universal7870: import sepolicy from 7580-common

thanks to @danwood76

sepolicy/audioserver.te

@@ -2,8 +2,8 @@
 unix_socket_connect(audioserver, property, rild)
 
 # /efs/maxim
-allow audioserver { efs_file sec_efs_file }:dir r_dir_perms;
+r_dir_file(audioserver, efs_file);
-allow audioserver { efs_file sec_efs_file }:file r_file_perms;
+r_dir_file(audioserver, sec_efs_file);
 
 # TFA98xx amplifier
 allow audioserver amplifier_device:chr_file rw_file_perms;

sepolicy/bluetooth.te

@@ -1,8 +1,6 @@
-# /dev/ttySAC0
+# /dev/ttySAC3
-allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };
+allow bluetooth bluetooth_device:chr_file rw_file_perms ;
-
+allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
-# wcnss_filter
-allow bluetooth wcnss_filter:unix_stream_socket connectto;
 
 # /data/.cid.info
 allow bluetooth wifi_data_file:file r_file_perms;

sepolicy/cameraserver.te

@@ -2,17 +2,11 @@
 allow cameraserver camera_device:chr_file rw_file_perms;
 
 # /sys/devices/virtual/camera/*/*_camfw
-allow cameraserver sysfs_camera:file rw_file_perms;
-
-# searching for syses nodes
 allow cameraserver sysfs_camera:dir search;
+allow cameraserver sysfs_camera:file rw_file_perms;
 
 # /data/camera/ISP_CV
 allow cameraserver camera_data_file:file r_file_perms;
 
 # /data/media(/.*)?
-allow cameraserver media_rw_data_file:dir r_dir_perms;
+r_dir_file(cameraserver, media_rw_data_file);
-allow cameraserver media_rw_data_file:file r_file_perms;
-
-# sysfs_virtual
-allow cameraserver sysfs_virtual:dir search;

sepolicy/charger.te

@@ -1 +1 @@
-allow charger sysfs_charger:file { open read getattr };
+allow charger sysfs_usb_supply:file rw_file_perms;

sepolicy/cpboot-daemon.te

@@ -1,6 +1,6 @@
 # modem daemon sec label
-type cpboot-daemon, domain, coredomain;
+type cpboot-daemon, domain;
-type cpboot-daemon_exec, exec_type, file_type, system_file_type;
+type cpboot-daemon_exec, exec_type, file_type, vendor_file_type;
 
 net_domain(cpboot-daemon)
 init_daemon_domain(cpboot-daemon)
@@ -24,6 +24,8 @@ allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
 allow cpboot-daemon mif_device:chr_file rw_file_perms;
 # /dev/mbin0
 allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
+# /dev/spi_boot_link
+allow cpboot-daemon radio_device:chr_file rw_file_perms;
 # /dev/block/mmcblk0p13
 allow cpboot-daemon block_device:dir r_dir_perms;
 allow cpboot-daemon radio_block_device:blk_file r_file_perms;
@@ -36,12 +38,12 @@ allow cpboot-daemon efs_file:dir r_dir_perms;
 
 # /efs/nv_data.bin
 allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
+allow cpboot-daemon efs_file:file rw_file_perms;
 
-# /sys/bus/usb/devices/1-2/idVendor
+# /proc permissions
-allow cpboot-daemon sysfs:file r_file_perms;
-
-# /proc/cmdline
 allow cpboot-daemon proc_cmdline:file r_file_perms;
+allow cpboot-daemon proc_dt_firmware:dir search;
+allow cpboot-daemon proc_dt_firmware:file { open read };
 
 # set properties on boot
 set_prop(cpboot-daemon, cpboot-daemon_prop)

sepolicy/domain.te

@@ -1 +0,0 @@
-dontaudit domain kernel:system module_request;

sepolicy/file.te

@@ -4,6 +4,7 @@ type battery_efs_file, file_type;
 type baro_delta_factoryapp_efs_file, file_type;
 type bin_nv_data_efs_file, file_type;
 type sec_efs_file, file_type;
+
 # widewine, drm
 type cpk_efs_file, file_type;
 type drm_efs_file, file_type;
@@ -14,29 +15,39 @@ type radio_factoryapp_efs_file, file_type;
 type sensor_efs_file, file_type;
 type sensor_factoryapp_efs_file, file_type;
 type wifi_efs_file, file_type;
+
 # gps
 type gps_data_file, file_type, data_file_type, core_data_file_type;
 type gps_socket, file_type;
 
-### data types
+# proc
-type display_vendor_data_file, file_type, data_file_type;
+type proc_vm, fs_type, proc_type;
+type proc_dt_firmware, fs_type, proc_type;
+type proc_reset_reason, fs_type, proc_type;
+type proc_simslot_count, fs_type, proc_type;
+type proc_input_devices, fs_type, proc_type;
+type proc_sec, fs_type, proc_type;
 
 ### sysfs types
+#type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_sensors, fs_type, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_input, fs_type, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_charger, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_light, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_input, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_wifi, fs_type, sysfs_type, mlstrustedobject;
-type sysfs_svc, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_usb_supply, sysfs_type, fs_type, mlstrustedobject;
-type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mmc, sysfs_type, fs_type, mlstrustedobject;
-type sysfs_modem, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_graphics, sysfs_type, fs_type, mlstrustedobject;
-type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_ion, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_block, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_jack, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject;
+type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
 
-# file
+### data types
-type mobicore_data_file, file_type, data_file_type, core_data_file_type;
+type display_vendor_data_file, file_type, data_file_type;
-
-allow sysfs_type tmpfs:filesystem associate;

sepolicy/file_contexts

@@ -1,11 +1,12 @@
 ##########################
 # Devices
+#
 /dev/mali[0-9]*              u:object_r:gpu_device:s0
 
 /dev/bcm2079x                u:object_r:nfc_device:s0
 /dev/sec-nfc                 u:object_r:nfc_device:s0
 
-/dev/ttySAC0                 u:object_r:bluetooth_device:s0
+/dev/ttySAC3                 u:object_r:bluetooth_device:s0
 
 /dev/s5p-smem                u:object_r:secmem_device:s0
 /dev/mobicore                u:object_r:tee_device:s0
@@ -16,24 +17,25 @@
 /dev/media[0-3]*             u:object_r:camera_device:s0
 /dev/m2m1shot_jpeg           u:object_r:camera_device:s0
 
-/dev/mtp_usb*                u:object_r:mtp_device:s0
-
 /dev/__cbd_msg_              u:object_r:mif_device:s0
 /dev/umts.*                  u:object_r:mif_device:s0
 /dev/ehci_power              u:object_r:mif_device:s0
 /dev/mipi-lli/lli_control    u:object_r:mif_device:s0
 
 /dev/gnss_ipc                u:object_r:gps_device:s0
-/dev/ttySAC[1-9]*            u:object_r:gps_device:s0
+/dev/ttySAC[0-1]*            u:object_r:gps_device:s0
+
+/dev/block/vnswap0           u:object_r:sswap_device:s0
 
 /dev/block/mmcblk0p[0-9]*    u:object_r:emmcblk_device:s0
 
 /dev/block/mmcblk0p10        u:object_r:boot_block_device:s0
 /dev/block/mmcblk0p11        u:object_r:recovery_block_device:s0
-/dev/block/mmcblk0p13        u:object_r:radio_block_device:s0
+/dev/block/mmcblk0p14        u:object_r:radio_block_device:s0
-/dev/block/mmcblk0p19        u:object_r:system_block_device:s0
+/dev/block/mmcblk0p17        u:object_r:frp_block_device:s0
-/dev/block/mmcblk0p20        u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p20        u:object_r:system_block_device:s0
-/dev/block/mmcblk0p25        u:object_r:userdata_block_device:s0
+/dev/block/mmcblk0p21        u:object_r:cache_block_device:s0
+/dev/block/mmcblk0p23        u:object_r:userdata_block_device:s0
 
 /dev/rfkill                  u:object_r:rfkill_device:s0
 
@@ -46,12 +48,13 @@
 /dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
 
 /dev/esfp0                   u:object_r:fingerprint_device:s0
+/dev/vfsspi                  u:object_r:fingerprint_device:s0
 
 /dev/batch_io                u:object_r:sensor_device:s0
 /dev/ssp_sensorhub           u:object_r:sensor_device:s0
 
 # TFA98xx amplifier
-/dev/i2c-20                  u:object_r:amplifier_device:s0
+/dev/i2c-0                   u:object_r:amplifier_device:s0
 
 # Knox status
 /dev/knox_kap                u:object_r:knox_device:s0
@@ -79,7 +82,6 @@
 /efs/prov_data(/.*)?         u:object_r:prov_efs_file:s0
 /efs/wifi(/.*)?              u:object_r:wifi_efs_file:s0
 /efs/wv\.keys                u:object_r:cpk_efs_file:s0
-
 /cpefs(/.*)?                 u:object_r:sec_efs_file:s0
 
 ####################################
@@ -87,17 +89,14 @@
 /data/nfc(/.*)?              u:object_r:nfc_data_file:s0
 /data/\.cid\.info                  u:object_r:wifi_data_file:s0
 /data/misc/conn/\.wifiver\.info    u:object_r:wifi_data_file:s0
-
 /data/misc/radio(/.*)?       u:object_r:radio_data_file:s0
+/data/vendor/display(/.*)?   u:object_r:display_vendor_data_file:s0
 
 # gps
-/data/system/gps(/.*)?      u:object_r:gps_data_file:s0
+/data/system/gps(/.*)?       u:object_r:gps_data_file:s0
-/data/gps/ctrlpipe          u:object_r:gps_data_file:s0
+/data/gps/ctrlpipe                                   u:object_r:gps_data_file:s0
-/data/gps/\.gpslogd\.pipe   u:object_r:gps_data_file:s0
+/data/gps/\.gpslogd\.pipe                            u:object_r:gps_data_file:s0
-/data/gps/nmeapipe          u:object_r:gps_data_file:s0
+/data/gps/nmeapipe                                   u:object_r:gps_data_file:s0
-
-# mobicore
-/data/misc/mcRegistry(/.*)?  u:object_r:mobicore_data_file:s0
 
 /data/biometrics(/.*)?       u:object_r:fingerprintd_data_file:s0
 
@@ -106,25 +105,15 @@
 
 ####################################
 # sysfs files
-/sys/class/power_supply/battery/music -- u:object_r:sysfs:s0
+#/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
-/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs:s0
+#/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
+#/sys/class/lcd(/.*)?         -- u:object_r:sysfs_writable:s0
 
 # bluetooth
-/sys/devices/bluetooth/rfkill/rfkill0/state  u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state  u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bluetooth/rfkill/rfkill0/type   u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type   u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bluetooth/extldo                u:object_r:sysfs_bluetooth_writable:s0
+/sys/class/rfkill/rfkill0/state                     u:object_r:sysfs_bluetooth_writable:s0
-
+/sys/class/rfkill/rfkill0/type                      u:object_r:sysfs_bluetooth_writable:s0
-# brightness
-/sys/devices/[0-9]*\.dsim/backlight/panel/brightness          u:object_r:sysfs_brightness:s0
-/sys/devices/[0-9]*\.dsim/backlight/panel/max_brightness      u:object_r:sysfs_brightness:s0
-
-# camera
-/sys/devices/virtual/camera(/.*)?           u:object_r:sysfs_camera:s0
-
-# charger
-/sys/devices/battery/power_supply(/.*)                                     u:object_r:sysfs_charger:s0
-/sys/devices/13870000.i2c/i2c-7/7-003d/s2mu004-charger/power_supply(/.*)   u:object_r:sysfs_charger:s0
-/sys/devices/13830000.i2c/i2c-10/10-003b/power_supply(/.*)                 u:object_r:sysfs_charger:s0
 
 # CP device
 /dev/spi_boot_link              u:object_r:radio_device:s0
@@ -132,34 +121,11 @@
 # cbd
 /sys/devices/10f24000.mipi-lli/lli_control  u:object_r:sysfs_mipi:s0
 
-# livedisplay
-/data/vendor/display(/.*)?   u:object_r:display_vendor_data_file:s0
-
 # gps
-/sys/devices/soc0/machine      u:object_r:sysfs_gps:s0
+/sys/class/sec/gps                                  u:object_r:sysfs_gps:s0
-/sys/devices/soc0/revision     u:object_r:sysfs_gps:s0
+/sys/devices/soc0/machine                           u:object_r:sysfs_gps:s0
-
+/sys/devices/soc0/revision                          u:object_r:sysfs_gps:s0
-# input
+/sys/devices/139c0000.pinctrl/gpio/gpio137/value    u:object_r:sysfs_gps:s0
-/sys/devices/i2c@20/i2c-6/6-0020/input/input0(/.*)?         u:object_r:sysfs_input:s0
-/sys/devices/13890000.i2c/i2c-9/9-0048/input/input1(/.*)?   u:object_r:sysfs_input:s0
-/sys/devices/10610000.hsi2c/i2c-0/0-a004/input/input2(/.*)? u:object_r:sysfs_input:s0
-/sys/devices/gpio_keys/input/input3(/.*)?                   u:object_r:sysfs_input:s0
-/sys/devices/hall/input/input4(/.*)?                        u:object_r:sysfs_input:s0
-/sys/devices/certify_hall/input/input5(/.*)?                u:object_r:sysfs_input:s0
-
-# lcd
-/sys/devices/[0-9]*\.dsim/lcd/panel/adaptive_control    u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/alpm                u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/dpui                u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/dpui_dbg            u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/lcd_type            u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/lux                 u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/manufacture_code    u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/temperature         u:object_r:sysfs_lcd:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/window_type         u:object_r:sysfs_lcd:s0
-
-# modem
-/sys/module/modem_ctrl_ss310ap/parameters/ds_detect   u:object_r:sysfs_modem:s0
 
 # rild
 /sys/devices/virtual/misc/multipdp(/.*)     u:object_r:sysfs_multipdp:s0
@@ -167,42 +133,38 @@
 /dev/socket/rild-debug2                     u:object_r:rild_debug_socket:s0
 
 # mDNIe
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode          u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility       u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario      u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode                u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux           u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario            u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB     u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux                 u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB           u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode    u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mdnie_ldu     u:object_r:sysfs_mdnie:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/whiteRGB      u:object_r:sysfs_mdnie:s0
 
-# sec
+# Lights
-/sys/class/sec(/.*)?           -- u:object_r:sysfs_sec:s0
+/sys/devices/virtual/sec/sec_touchkey/brightness        u:object_r:sysfs_light:s0
-
+/sys/devices/14800000.dsim/backlight/panel(/.*)?        u:object_r:sysfs_light:s0
-# svc
+/sys/class/leds(/.*)?                                   u:object_r:sysfs_light:s0
-/sys/devices/svc(/.*)?    u:object_r:sysfs_svc:s0
+/sys/devices/virtual/sec/led(/.*)?                      u:object_r:sysfs_light:s0
-
+/sys/class/lcd/panel/power_reduce                       u:object_r:sysfs_light:s0
-# virtual
+/sys/devices/i2c.24/i2c-6/6-0030/leds(/.*)?             u:object_r:sysfs_light:s0
-/sys/devices/virtual(/.*)?    u:object_r:sysfs_virtual:s0
 
+# Wifi
+/sys/module/dhd/parameters/firmware_path            u:object_r:sysfs_wifi:s0
 
 ####################################
 # deamons
 #
 
-/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/mcDriverDaemon   u:object_r:tee_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung                   u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/modemloader      u:object_r:modemloader_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos                    u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/wifiloader       u:object_r:wifiloader_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.3-radio-service\.samsung                   u:object_r:hal_radio_default_exec:s0
-/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service		                u:object_r:hal_nfc_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos        u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung                     u:object_r:hal_lineage_touch_default_exec:s0
-/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service		                u:object_r:hal_gnss_default_exec:s0
 
-/(vendor|system/vendor)/bin/cbd		                                            u:object_r:cpboot-daemon_exec:s0
+/(vendor|system/vendor)/bin/cbd              u:object_r:cpboot-daemon_exec:s0
-/(vendor|system/vendor)/bin/gpsd             									u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/gpsd             u:object_r:gpsd_exec:s0
-/(vendor|system/vendor)/bin/macloader        									u:object_r:macloader_exec:s0
+/(vendor|system/vendor)/bin/sswap            u:object_r:sswap_exec:s0
-/(vendor|system/vendor)/bin/mcDriverDaemon   							        u:object_r:tee_exec:s0
+
-/(vendor|system/vendor)/bin/modemloader      									u:object_r:modemloader_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos    u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
-/(vendor|system/vendor)/bin/sensorhubservice 									u:object_r:sensorhubservice_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung                 u:object_r:hal_lineage_touch_default_exec:s0
-/(vendor|system/vendor)/bin/wcnss_filter     									u:object_r:wcnss_filter_exec:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung               u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos                u:object_r:hal_power_default_exec:s0

sepolicy/fingerprintd.te

@@ -0,0 +1,16 @@
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default)
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;

sepolicy/fsck.te

@@ -1,2 +1,3 @@
-# /dev/block/mmcblk0p3
+# /dev/block/mmcblk0p[0-9]*
-allow fsck emmcblk_device:blk_file { read write open ioctl getattr };
+allow fsck emmcblk_device:blk_file rw_file_perms;
+allowxperm fsck emmcblk_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };

sepolicy/genfs_contexts

@@ -0,0 +1,115 @@
+genfscon proc /device-tree u:object_r:proc_dt_firmware:s0
+
+genfscon proc /sys/vm/dirty_ratio               u:object_r:proc_vm:s0
+genfscon proc /sys/vm/dirty_bytes               u:object_r:proc_vm:s0
+genfscon proc /sys/vm/dirty_background_bytes    u:object_r:proc_vm:s0
+genfscon proc /sys/vm/min_free_kbytes           u:object_r:proc_vm:s0
+
+genfscon proc /sys/vm/swappiness                u:object_r:proc_vm:s0
+genfscon proc /sys/vm/vfs_cache_pressure        u:object_r:proc_vm:s0
+
+genfscon proc /reset_reason     u:object_r:proc_reset_reason:s0
+genfscon proc /simslot_count    u:object_r:proc_simslot_count:s0
+
+genfscon proc /bus/input/devices    u:object_r:proc_input_devices:s0
+
+# SEC devices
+genfscon proc /sec_log          u:object_r:proc_sec:s0
+#genfscon sysfs /class/sec      u:object_r:sysfs_sec:s0
+
+# Power supply devices
+genfscon sysfs /devices/battery.20/power_supply                                     u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/i2c.26/i2c-8/8-0034/s2mu003-charger/power_supply            u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0035/power_supply                    u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/platform/htc_battery/power_supply/ps                        u:object_r:sysfs_usb_supply:s0
+
+# Input devices
+genfscon sysfs /devices/virtual/sec/sec_touchkey                            u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/sec_key                                 u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/sec/tsp                                     u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/secgpio_check                               u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/input                                       u:object_r:sysfs_input:s0
+
+# A3 power devices
+genfscon sysfs /devices/i2c.21/i2c-4/4-0035/power_supply                            u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0034/s2mu003-charger/power_supply    u:object_r:sysfs_usb_supply:s0
+
+# A3 Input devices
+genfscon sysfs /devices/13850000.i2c/i2c-10/10-0050/input/input3            u:object_r:sysfs_input:s0
+genfscon sysfs /devices/i2c.23/i2c-5/5-0020/input/input2                    u:object_r:sysfs_input:s0
+
+# A5 power supply devices
+genfscon sysfs /devices/battery.43/power_supply                                     u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/i2c.42/i2c-7/7-0071/power_supply                            u:object_r:sysfs_usb_supply:s0
+genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0049/sm5705-charger/power_supply     u:object_r:sysfs_usb_supply:s0
+
+# A5 Input devices
+genfscon sysfs /devices/13850000.i2c/i2c-10/10-0020/input/input3            u:object_r:sysfs_input:s0
+genfscon sysfs /devices/i2c.20/i2c-4/4-0020/input/input2                    u:object_r:sysfs_input:s0
+genfscon sysfs /devices/virtual/fingerprint/fingerprint                     u:object_r:sysfs_input:s0
+
+# S5 NEO Input devices
+genfscon sysfs /devices/13860000.i2c/i2c-11/11-0048/input/input2            u:object_r:sysfs_input:s0
+genfscon sysfs /devices/i2c.22/i2c-4/4-0020/input/input1                    u:object_r:sysfs_input:s0
+
+# SEC GPIO input devices
+genfscon sysfs /class/secgpio_check/secgpio_check_all/gpioinit_check        u:object_r:sysfs_input:s0
+genfscon sysfs /class/secgpio_check/secgpio_check_all/gpiosleep_check       u:object_r:sysfs_input:s0
+genfscon sysfs /class/secgpio_check/secgpio_check_all/checked_sleepGPIO     u:object_r:sysfs_input:s0
+
+# Input booster
+genfscon sysfs /class/input_booster/level   u:object_r:sysfs_input:s0
+genfscon sysfs /class/input_booster/head    u:object_r:sysfs_input:s0
+genfscon sysfs /class/input_booster/tail    u:object_r:sysfs_input:s0
+
+# Swap
+genfscon sysfs /devices/virtual/block/vnswap0   u:object_r:sysfs_sswap:s0
+
+# CPU/Scheduler devices
+genfscon sysfs /power/cpufreq_table         u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /power/cpufreq_min_limit     u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /power/cpufreq_max_limit     u:object_r:sysfs_devices_system_cpu:s0
+
+genfscon sysfs /module/cpuidle/parameters/off                       u:object_r:sysfs_devices_system_cpu:s0
+genfscon sysfs /module/cpuidle_exynos64_smp/parameters/enable_mask  u:object_r:sysfs_devices_system_cpu:s0
+
+genfscon sysfs /module/workqueue/parameters/power_efficient         u:object_r:sysfs_devices_system_cpu:s0
+
+# Camera
+genfscon sysfs /devices/virtual/camera              u:object_r:sysfs_camera:s0
+
+# GPS
+genfscon sysfs /devices/virtual/sec/gps             u:object_r:sysfs_gps:s0
+
+# Audio sysfs
+genfscon sysfs /devices/virtual/audio/earjack       u:object_r:sysfs_jack:s0
+
+# USB lun device
+genfscon sysfs /devices/13580000.usb/gadget/lun0    u:object_r:sysfs_android_usb:s0
+
+# MMC block device cache files
+genfscon sysfs /devices/virtual/bdi/179:0/read_ahead_kb     u:object_r:sysfs_block:s0
+genfscon sysfs /devices/virtual/bdi/179:32/read_ahead_kb    u:object_r:sysfs_block:s0
+
+# ION
+genfscon sysfs /devices/virtual/ion_cma     u:object_r:sysfs_ion:s0
+
+# Sensors
+genfscon sysfs /devices/virtual/sensors                             u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0028/iio:device0     u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0068/iio:device1     u:object_r:sysfs_sensors:s0
+genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-002e/iio:device2     u:object_r:sysfs_sensors:s0
+
+
+genfscon sysfs /devices/13540000.dwmmc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmc:s0
+
+genfscon sysfs /devices/virtual/net/rmnet0 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet1 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet2 u:object_r:sysfs_net:s0
+genfscon sysfs /devices/virtual/net/rmnet3 u:object_r:sysfs_net:s0
+
+genfscon sysfs /devices/14830000.decon_fb  u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/14800000.dsim      u:object_r:sysfs_graphics:s0
+
+# video4linux
+genfscon sysfs /devices/12800000.mfc0/video4linux   u:object_r:sysfs_v4l:s0

sepolicy/gpsd.te

@@ -1,7 +1,7 @@
-type gpsd, domain, coredomain;
+type gpsd, domain;
-type gpsd_exec, exec_type, file_type, system_file_type;
+type gpsd_exec, exec_type, file_type, vendor_file_type;
 
-init_daemon_domain(gpsd);
+init_daemon_domain(gpsd)
 
 # Automatically label files created in /data/system/gps as gps_data_file
 file_type_auto_trans(gpsd, system_data_file, gps_data_file)
@@ -10,7 +10,7 @@ file_type_auto_trans(gpsd, system_data_file, gps_data_file)
 unix_socket_connect(gpsd, property, rild)
 unix_socket_connect(gpsd, property, netd)
 
-allow gpsd system_server:unix_stream_socket { read write setopt };
+allow gpsd system_server:unix_stream_socket rw_socket_perms;
 
 binder_call(gpsd, system_server)
 binder_use(gpsd)
@@ -21,23 +21,33 @@ type_transition gpsd gps_data_file:sock_file gps_socket;
 allow gpsd dnsproxyd_socket:sock_file write;
 allow gpsd fwmarkd_socket:sock_file write;
 allow gpsd gps_socket:sock_file create_file_perms;
-allow gpsd self:udp_socket { create bind connect read setopt write }; 
+allow gpsd self:udp_socket create_socket_perms;
- 
-# sysfs_gps
-allow gpsd system_file:dir { open read getattr };
-allow gpsd sysfs_gps:file { open read getattr };
 
-# /dev/ttySAC0
+# sysfs_gps
-allow gpsd bluetooth_device:chr_file { getattr setattr rw_file_perms };
+allow gpsd sysfs_gps:dir search;
-allow gpsd gps_device:chr_file { getattr setattr rw_file_perms };
+allow gpsd sysfs_gps:lnk_file read;
-allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms };
+allow gpsd sysfs_gps:file rw_file_perms;
-allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
+
+# /dev/ttySAC3
+allow gpsd gps_device:chr_file { setattr rw_file_perms };
+allow gpsd gps_data_file:dir rw_dir_perms;
+allow gpsd gps_data_file:fifo_file create_file_perms;
 
 allow gpsd sysfs_wake_lock:file rw_file_perms;
 
-allow gpsd sensorservice_service:service_manager { find };
+allow gpsd sensorservice_service:service_manager find;
 
 # /dev/umts_boot0
 allow gpsd mif_device:chr_file r_file_perms;
 
-allow gpsd shell_exec:file execute;
+# TCP sockets
+allow gpsd port:tcp_socket { name_connect name_bind };
+allow gpsd self:tcp_socket create_socket_perms;
+allow gpsd node:tcp_socket node_bind;
+
+# sec sysfs files
+#allow gpsd sysfs_sec:dir search;
+
+# hwservicemanager ready prop
+allow gpsd hwservicemanager:binder call;
+allow gpsd hwservicemanager_prop:file { open read getattr};

sepolicy/hal_audio_default.te

@@ -1 +0,0 @@
-allow hal_audio_default amplifier_device:chr_file { open read write ioctl };

sepolicy/hal_bluetooth_default.te

@@ -1 +1,6 @@
-allow hal_bluetooth_default device:chr_file ioctl;
+# /dev/ttySAC3
+allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
+
+# /efs
+allow hal_bluetooth_default efs_file:dir search;
+r_dir_file(hal_bluetooth_default, bluetooth_efs_file)

sepolicy/hal_camera_default.te

@@ -1,5 +1,6 @@
-# vndbinder
+allow hal_camera_default sysfs_camera:dir search;
-allow hal_camera_default vndbinder_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_camera:file rw_file_perms;
 
-# sysfs
+allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
-allow hal_camera_default sysfs_virtual:dir search;
+
+vndbinder_use(hal_camera_default)

sepolicy/hal_drm_default.te

@@ -1,5 +1,10 @@
-allow hal_drm_default vndbinder_device:chr_file { ioctl open read write };
+vndbinder_use(hal_drm_default)
 
-allow hal_drm_default secmem_device:chr_file { read write open getattr ioctl };
+# /dev/s5p-smem
+allow hal_drm_default secmem_device:chr_file rw_file_perms;
+allow hal_drm_default tee:unix_stream_socket connectto;
 allow hal_drm_default efs_file:dir search;
-allow hal_drm_default cpk_efs_file:file { open read getattr };
+allow hal_drm_default cpk_efs_file:file r_file_perms;
+
+allow hal_drm_default media_data_file:file create_file_perms;
+allow hal_drm_default media_data_file:dir create_dir_perms;

sepolicy/hal_fingerprint_default.te

@@ -1,20 +1,2 @@
-# allow hal_fingerprint_default to communicate with various devices
+allow hal_fingerprint_default sysfs_input:dir search;
-binder_call(system_app, hal_fingerprint_default);
+allow hal_fingerprint_default sysfs_input:file rw_file_perms;
-
-# kernel fp device
-allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
-
-# secure memory device
-allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
-
-# trust zone device
-allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-allow hal_fingerprint_default tee:unix_stream_socket connectto;
-
-# /data/biometrics/*
-allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
-allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
-
-# sysfs_virtual
-allow hal_fingerprint_default sysfs_virtual:dir { read open search };
-allow hal_fingerprint_default sysfs_virtual:file { read open };

sepolicy/hal_gnss_default.te

@@ -1,4 +1,5 @@
-allow hal_gnss_default gps_data_file:file getattr;
+vndbinder_use(hal_gnss_default)
-allow hal_gnss_default vndbinder_device:chr_file { ioctl open read write };
-allow hal_gnss_default gpsd:unix_stream_socket connectto;
 
+# Allow gnss to access the gpsd data files
+allow hal_gnss_default gps_data_file:dir w_dir_perms;
+allow hal_gnss_default gps_data_file:fifo_file create_file_perms;

sepolicy/hal_graphics_composer.te

@@ -0,0 +1,7 @@
+# Graphics sysfs
+allow hal_graphics_composer_default sysfs_graphics:dir  search;
+allow hal_graphics_composer_default sysfs_graphics:file rw_file_perms;
+
+# uevent socket
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+

sepolicy/hal_health_default.te

@@ -0,0 +1,2 @@
+r_dir_file(hal_health_default, sysfs_usb_supply)
+allow hal_health_default sysfs_usb_supply:file rw_file_perms;

sepolicy/hal_light_default.te

@@ -1,3 +1,13 @@
-allow hal_light_default sysfs_brightness:file { open read write getattr };
+allow hal_light_default sysfs_light:dir search;
-allow hal_light_default sysfs_virtual:dir search;
+allow hal_light_default sysfs_light:file rw_file_perms;
-allow hal_light_default sysfs_virtual:file { read write open getattr };
+
+allow hal_light_default sysfs_graphics:dir search;
+allow hal_light_default sysfs_graphics:file rw_file_perms;
+
+allow hal_light_default sysfs_input:dir search;
+allow hal_light_default sysfs_input:lnk_file read;
+allow hal_light_default sysfs_input:file rw_file_perms;
+
+allow hal_light_default sysfs_sec:dir search;
+allow hal_light_default sysfs_sec:lnk_file read;
+allow hal_light_default sysfs_sec:file rw_file_perms;

sepolicy/hal_lineage_livedisplay_sysfs.te

@@ -1,6 +1,14 @@
 # Allow LiveDisplay to store files under /data/vendor/display and access them
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+
 # Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
-allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
+allow hal_lineage_livedisplay_sysfs {
-allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;
+    sysfs_graphics
+    sysfs_mdnie
+}:dir search;
+
+allow hal_lineage_livedisplay_sysfs {
+    sysfs_graphics
+    sysfs_mdnie
+}:file rw_file_perms;

sepolicy/hal_lineage_touch_default.te

@@ -1,6 +1,2 @@
 allow hal_lineage_touch_default sysfs_input:dir search;
 allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
-
-allow hal_lineage_touch_default sysfs_virtual:dir search;
-allow hal_lineage_touch_default sysfs_virtual:file { open read getattr };
-allow hal_lineage_touch_default sysfs_virtual:lnk_file read;

sepolicy/hal_power_default.te

@@ -2,12 +2,18 @@
 allow hal_power_default sysfs:dir r_dir_perms;
 allow hal_power_default sysfs:file r_file_perms;
 
-allow hal_power_default sysfs_devices_system_cpu:file write;
+# Input devices
+allow hal_power_default sysfs_input:dir r_dir_perms;
+allow hal_power_default sysfs_input:file rw_file_perms;
 
-allow hal_power_default sysfs_input:dir { open read search };
+# CPU devices
-allow hal_power_default sysfs_input:file { open read write getattr };
+allow hal_power_default sysfs_devices_system_cpu:dir search;
+allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 
-allow hal_power_default sysfs_virtual:dir { open read search };
+# Lights
-allow hal_power_default sysfs_virtual:file { open read write getattr };
+allow hal_power_default sysfs_light:dir search;
-allow hal_power_default sysfs:dir { read open };
+allow hal_power_default sysfs_light:file rw_file_perms;
-allow hal_power_default sysfs:file { read write open };
+
+# Graphics
+allow hal_power_default sysfs_graphics:dir search;
+allow hal_power_default sysfs_graphics:file rw_file_perms;

sepolicy/hal_sensors_default.te

@@ -1,3 +0,0 @@
-allow hal_sensors_default input_device:dir { open read search };
-allow hal_sensors_default sysfs:dir { open read };
-

sepolicy/hal_wifi_default.te

@@ -1,15 +1,8 @@
-#### hal_wifi_default
-#
-
-# wifi_data_file
-allow hal_wifi_default wifi_data_file:file { read write open };
-
-# /efs
 allow hal_wifi_default efs_file:dir search;
 
-# /efs/wifi
 allow hal_wifi_default wifi_efs_file:dir search;
-allow hal_wifi_default wifi_efs_file:file { open read };
+allow hal_wifi_default wifi_efs_file:file r_file_perms;
 
-# load .ko modules
+allow hal_wifi_default wifi_data_file:file r_file_perms;
-allow hal_wifi_default self:capability sys_module;
+
+allow hal_wifi_default sysfs_wifi:file write;

sepolicy/hal_wifi_supplicant_default.te

@@ -1,2 +0,0 @@
-allow hal_wifi_supplicant_default rfkill_device:chr_file { open read };
-

sepolicy/healthd.te

@@ -1,5 +1,3 @@
-# healthd
-allow healthd device:dir rw_dir_perms;
 allow healthd rtc_device:chr_file rw_file_perms;
-allow healthd sysfs:file { open read getattr };
+
-allow healthd sysfs_charger:file { open read getattr };
+allow healthd sysfs_usb_supply:file rw_file_perms;

sepolicy/init.te

@@ -4,18 +4,17 @@ allow init debugfs:dir mounton;
 # Mount EFS on /efs
 allow init efs_file:dir  mounton;
 
+# Mount CPEFS on /cpefs
+allow init sec_efs_file:dir mounton;
+
 # /dev/block/mmcblk0p[0-9]
 allow init emmcblk_device:blk_file rw_file_perms;
 
-allow init block_device:lnk_file { setattr };
+allow init block_device:lnk_file setattr;
 allow init tmpfs:lnk_file create_file_perms;
 
 # /sys/class/power_supply/battery and /sys/class/android_usb/android0
-allow init proc:file { getattr setattr read write open };
+allow init sysfs_usb_supply:file { rw_file_perms setattr };
-
-# Shim libs
-allow init cameraserver:process noatsecure;
-allow init hal_fingerprint_default:process noatsecure;
 
 # /data
 allow init sdcardd_exec:file r_file_perms;
@@ -23,34 +22,74 @@ allow init sdcardd_exec:file r_file_perms;
 # sysfs iio:device[0-9]
 allow init sysfs:lnk_file setattr;
 
+# sysfs ion device
+allow init sysfs_ion:file setattr;
+
+# sysfs usb device
+allow init sysfs_android_usb:file setattr;
+
 # read/chown mDNIE symlinks
-allow init sysfs_mdnie:lnk_file { read setattr };
+allow init sysfs_mdnie:lnk_file { r_file_perms setattr };
+allow init sysfs_mdnie:file rw_file_perms;
 
 # read/chown camera firmware
 allow init sysfs_camera:file { relabelto setattr };
 allow init sysfs_camera:filesystem associate;
 
-# sysfs
+# WiFi firmware permissions
+allow init sysfs_wifi:file setattr;
+
+# Input devices
+allow init sysfs_input:file { rw_file_perms setattr };
+
+# BT permissions
 allow init sysfs_bluetooth_writable:file setattr;
-allow init sysfs_mdnie:file setattr;
+
-allow init sysfs_multipdp:file setattr;
+# GPS permissions
-allow init sysfs_devices_system_cpu:file write;
+allow init sysfs_gps:lnk_file read;
-allow init sysfs_gps:file setattr;
+allow init sysfs_gps:file { rw_file_perms setattr };
-allow init sysfs_sec:file setattr ;
+allow init gps_data_file:fifo_file write;
-allow init sysfs_brightness:file setattr;
+allow init gps_data_file:file lock;
-allow init sysfs_input:file setattr;
+allow init gps_device:chr_file { open read write };
-allow init sysfs_lcd:file { setattr open };
+
-allow init sysfs_svc:file setattr;
+# CPU permissions
-allow init sysfs_modem:file { setattr open write };
+allow init sysfs_devices_system_cpu:file rw_file_perms;
-allow init sysfs_wlan_fwpath:file setattr;
+
-allow init sysfs_virtual:file { open setattr write };
+# umts permissions
-allow init sysfs_virtual:lnk_file read;
+allow init mif_device:chr_file rw_file_perms;
-allow init sysfs_charger:file setattr;
+
-allow init sysfs:file setattr;
+# sswap permissions
+allow init sswap_device:blk_file write;
+allow init sysfs_sswap:file { open write };
+
+# Block device sysfs
+allow init sysfs_block:file rw_file_perms;
+
+# Audio Jack
+allow init sysfs_jack:file setattr;
 
 unix_socket_connect(init, property, rild)
-allow init socket_device:sock_file { unlink create setattr };
 
-allow init tee_device:chr_file { read write open ioctl getattr };
+# Allow access to /proc/device-tree nodes
-allow init system_file:file execute;
+r_dir_file(init, proc_dt_firmware)
-allow init sysfs_modem:file r_file_perms;
+
+allow init sysfs_mmc:file { w_file_perms setattr };
+allow init sysfs_net:file rw_file_perms;
+allow init sysfs_graphics:file { rw_file_perms setattr };
+allow init sysfs_light:file { rw_file_perms setattr };
+allow init sysfs_light:lnk_file { rw_file_perms setattr };
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_sec:file { rw_file_perms setattr };
+allow init sysfs_sec:lnk_file read;
+allow init sysfs_sensors:file { rw_file_perms setattr };
+allow init sysfs_sensors:lnk_file read;
+allow init sysfs_multipdp:file setattr;
+
+# Proc files
+allow init proc_reset_reason:file { rw_file_perms setattr };
+allow init proc_vm:file rw_file_perms;
+allow init proc_simslot_count:file rw_file_perms;
+allow init proc_sec:file { rw_file_perms setattr };
+
+# Sockets
+allow init socket_device:sock_file { read write getattr setattr create unlink };

sepolicy/installd.te

@@ -1,3 +0,0 @@
-# TbStorage (mobicore)
-allow installd mobicore_data_file:dir { rw_dir_perms rmdir };
-allow installd device:file { read write open };

sepolicy/kernel.te

@@ -1,27 +1,22 @@
 allow kernel self:capability { chown mknod };
-dontaudit kernel kernel:capability { dac_override dac_read_search };
 
 # /dev/mbin0
 allow kernel emmcblk_device:blk_file r_file_perms;
-allow kernel device:blk_file { create setattr getattr unlink };
-# /bus/usb/001/001
-allow kernel device:dir { create write remove_name rmdir add_name };
-allow kernel device:chr_file { create setattr getattr unlink };
 
 # /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
-allow kernel sysfs_devices_system_cpu:file { setattr };
+allow kernel sysfs_devices_system_cpu:file setattr;
-allow kernel sysfs:file { setattr };
 
 # /efs contents
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
 
 # /efs/wifi/.mac.info
-allow kernel wifi_efs_file:dir r_dir_perms;
+r_dir_file(kernel, wifi_efs_file);
-allow kernel wifi_efs_file:file r_file_perms;
 
 # /data/misc/conn/.wifiver.info
 allow kernel wifi_data_file:file rw_file_perms;
 
-# sysfs_lcd
+# Allow kernel to search tmpfs
-allow kernel sysfs_lcd:file { open read };
+allow kernel tmpfs:dir search;
+
+allow kernel self:capability sys_module;

sepolicy/macloader.te

@@ -1,30 +0,0 @@
-#### macloader
-#
-type macloader, domain, coredomain;
-type macloader_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(macloader)
-
-allow macloader self:capability { chown fowner fsetid };
-allow macloader self:process execmem;
-
-# Write into /data
-allow macloader system_data_file:dir { add_name search write };
-allow macloader system_file:file execute_no_trans;
-
-# /data/.cid.info
-# Automatically label files created in /data/ as wifi_data_file
-file_type_auto_trans(macloader, system_data_file, wifi_data_file)
-
-allow macloader wifi_data_file:dir create_dir_perms;
-allow macloader wifi_data_file:file { create_file_perms getattr setattr };
-
-# /sys/module/dhd/parameters/nvram_path
-allow macloader sysfs:file rw_file_perms;
-
-# /efs
-allow macloader efs_file:dir r_dir_perms;
-
-# /efs/wifi/.mac.info
-allow macloader wifi_efs_file:dir r_dir_perms;
-allow macloader wifi_efs_file:file r_file_perms;

sepolicy/mediacode.te

@@ -1,5 +0,0 @@
-# /system/lib/omx/
-allow mediacodec system_file:dir r_dir_perms;
-
-# /sys/class/video4linux/video6/name
-allow mediacodec sysfs:file r_file_perms;

sepolicy/mediacodec.te

@@ -1,11 +1,5 @@
 # /system/lib/omx/
 allow mediacodec system_file:dir r_dir_perms;
 
-# /sys/class/video4linux/video6/name
+# /sys/class/video4linux/*
-allow mediacodec sysfs:file r_file_perms;
+r_dir_file(mediacodec, sysfs_v4l);
-
-allow mediacodec sysfs:dir { open read };
-
-# sysfs_virtual
-allow mediacodec sysfs_virtual:dir { open read search };
-allow mediacodec sysfs_virtual:file { open read };

sepolicy/mediadrmserver.te

@@ -1,2 +0,0 @@
-allow mediadrmserver media_data_file:file { getattr open read create write };
-allow mediadrmserver media_data_file:dir { getattr write search add_name };

sepolicy/mediaextractor.te

@@ -1 +0,0 @@
-allow mediaextractor fuse:file { read getattr };

sepolicy/mediaserver.te

@@ -5,8 +5,8 @@ allow mediaserver efs_file:dir r_dir_perms;
 allow mediaserver efs_file:file r_file_perms;
 
 # /dev/m2m1shot_jpeg
-allow mediaserver camera_device:chr_file { read write open getattr ioctl };
+allow mediaserver camera_device:chr_file rw_file_perms;
 
 # Snap permissions
-allow mediaserver sensorservice_service:service_manager { find };
+allow mediaserver sensorservice_service:service_manager find;
-allow mediaserver system_server:unix_stream_socket { read write };
+allow mediaserver system_server:unix_stream_socket rw_stream_socket_perms;

sepolicy/modemloader.te

@@ -1,7 +1,7 @@
 #### modemloader
 #
-type modemloader, domain, coredomain;
+type modemloader, domain;
-type modemloader_exec, exec_type, file_type, system_file_type;
+type modemloader_exec, exec_type, file_type, vendor_file_type;
 
 init_daemon_domain(modemloader)
 

sepolicy/netd.te

@@ -1,4 +1,4 @@
 allow netd self:capability sys_module;
 allow netd gpsd:fd use;
-allow netd gpsd:udp_socket { read write getopt setopt };
+allow netd gpsd:udp_socket rw_socket_perms;
-allow netd device:file { read write open };
+allow netd gpsd:tcp_socket rw_socket_perms;

sepolicy/nfc.te

@@ -1,2 +0,0 @@
-allow nfc sec_efs_file:dir search;
-allow nfc efs_file:dir search;

sepolicy/property.te

@@ -6,3 +6,6 @@ type modemloader_prop, property_type;
 
 # mobicore (tee)
 type tee_prop, property_type;
+
+# sswap
+type sswap_prop, property_type;

sepolicy/property_contexts

@@ -17,3 +17,6 @@ persist.ril.modem.board    u:object_r:radio_prop:s0
 persist.ril.ims.eutranParam u:object_r:radio_prop:s0
 persist.ril.ims.utranParam  u:object_r:radio_prop:s0
 persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
+
+# sswap
+persist.sys.swapoff     u:object_r:sswap_prop:s0

sepolicy/rild.te

@@ -1,17 +1,16 @@
 # Allow rild to change perms
-allow rild self:capability { chown };
+allow rild self:capability chown;
 
 # Allow additiional efs access
-allow rild bin_nv_data_efs_file:file create_file_perms;
+r_dir_file(rild, imei_efs_file);
-allow rild imei_efs_file:dir r_dir_perms;
+r_dir_file(rild, app_efs_file);
-allow rild imei_efs_file:file rw_file_perms;
-allow rild app_efs_file:dir r_dir_perms;
-allow rild app_efs_file:file r_file_perms;
 
-# /dev
+# /efs/nv_data.bin
-allow rild audioserver:dir r_dir_perms;
+allow rild bin_nv_data_efs_file:file create_file_perms;
-# /proc/<pid>/cmdline
+allowxperm rild bin_nv_data_efs_file:file ioctl { 0x6601 0x6602 };
-allow rild audioserver:file r_file_perms;
+
+# audioserver
+r_dir_file(rild, audioserver);
 
 # /dev/mbin0
 allow rild block_device:dir r_dir_perms;
@@ -23,15 +22,17 @@ allow rild mif_device:chr_file rw_file_perms;
 # /sys/devices/virtual/misc/multipdp/waketime
 allow rild sysfs_multipdp:file rw_file_perms;
 
+allow rild sysfs_input:file rw_file_perms;
+
 # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
 allow rild proc_net:file rw_file_perms;
 
-allow rild gpsd:dir r_dir_perms;
+r_dir_file(rild, gpsd);
-allow rild gpsd:file r_file_perms;
+
+allow rild proc_qtaguid_stat:file r_file_perms;
 
 # rild reads /proc/pid/cmdline of mediaserver
-allow rild mediaserver:dir { open read search getattr };
+r_dir_file(rild, mediaserver);
-allow rild mediaserver:file { open read getattr };
 
 # /data/misc/radio/*
 allow rild radio_data_file:dir rw_dir_perms;
@@ -40,10 +41,10 @@ allow rild radio_data_file:file create_file_perms;
 allow rild radio_data_file:lnk_file r_file_perms;
 
 # sdcard/SDET_PLMN/input/MNCMCC.txt
-allow rild storage_file:dir { r_dir_perms };
+allow rild storage_file:dir r_dir_perms;
-allow rild storage_file:lnk_file { r_file_perms };
+allow rild storage_file:lnk_file r_file_perms;
-allow rild mnt_user_file:dir { r_dir_perms };
+allow rild mnt_user_file:dir r_dir_perms;
-allow rild mnt_user_file:lnk_file { r_file_perms };
+allow rild mnt_user_file:lnk_file r_file_perms;
 
 # Modem firmware download
 allow rild radio_block_device:blk_file r_file_perms;
@@ -53,3 +54,6 @@ set_prop(modemloader, radio_prop)
 
 # /dev/knox_kap
 allow rild knox_device:chr_file r_file_perms;
+
+# /data/media/0
+allow rild media_rw_data_file:dir r_dir_perms;

sepolicy/sensorhubservice.te

@@ -1,24 +0,0 @@
-#### sensorhubservice
-#
-type sensorhubservice, domain, coredomain;
-type sensorhubservice_exec, exec_type, file_type, system_file_type;
-type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
-init_daemon_domain(sensorhubservice)
-
-# /dev/input[0-9]*
-allow sensorhubservice input_device:dir r_dir_perms;
-allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
-
-# binder call
-allow sensorhubservice servicemanager:binder { call transfer };
-
-allow sensorhubservice sysfs:file { getattr open read };
-
-# sysfs_virtual
-allow sensorhubservice sysfs_virtual:file { open read getattr setattr };
-allow sensorhubservice sysfs_virtual:dir { open read search };
-allow sensorhubservice sysfs_virtual:lnk_file read;
-
-allow sensorhubservice sysfs_input:dir search;
-allow sensorhubservice sysfs_input:lnk_file read;
-allow sensorhubservice sysfs_input:file { read write open getattr };

sepolicy/service_contexts

@@ -1,13 +1,2 @@
-vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW  u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+# HWC
-vendor.samsung.hardware.gnss::ISecGnss                                u:object_r:hal_gnss_hwservice:s0
+Exynos.HWCService                           u:object_r:surfaceflinger_service:s0
-vendor.trustonic.tee::ITee                        u:object_r:hal_tee_hwservice:s0
-vendor.trustonic.teeregistry::ITeeRegistry        u:object_r:hal_teeregistry_hwservice:s0
-vendor.samsung.hardware.security.widevine.keyprovisioning::ISehWidevineKeyProvisioning        u:object_r:hal_wvkprov_hwservice:s0
-vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload		u:object_r:hal_bluetooth_a2dp_hwservice:s0
-vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory		u:object_r:hal_bluetooth_a2dp_hwservice:s0
-vendor.samsung.hardware.snap::ISehSnap                         u:object_r:snap_hwservice:s0
-vendor.samsung.hardware.radio.bridge::ISehBridge            u:object_r:hal_telephony_hwservice:s0
-vendor.samsung.hardware.radio::ISehRadio                    u:object_r:hal_telephony_hwservice:s0
-vendor.samsung.hardware.radio.channel::ISehChannel          u:object_r:hal_telephony_hwservice:s0
-com.qualcomm.qti.ant::IAntHci              u:object_r:hal_bluetooth_hwservice:s0
-

sepolicy/servicemanager.te

@@ -1,3 +0,0 @@
-allow servicemanager sensorhubservice:dir search;
-allow servicemanager sensorhubservice:file { getattr open read };
-allow servicemanager sensorhubservice:process getattr;

sepolicy/sswap.te

@@ -0,0 +1,18 @@
+type sswap, domain;
+type sswap_exec, exec_type, file_type, vendor_file_type;
+type sswap_device, dev_type;
+
+init_daemon_domain(sswap);
+
+allow sswap sswap_device:blk_file rw_file_perms;
+allow sswap sysfs_sswap:file rw_file_perms;
+allow sswap sysfs_sswap:dir search;
+allow sswap block_device:dir search;
+allow sswap self:capability sys_admin;
+
+allow sswap proc_meminfo:file r_file_perms;
+
+allow sswap properties_device:dir r_dir_perms;
+r_dir_file(sswap, proc_stat);
+
+set_prop(sswap, sswap_prop)

sepolicy/surfaceflinger.te

@@ -1,3 +1,4 @@
 # HWC
 allow surfaceflinger secmem_device:chr_file rw_file_perms;
-allow surfaceflinger sysfs:file { getattr open read };
+allow surfaceflinger sysfs_graphics:file rw_file_perms;
+r_dir_file(surfaceflinger, sysfs_graphics)

sepolicy/sysfs_sec.te

@@ -1,2 +0,0 @@
-#============= sysfs_sec ==============
-allow sysfs_sec sysfs:filesystem associate;

sepolicy/system_app.te

@@ -1,3 +1,4 @@
 allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
 allow system_app sysfs_mdnie:dir search;
+allow system_app sysfs_graphics:dir search;
 allow system_app wificond:binder call;

sepolicy/system_server.te

@@ -1,7 +1,3 @@
-# /dev/mbin0
-allow system_server emmcblk_device:dir search;
-allow system_server emmcblk_device:blk_file { read write open ioctl getattr };
-
 # /efs
 allow system_server efs_file:dir r_dir_perms;
 
@@ -26,12 +22,13 @@ allow system_server app_efs_file:dir r_dir_perms;
 allow system_server app_efs_file:file r_file_perms;
 
 # WifiMachine
-allow system_server self:capability { sys_module };
+allow system_server self:capability sys_module;
 allow system_server wifi_efs_file:dir r_dir_perms;
 allow system_server wifi_efs_file:file r_file_perms;
 
 # mDNIE
 allow system_server sysfs_mdnie:lnk_file rw_file_perms;
+#allow system_server sysfs_mdnie:dir rw_dir_perms;
 allow system_server sysfs_mdnie:file rw_file_perms;
 
 # memtrack HAL
@@ -41,17 +38,20 @@ allow system_server debugfs:dir r_dir_perms;
 allow system_server sensor_device:chr_file rw_file_perms;
 allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
 allow system_server sensor_factoryapp_efs_file:file r_file_perms;
-
+allow system_server sysfs_sensors:file rw_file_perms;
-# sysfs
-allow system_server sysfs_brightness:file write;
-allow system_server sysfs_input:file write;
-allow system_server sysfs_sec:file write;
-allow system_server sysfs_devices_system_cpu:file write;
-allow system_server sysfs_virtual:file write;
 
 # /data/system/gps/xtraee.bin
 allow system_server gps_data_file:file create_file_perms;
 
-unix_socket_connect(system_server, property, gpsd)
+# Bluetooth buildprop
+get_prop(system_server, bluetooth_prop)
 
-allow system_server proc:file { read open getattr };
+# Grpahics sysfs
+allow system_server sysfs_graphics:file rw_file_perms;
+
+# Input sysfs
+allow system_server sysfs_input:file rw_file_perms;
+
+allow system_server proc_input_devices:file r_file_perms;
+
+unix_socket_connect(system_server, property, gpsd)

sepolicy/tee.te

@@ -1,11 +1,9 @@
-# mobicore
-
-# Allow to create files and directories /data/app/mcRegistry
-file_type_auto_trans(tee, apk_data_file, mobicore_data_file);
-
 # /efs
 allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
 
+# Allow mobicore to search apk data
+allow tee apk_data_file:dir search;
+
 # sys.mobicore.enable
 set_prop(tee, tee_prop)

sepolicy/toolbox.te

@@ -1,6 +0,0 @@
-allow toolbox block_device:dir { add_name write };
-allow toolbox block_device:lnk_file create;
-allow toolbox emmcblk_device:blk_file setattr;
-allow toolbox self:capability { chown fowner fsetid };
-allow toolbox sysfs:file getattr;
-allow toolbox sysfs_devices_system_cpu:file setattr;

sepolicy/ueventd.te

@@ -1,11 +1,14 @@
 # /dev/block/mmcblk0p[0-9]
-allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink rw_file_perms };
 
 # /sys/devices/virtual/misc/multipdp/uevent
 allow ueventd sysfs_multipdp:file rw_file_perms;
 
-allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
-
 # read/chown camera firmware
-allow ueventd sysfs_camera:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera:file { relabelto rw_file_perms };
 allow ueventd sysfs_camera:filesystem associate;
+
+allow ueventd sysfs_usb_supply:file w_file_perms;
+
+# Allow access to /proc/device-tree nodes
+r_dir_file(ueventd, proc_dt_firmware)

sepolicy/vold.te

@@ -2,7 +2,7 @@
 allow vold efs_file:dir r_dir_perms;
 # /dev/block/mmcblk0p[0-9]
 allow vold emmcblk_device:dir create_dir_perms;
-allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+allow vold emmcblk_device:blk_file { setattr unlink rw_file_perms };
 
-# sysfs_virtual
+allow vold sysfs_mmc:file w_file_perms;
-allow vold sysfs_virtual:file write;
+r_dir_file(vold, proc_dt_firmware)

sepolicy/wcnss_filter.te

@@ -1,8 +0,0 @@
-type wcnss_filter, domain, coredomain;
-type wcnss_filter_exec, exec_type, file_type, system_file_type;
-
-init_daemon_domain(wcnss_filter)
-
-allow wcnss_filter bluetooth_device:chr_file rw_file_perms;
-
-set_prop(wcnss_filter, bluetooth_prop);

sepolicy/webview_zygote.te

@@ -1 +0,0 @@
-allow webview_zygote zygote:unix_dgram_socket write;

sepolicy/wifiloader.te

@@ -1,11 +1,22 @@
-# wifiloader
+#### wifiloader
+#
 type wifiloader, domain;
-type wifiloader_exec, exec_type, file_type;
+type wifiloader_exec, exec_type, file_type, vendor_file_type;
 
 init_daemon_domain(wifiloader)
+unix_socket_connect(wifiloader, property, init)
 
 allow wifiloader proc:file r_file_perms;
+allow wifiloader sysfs_wlan_fwpath:file setattr;
+allow wifiloader wifi_data_file:file rw_file_perms;
+set_prop(wifiloader, wifi_prop);
+
+# /efs
+allow wifiloader efs_file:dir search;
+
+# /efs/wifi
+allow wifiloader wifi_efs_file:dir search;
+allow wifiloader wifi_efs_file:file r_file_perms;
 
 # load .ko modules
-allow kernel self:capability sys_module;
+allow wifiloader self:capability { chown sys_module };
-allow wifiloader self:capability sys_module;

sepolicy/zygote.te

@@ -1 +1 @@
-allow zygote proc_cmdline:file { getattr open read write };
+dontaudit zygote proc_cmdline:file r_file_perms;

sepolicy_minimal/file.te

@@ -1,3 +0,0 @@
-type sec_efs_file, file_type;
-
-

sepolicy_minimal/file_contexts

@@ -1,3 +0,0 @@
-/cpefs(/.*)?              u:object_r:sec_efs_file:s0
-
-