfs_kgsl:dir search;
-allow hal_power_pixel sysfs_kgsl:{ file lnk_file } rw_file_perms;
-allow hal_power_pixel sysfs_msm_subsys:dir search;
-allow hal_power_pixel sysfs_msm_subsys:file rw_file_perms;
-allow hal_power_pixel sysfs_devices_system_cpu:file rw_file_perms;
-allow hal_power_pixel device_latency:chr_file rw_file_perms;
-allow hal_power_pixel proc_sysctl_schedboost:file rw_file_perms;
-allow hal_power_pixel debugfs_sched_features:dir search;
-allow hal_power_pixel debugfs_sched_features:file rw_file_perms;
-allow hal_power_pixel input_device:dir search;
-allow hal_power_pixel input_device:chr_file rw_file_perms;
-
-allow hal_power_pixel hal_power_hwservice:hwservice_manager add;
-allow hal_power_pixel hidl_base_hwservice:hwservice_manager add;
-allow hal_power_pixel hal_power_service:service_manager add;
-binder_call(hal_power_pixel, hwservicemanager)
-binder_call(hal_power_pixel, hal_audio)
-binder_call(hal_power_pixel, servicemanager);
-
-# To get hwservicemanager state
-get_prop(hal_power_pixel, hwservicemanager_prop)
-
-# To get/set powerhal state property
-set_prop(hal_power_pixel, vendor_power_prop)

sepolicy/private/hal_sensors.te

@@ -1,2 +0,0 @@
-allow hal_sensors diag_device:chr_file rw_file_perms;
-allow hal_sensors system_server:fd use;

sepolicy/private/hwservice.te

@@ -1,2 +0,0 @@
-type hal_display_color_hwservice, hwservice_manager_type;
-type hal_fm_hwservice, hwservice_manager_type;

sepolicy/private/ims.te

@@ -1,7 +0,0 @@
-type ims, domain;
-type ims_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(ims)
-net_domain(ims)
-
-allow ims diag_device:chr_file rw_file_perms;

sepolicy/private/init.te

@@ -1,12 +0,0 @@
-allow init proc_touchpanel:dir search;
-allow init proc_touchpanel:file { write setattr open};
-
-# Allow init to mount vendor configs
-allow init vendor_configs_file:dir mounton;
-allow init vendor_configs_file:file mounton;
-
-allow init self:netlink_generic_socket read;
-
-allow init sysfs_tp:file setattr;
-
-allow init vendor_file:file execute;

sepolicy/private/property.te

@@ -1,5 +0,0 @@
-type vendor_camera_prop, property_type;
-type vendor_display_prop, property_type;
-type vendor_power_prop, property_type;
-type vendor_ssr_prop, property_type;
-type vendor_cap_configstore_dbg_prop, property_type;

sepolicy/private/property_contexts

@@ -1,5 +0,0 @@
-vendor.powerhal.state      u:object_r:vendor_power_prop:s0
-vendor.powerhal.audio      u:object_r:vendor_power_prop:s0
-vendor.powerhal.init       u:object_r:vendor_power_prop:s0
-vendor.powerhal.rendering  u:object_r:vendor_power_prop:s0
-ro.vendor.fm.use_audio_session     u:object_r:vendor_default_prop:s0

sepolicy/private/qti_init_shell.te

@@ -1,21 +0,0 @@
-type qti_init_shell, domain;
-
-allow qti_init_shell sysfs_io_sched_tuneable:file w_file_perms;
-dontaudit qti_init_shell self:capability { dac_override dac_read_search };
-
-allow qti_init_shell configfs:dir create_dir_perms;
-allow qti_init_shell configfs:file create_file_perms;
-allow qti_init_shell configfs:lnk_file create_file_perms;
-
-allow qti_init_shell persist_file:lnk_file read;
-
-allow qti_init_shell sensors_persist_file:fifo_file create_file_perms;
-
-allow qti_init_shell shell_exec:file rx_file_perms;
-
-allow qti_init_shell sysfs:file setattr;
-allow qti_init_shell sysfs_leds:file setattr;
-
-allow qti_init_shell toolbox_exec:file rx_file_perms;
-
-get_prop(qti_init_shell, default_prop)

sepolicy/private/ssr_setup.te

@@ -1,7 +0,0 @@
-type vendor_ssr_setup, domain;
-type vendor_ssr_setup_exec, exec_type, vendor_file_type, file_type;
-init_daemon_domain(vendor_ssr_setup);
-
-allow vendor_ssr_setup sysfs:file rw_file_perms;
-
-get_prop(vendor_ssr_setup, vendor_ssr_prop)

sepolicy/private/surfaceflinger.te

@@ -1 +0,0 @@
-binder_call(surfaceflinger, hal_power_pixel);

sepolicy/private/system_server.te

@@ -1,5 +0,0 @@
-allow system_server hal_power_pixel:binder call;
-
-allow system_server sysfs:file read;
-
-get_prop(system_server, vendor_camera_prop)

sepolicy/private/thermal-engine.te

@@ -1,4 +0,0 @@
-type thermal-engine, domain;
-
-allow thermal-engine sysfs_devfreq:dir r_dir_perms;
-allow thermal-engine sysfs:dir r_dir_perms;

sepolicy/private/vendor_init.te

@@ -1,13 +0,0 @@
-typeattribute vendor_init data_between_core_and_vendor_violators;
-
-# Allow vendor_init to check encryption status of system_data_file
-allow vendor_init system_data_file:dir { ioctl open read setattr };
-
-allow vendor_init block_device:lnk_file setattr;
-
-allow vendor_init persist_file:lnk_file read;
-
-get_prop(vendor_init, default_prop)
-get_prop(vendor_init, persist_debug_prop)
-
-set_prop(vendor_init, default_prop)

sepolicy/private/vold.te

@@ -1,2 +0,0 @@
-# For setting read_ahead_kb
-allow vold sysfs_mmc_host:file w_file_perms;

sepolicy/vendor/app.te

@@ -0,0 +1,3 @@
+# Allow appdomain to get some props
+get_prop(appdomain, vendor_camera_prop)
+get_prop(appdomain, camera_prop)

sepolicy/vendor/binderfs.te

@@ -0,0 +1,4 @@
+# REVERT ME: make binderfs permissive
+userdebug_or_eng(`
+  permissive binderfs;
+')

sepolicy/vendor/cameraserver.te

@@ -0,0 +1 @@
+allow cameraserver camera_data_file:file { getattr open write };

sepolicy/vendor/device.te

@@ -0,0 +1,3 @@
+type oem_block_device, dev_type;
+type param_block_device, dev_type;
+type param_device, dev_type;

sepolicy/vendor/domain.te

@@ -0,0 +1,2 @@
+# Allow domain to get public_vendor_default_prop
+get_prop(domain, public_vendor_default_prop)

sepolicy/vendor/file.te

@@ -0,0 +1,18 @@
+type display_data_file, file_type, data_file_type, core_data_file_type;
+type proc_touchpanel, fs_type;
+type sysfs_oem, sysfs_type, fs_type;
+
+type sysfs_msm_subsys, sysfs_type, fs_type;
+type sysfs_system_sleep_stats, sysfs_type, fs_type;
+type sysfs_rpm, sysfs_type, fs_type;
+type sysfs_power_stats, sysfs_type, fs_type;
+#type sysfs_graphics, sysfs_type, fs_type;
+#type sysfs_ssr, sysfs_type, fs_type;
+#type sysfs_ssr_toggle,  sysfs_type, fs_type;
+#type sysfs_devfreq, sysfs_type, fs_type;
+#type sysfs_kgsl, sysfs_type, fs_type;
+#type sysfs_scsi_devices, sysfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type debugfs_sched_features, debugfs_type, fs_type;
+
+type proc_sysctl_schedboost, proc_type, fs_type;

sepolicy/vendor/file_contexts

@@ -0,0 +1,11 @@
+# Files in rootfs
+/bt_firmware(/.*)?       u:object_r:bt_firmware_file:s0
+/firmware(/.*)?          u:object_r:firmware_file:s0
+/persist(/.*)?           u:object_r:persist_file:s0
+
+# Data files
+/data/display(/.*)?      u:object_r:display_data_file:s0
+
+# Custom HALs
+/vendor/bin/hw/android\.hardware\.light@2\.0-service                                             u:object_r:hal_light_default_exec:s0
+/vendor/bin/hw/android\.hardware\.power-service\.lenovo                                  u:object_r:hal_power_default_exec:s0

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,36 @@
+# Display
+genfscon proc  /touchpanel u:object_r:proc_touchpanel:s0
+genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply u:object_r:sysfs_battery_supply:s0
+#genfscon sysfs /devices/platform/soc/c440000.qcom,spmi/spmi-0/spmi0-02/c440000.qcom,spmi:qcom,pmi8998@2:qcom,qpnp-smb2/power_supply/main u:object_r:sysfs_battery_supply:s0
+
+# SSR
+genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys0/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/aae0000.qcom,venus/subsys0/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys1/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/soc:qcom,ipa_fws/subsys1/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/soc:qcom,kgsl-hyp/subsys2/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys3/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/17300000.qcom,lpass/subsys3/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys4/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/5c00000.qcom,ssc/subsys4/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys5/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/8300000.qcom,turing/subsys5/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/name u:object_r:sysfs_ssr:s0
+genfscon sysfs /devices/platform/soc/4080000.qcom,mss/subsys6/restart_level u:object_r:sysfs_ssr_toggle:s0
+
+genfscon debugfs /wlan0                               u:object_r:debugfs_wlan:s0
+genfscon debugfs /sched_features                      u:object_r:debugfs_sched_features:s0
+
+genfscon sysfs /devices/platform/soc/ae00000.qcom,mdss_mdp/idle_state    u:object_r:sysfs_graphics:s0
+
+#genfscon sysfs /class/devfreq                         u:object_r:sysfs_devfreq:s0
+
+genfscon sysfs /power/rpmh_stats/master_stats         u:object_r:sysfs_rpm:s0
+genfscon sysfs /power/system_sleep/stats              u:object_r:sysfs_system_sleep_stats:s0
+genfscon sysfs /kernel/wlan/power_stats               u:object_r:sysfs_power_stats:s0

sepolicy/vendor/hal_bluetooth.te

@@ -0,0 +1 @@
+allow hal_bluetooth vendor_data_file:file r_file_perms;

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,7 @@
+allow hal_camera_default sysfs:file read;
+allow hal_camera_default sdcardfs:dir { search };
+allow hal_camera_default sdcardfs:file { rw_file_perms };
+allow hal_camera_default nfc_data_file: dir { search open};
+allow hal_camera_default default_android_hwservice:hwservice_manager find;
+allow hal_camera_default mnt_vendor_file:dir { add_name write };
+allow hal_camera_default mnt_vendor_file:file { create getattr open read write };

sepolicy/vendor/hal_fingerprint.te

@@ -0,0 +1 @@
+get_prop(hal_fingerprint, default_prop)

sepolicy/vendor/hal_light.te

@@ -0,0 +1 @@
+allow hal_light sysfs_oem:file getattr;

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,28 @@
+allow hal_power_default debugfs_wlan:dir r_dir_perms;
+allow hal_power_default debugfs_wlan:file r_file_perms;
+
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file r_file_perms;
+
+allow hal_power_default sysfs_rpm:file r_file_perms;
+allow hal_power_default sysfs_system_sleep_stats:file r_file_perms;
+
+# To do powerhint on nodes defined in powerhint.json
+allow hal_power_default sysfs_devfreq:dir search;
+allow hal_power_default sysfs_devfreq:{ file lnk_file } rw_file_perms;
+allow hal_power_default sysfs_kgsl:dir search;
+allow hal_power_default sysfs_kgsl:{ file lnk_file } rw_file_perms;
+allow hal_power_default sysfs_msm_subsys:dir search;
+allow hal_power_default sysfs_msm_subsys:file rw_file_perms;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
+allow hal_power_default device_latency:chr_file rw_file_perms;
+
+allow hal_power_default input_device:dir r_dir_perms;
+allow hal_power_default input_device:chr_file rw_file_perms;
+
+# To get/set powerhal state property
+set_prop(hal_power_default, vendor_power_prop)
+allow hal_power_default system_prop:file r_file_perms;
+
+# Rule for hal_power_default to access graphics composer process
+unix_socket_connect(hal_power_default, pps, hal_graphics_composer_default);

sepolicy/vendor/hal_usb.te

@@ -0,0 +1,2 @@
+# Allow hal_usb to read and write to sysfs_oem
+allow hal_usb sysfs_oem:file rw_file_perms;

sepolicy/vendor/hal_wifi.te

@@ -0,0 +1 @@
+allow hal_wifi proc_net:file w_file_perms;

sepolicy/vendor/hwservice_contexts

@@ -1,2 +1 @@
 vendor.display.color::IDisplayColor      u:object_r:hal_display_color_hwservice:s0
-vendor.qti.hardware.fm::IFmHci           u:object_r:hal_fm_hwservice:s0

sepolicy/vendor/hwservicemanager.te

@@ -0,0 +1 @@
+allow hwservicemanager init:binder transfer;

sepolicy/vendor/init.te

@@ -0,0 +1,13 @@
+# Allow init to mount wlan kernel module
+allow init vendor_file:file mounton;
+
+# Allow init to mount vendor configs
+allow init vendor_configs_file:dir mounton;
+
+# Allow init to chown/chmod on pseudo files in /sys
+allow init sysfs_type:file { open read setattr };
+
+# Allow init create cgroups
+allow init cgroup:file create;
+
+permissive init;

sepolicy/vendor/iorap_prefetcherd.te

@@ -0,0 +1,2 @@
+r_dir_file(iorap_prefetcherd, media_rw_data_file)
+r_dir_file(iorap_prefetcherd, radio_data_file)

sepolicy/vendor/platform_app.te

@@ -0,0 +1 @@
+allow platform_app sysfs_graphics:file r_file_perms;

sepolicy/vendor/property.te

@@ -0,0 +1,5 @@
+type vendor_camera_prop, property_type;
+#type camera_prop, property_type;
+#type vendor_display_prop, property_type;
+#type vendor_audio_prop, property_type;
+type vendor_power_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,14 @@
+audio.                            u:object_r:vendor_audio_prop:s0
+persist.audio                     u:object_r:vendor_audio_prop:s0
+persist.speaker                   u:object_r:vendor_audio_prop:s0
+
+#Camera
+persist.camera.                   u:object_r:exported_system_prop:s0
+ro.camera.                        u:object_r:exported_system_prop:s0
+
+# Powerhal
+vendor.powerhal.state      u:object_r:vendor_power_prop:s0
+vendor.powerhal.audio      u:object_r:vendor_power_prop:s0
+vendor.powerhal.lpm        u:object_r:vendor_power_prop:s0
+vendor.powerhal.init       u:object_r:vendor_power_prop:s0
+vendor.powerhal.rendering  u:object_r:vendor_power_prop:s0

sepolicy/vendor/system_server.te

@@ -0,0 +1,2 @@
+allow system_server default_android_hwservice:hwservice_manager find;
+allow system_server init:binder call;

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,13 @@
+permissive vendor_init;
+
+#type qti_init_shell_exec, exec_type, vendor_file_type,file_type;
+
+# Allow vendor_init to set public_vendor_default_prop
+set_prop(vendor_init, public_vendor_default_prop)
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+# Allow vendor_init to check encryption status of system_data_file
+allow vendor_init system_data_file:dir { ioctl open read setattr };
+
+# Allow vendor_init to set vendor_camera_prop
+set_prop(vendor_init, vendor_camera_prop)

sepolicy/vendor/vndservice.te

@@ -0,0 +1 @@
+type power_stats_service, vndservice_manager_type;