universal7870: update sepolicy (wip)

sepolicy/audioserver.te

@@ -1,5 +1,9 @@
 # Allow rild to connect to gpsd
 unix_socket_connect(audioserver, property, rild)
 
+# /efs/maxim
 allow audioserver { efs_file sec_efs_file }:dir r_dir_perms;
 allow audioserver { efs_file sec_efs_file }:file r_file_perms;
+
+# TFA98xx amplifier
+allow audioserver amplifier_device:chr_file rw_file_perms;

sepolicy/bluetooth.te

@@ -1,5 +1,8 @@
 # /dev/ttySAC0
 allow bluetooth bluetooth_device:chr_file { rw_file_perms ioctl };
 
+# wcnss_filter
+allow bluetooth wcnss_filter:unix_stream_socket connectto;
+
 # /data/.cid.info
 allow bluetooth wifi_data_file:file r_file_perms;

sepolicy/cameraserver.te

@@ -1,18 +1,18 @@
+# /dev/m2m1shot_jpeg
+allow cameraserver camera_device:chr_file rw_file_perms;
+
 # /sys/devices/virtual/camera/*/*_camfw
-allow cameraserver sysfs_camera_writable:file rw_file_perms;
+allow cameraserver sysfs_camera:file rw_file_perms;
 
 # searching for syses nodes
-allow cameraserver sysfs_camera_writable:dir search;
+allow cameraserver sysfs_camera:dir search;
+
+# /data/camera/ISP_CV
+allow cameraserver camera_data_file:file r_file_perms;
 
 # /data/media(/.*)?
 allow cameraserver media_rw_data_file:dir r_dir_perms;
 allow cameraserver media_rw_data_file:file r_file_perms;
 
-# /dev/m2m1shot_jpeg
+# sysfs_virtual
-allow cameraserver camera_device:chr_file rw_file_perms;
+allow cameraserver sysfs_virtual:dir search;
-
-# /sys/devices/virtual/camera/*/*_camfw
-allow cameraserver sysfs_camera_writable:file rw_file_perms;
-
-# /data/camera/ISP_CV
-allow cameraserver camera_data_file:file r_file_perms;

sepolicy/charger.te

@@ -0,0 +1 @@
+allow charger sysfs_charger:file { open read getattr };

sepolicy/cpboot-daemon.te

@@ -1,11 +1,11 @@
 # modem daemon sec label
-type cpboot-daemon, domain;
+type cpboot-daemon, domain, coredomain;
-type cpboot-daemon_exec, exec_type, file_type;
+type cpboot-daemon_exec, exec_type, file_type, system_file_type;
 
 net_domain(cpboot-daemon)
 init_daemon_domain(cpboot-daemon)
 wakelock_use(cpboot-daemon)
-#unix_socket_connect(cpboot-daemon, property, init)
+set_prop(cpboot-daemon, modemloader_prop)
 
 allow cpboot-daemon self:capability { setuid setgid };
 
@@ -14,22 +14,23 @@ allow cpboot-daemon self:capability { setuid setgid };
 allow cpboot-daemon kernel:system syslog_read;
 allow cpboot-daemon cgroup:dir create_dir_perms;
 
+# /dev/log/*
+#allow cpboot-daemon log_device:dir r_dir_perms;
+#allow cpboot-daemon log_device:chr_file rw_file_perms;
 # /dev/kmsg (write to kernel log)
 allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
 
 # /dev/umts_boot0
 allow cpboot-daemon mif_device:chr_file rw_file_perms;
-
 # /dev/mbin0
 allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
-
-# /dev/spi_boot_link
-allow cpboot-daemon radio_device:chr_file rw_file_perms;
-
 # /dev/block/mmcblk0p13
 allow cpboot-daemon block_device:dir r_dir_perms;
 allow cpboot-daemon radio_block_device:blk_file r_file_perms;
 
+# /dev/mipi-lli/lli_control
+allow cpboot-daemon sysfs_mipi:file rw_file_perms;
+
 # /efs
 allow cpboot-daemon efs_file:dir r_dir_perms;
 
@@ -40,7 +41,7 @@ allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
 allow cpboot-daemon sysfs:file r_file_perms;
 
 # /proc/cmdline
-allow cpboot-daemon proc:file r_file_perms;
+allow cpboot-daemon proc_cmdline:file r_file_perms;
 
 # set properties on boot
 set_prop(cpboot-daemon, cpboot-daemon_prop)

sepolicy/device.te

@@ -1,26 +1,35 @@
-# /dev/s5p-smem
+# /dev/ttySAC3
-type secmem_device, dev_type;
+type bluetooth_device, dev_type;
 
-# /dev/umts*
+# /dev/block/mmcblk0p[0-9] (/dev/mbin0)
-type mif_device, dev_type;
-
-# /dev/block/mmcblk0p[0-9]
 type emmcblk_device, file_type;
 
+# Radio block device mounted on /efs.
+type radio_block_device, dev_type;
+
+# /dev/umts_boot*, /dev/ehci_power
+type mif_device, dev_type;
+
 # /dev/rfkill
 type rfkill_device, dev_type;
 
-# efs
+# /dev/s5p-smem
-type efs_block_device, dev_type;
+type secmem_device, dev_type;
 
-# radio
+# /dev/bbd*, /dev/ttyBCM[0-9]*
-type radio_block_device, dev_type;
+type bbd_device, dev_type;
 
-# gps
+# /dev/vfsspi
-type gps_device, dev_type;
+type fingerprint_device, dev_type;
 
-# bluetooth
+# /dev/batch_io
-type bluetooth_device, dev_type;
+type sensor_device, dev_type;
+
+# /dev/i2c-20 - TFA98xx amplifier
+type amplifier_device, dev_type;
 
 # /dev/knox_kap
 type knox_device, dev_type;
+
+# GPS
+type gps_device, dev_type;

sepolicy/domain.te

@@ -1 +1 @@
-dontaudit domain kernel:system module_request;
+dontaudit domain kernel:system module_request;

sepolicy/file.te

@@ -1,23 +1,42 @@
-# efs types
+### efs types
 type app_efs_file, file_type;
 type battery_efs_file, file_type;
+type baro_delta_factoryapp_efs_file, file_type;
 type bin_nv_data_efs_file, file_type;
-type nv_log_efs_file, file_type;
+type sec_efs_file, file_type;
+# widewine, drm
 type cpk_efs_file, file_type;
+type drm_efs_file, file_type;
+type factorymode_factoryapp_efs_file, file_type;
 type imei_efs_file, file_type;
 type prov_efs_file, file_type;
-type sec_efs_file, file_type;
+type radio_factoryapp_efs_file, file_type;
-type wifi_efs_file, file_type;
 type sensor_efs_file, file_type;
-
+type sensor_factoryapp_efs_file, file_type;
-# general types
+type wifi_efs_file, file_type;
-type mobicore_data_file, file_type, data_file_type, core_data_file_type;
+# gps
 type gps_data_file, file_type, data_file_type, core_data_file_type;
-type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
+type gps_socket, file_type;
 
-# sysfs types
+### data types
-type sysfs_mdnie_writable, fs_type, sysfs_type, mlstrustedobject;
+type display_vendor_data_file, file_type, data_file_type;
-type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
+
-type sysfs_camera_writable, fs_type, sysfs_type, mlstrustedobject;
+### sysfs types
+type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_sec, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_charger, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_brightness, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_input, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_svc, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_lcd, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_modem, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_virtual, fs_type, sysfs_type, mlstrustedobject;
+
+# file
+type mobicore_data_file, file_type, data_file_type, core_data_file_type;
 
 allow sysfs_type tmpfs:filesystem associate;

sepolicy/file_contexts

@@ -1,10 +1,15 @@
-# devices
+##########################
+# Devices
 /dev/mali[0-9]*              u:object_r:gpu_device:s0
-/dev/mali.*                  u:object_r:video_device:s0
+
+/dev/bcm2079x                u:object_r:nfc_device:s0
+/dev/sec-nfc                 u:object_r:nfc_device:s0
 
 /dev/ttySAC0                 u:object_r:bluetooth_device:s0
 
 /dev/s5p-smem                u:object_r:secmem_device:s0
+/dev/mobicore                u:object_r:tee_device:s0
+/dev/mobicore-user           u:object_r:tee_device:s0
 
 /dev/v4l-subdev[0-9]*        u:object_r:video_device:s0
 /dev/m2m1shot_scaler[0-9]*   u:object_r:video_device:s0
@@ -13,14 +18,14 @@
 
 /dev/mtp_usb*                u:object_r:mtp_device:s0
 
+/dev/__cbd_msg_              u:object_r:mif_device:s0
 /dev/umts.*                  u:object_r:mif_device:s0
+/dev/ehci_power              u:object_r:mif_device:s0
+/dev/mipi-lli/lli_control    u:object_r:mif_device:s0
 
 /dev/gnss_ipc                u:object_r:gps_device:s0
 /dev/ttySAC[1-9]*            u:object_r:gps_device:s0
 
-/dev/socket/rild2            u:object_r:rild_socket:s0
-/dev/socket/rild-debug2      u:object_r:rild_debug_socket:s0
-
 /dev/block/mmcblk0p[0-9]*    u:object_r:emmcblk_device:s0
 
 /dev/block/mmcblk0p10        u:object_r:boot_block_device:s0
@@ -32,62 +37,172 @@
 
 /dev/rfkill                  u:object_r:rfkill_device:s0
 
+/dev/bbd_control             u:object_r:bbd_device:s0
+/dev/bbd_packet              u:object_r:bbd_device:s0
+/dev/bbd_patch               u:object_r:bbd_device:s0
+/dev/bbd_reliable            u:object_r:bbd_device:s0
+/dev/bbd_sensor              u:object_r:bbd_device:s0
+/dev/bbd_sio                 u:object_r:bbd_device:s0
+/dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
+
+/dev/esfp0                   u:object_r:fingerprint_device:s0
+
+/dev/batch_io                u:object_r:sensor_device:s0
+/dev/ssp_sensorhub           u:object_r:sensor_device:s0
+
+# TFA98xx amplifier
+/dev/i2c-20                  u:object_r:amplifier_device:s0
+
 # Knox status
 /dev/knox_kap                u:object_r:knox_device:s0
 
+####################################
 # efs files
-/efs/FactoryApp(/.*)?         u:object_r:app_efs_file:s0
+/efs/FactoryApp(/.*)?        u:object_r:app_efs_file:s0
-/efs/FactoryApp/gyro_cal_data u:object_r:sensor_efs_file:s0
+/efs/FactoryApp/baro_delta   u:object_r:baro_delta_factoryapp_efs_file:s0
+/efs/FactoryApp/factorymode  u:object_r:factorymode_factoryapp_efs_file:s0
+/efs/FactoryApp/fdata        u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/hist_nv      u:object_r:radio_factoryapp_efs_file:s0
+/efs/FactoryApp/prox_cal     u:object_r:sensor_factoryapp_efs_file:s0
+/efs/FactoryApp/test_nv      u:object_r:radio_factoryapp_efs_file:s0
 
 /efs/Battery(/.*)?           u:object_r:battery_efs_file:s0
 /efs/bluetooth(/.*)?         u:object_r:bluetooth_efs_file:s0
+/efs/drm(/.*)?               u:object_r:drm_efs_file:s0
 /efs/gyro_cal_data           u:object_r:sensor_efs_file:s0
-/efs/cpk/h2k.dat             u:object_r:cpk_efs_file:s0
 /efs/h2k\.dat                u:object_r:cpk_efs_file:s0
 /efs/imei(/.*)?              u:object_r:imei_efs_file:s0
 /efs/nv_data.bin(.*)         u:object_r:bin_nv_data_efs_file:s0
+/efs/nv.log                  u:object_r:bin_nv_data_efs_file:s0
 /efs/\.nv_core\.bak(.*)      u:object_r:bin_nv_data_efs_file:s0
-/efs/nv.log                  u:object_r:nv_log_efs_file:s0
 /efs/prov(/.*)?              u:object_r:prov_efs_file:s0
 /efs/prov_data(/.*)?         u:object_r:prov_efs_file:s0
-/efs/sec_efs(/.*)?           u:object_r:sec_efs_file:s0
+/efs/wifi(/.*)?              u:object_r:wifi_efs_file:s0
-/efs/wifi(/.*)?               u:object_r:wifi_efs_file:s0
+/efs/wv\.keys                u:object_r:cpk_efs_file:s0
-/efs/wv.keys                 u:object_r:cpk_efs_file:s0
 
+/cpefs(/.*)?                 u:object_r:sec_efs_file:s0
+
+####################################
 # data files
-/data/camera(/.*)?                                   u:object_r:camera_data_file:s0
+/data/nfc(/.*)?              u:object_r:nfc_data_file:s0
-/data/misc/radio(/.*)?                               u:object_r:radio_data_file:s0
+/data/\.cid\.info                  u:object_r:wifi_data_file:s0
-/data/system/gps(/.*)?                               u:object_r:gps_data_file:s0
+/data/misc/conn/\.wifiver\.info    u:object_r:wifi_data_file:s0
-/data/\.cid\.info                                    u:object_r:wifi_data_file:s0
-/data/misc/conn/\.wifiver\.info                       u:object_r:wifi_data_file:s0
 
+/data/misc/radio(/.*)?       u:object_r:radio_data_file:s0
+
+# gps
+/data/system/gps(/.*)?      u:object_r:gps_data_file:s0
+/data/gps/ctrlpipe          u:object_r:gps_data_file:s0
+/data/gps/\.gpslogd\.pipe   u:object_r:gps_data_file:s0
+/data/gps/nmeapipe          u:object_r:gps_data_file:s0
+
+# mobicore
+/data/misc/mcRegistry(/.*)?  u:object_r:mobicore_data_file:s0
+
+/data/biometrics(/.*)?       u:object_r:fingerprintd_data_file:s0
+
+# camera
+/data/camera/ISP_CV          u:object_r:camera_data_file:s0
+
+####################################
 # sysfs files
-/sys/class/power_supply/battery/music             -- u:object_r:sysfs_writable:s0
+/sys/class/power_supply/battery/music -- u:object_r:sysfs:s0
-/sys/class/devfreq/exynos5-busfreq-mif(/.*)?      -- u:object_r:sysfs_writable:s0
+/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs:s0
-/sys/class/lcd(/.*)?                              -- u:object_r:sysfs_writable:s0
-/sys/class/sec(/.*)?                              -- u:object_r:sysfs_sec:s0
 
 # bluetooth
-/sys/devices/bluetooth/rfkill/rfkill0/state          u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/rfkill/rfkill0/state  u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bluetooth/rfkill/rfkill0/type           u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/rfkill/rfkill0/type   u:object_r:sysfs_bluetooth_writable:s0
-/sys/devices/bluetooth/extldo                        u:object_r:sysfs_bluetooth_writable:s0
+/sys/devices/bluetooth/extldo                u:object_r:sysfs_bluetooth_writable:s0
 
-/sys/devices/virtual/camera(/.*)?                    u:object_r:sysfs_camera_writable:s0
+# brightness
+/sys/devices/[0-9]*\.dsim/backlight/panel/brightness          u:object_r:sysfs_brightness:s0
+/sys/devices/[0-9]*\.dsim/backlight/panel/max_brightness      u:object_r:sysfs_brightness:s0
 
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode       u:object_r:sysfs_mdnie_writable:s0
+# camera
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario   u:object_r:sysfs_mdnie_writable:s0
+/sys/devices/virtual/camera(/.*)?           u:object_r:sysfs_camera:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux        u:object_r:sysfs_mdnie_writable:s0
-/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB  u:object_r:sysfs_mdnie_writable:s0
 
-/system/bin/modemloader                              u:object_r:modemloader_exec:s0
+# charger
-/system/bin/wifiloader                                u:object_r:wifiloader_exec:s0
+/sys/devices/battery/power_supply(/.*)                                     u:object_r:sysfs_charger:s0
-/system/bin/cbd                                      u:object_r:cpboot-daemon_exec:s0
+/sys/devices/13870000.i2c/i2c-7/7-003d/s2mu004-charger/power_supply(/.*)   u:object_r:sysfs_charger:s0
-/system/bin/gpsd                                     u:object_r:gpsd_exec:s0
+/sys/devices/13830000.i2c/i2c-10/10-003b/power_supply(/.*)                 u:object_r:sysfs_charger:s0
 
-# Mobicore
+# CP device
-/dev/mobicore                u:object_r:tee_device:s0
+/dev/spi_boot_link              u:object_r:radio_device:s0
-/dev/mobicore-user           u:object_r:tee_device:s0
-/data/misc/mcRegistry(/.*)?  u:object_r:tee_data_file:s0
-/system/bin/mcDriverDaemon   u:object_r:tee_exec:s0
 
+# cbd
+/sys/devices/10f24000.mipi-lli/lli_control  u:object_r:sysfs_mipi:s0
+
+# livedisplay
+/data/vendor/display(/.*)?   u:object_r:display_vendor_data_file:s0
+
+# gps
+/sys/devices/soc0/machine      u:object_r:sysfs_gps:s0
+/sys/devices/soc0/revision     u:object_r:sysfs_gps:s0
+
+# input
+/sys/devices/i2c@20/i2c-6/6-0020/input/input0(/.*)?         u:object_r:sysfs_input:s0
+/sys/devices/13890000.i2c/i2c-9/9-0048/input/input1(/.*)?   u:object_r:sysfs_input:s0
+/sys/devices/10610000.hsi2c/i2c-0/0-a004/input/input2(/.*)? u:object_r:sysfs_input:s0
+/sys/devices/gpio_keys/input/input3(/.*)?                   u:object_r:sysfs_input:s0
+/sys/devices/hall/input/input4(/.*)?                        u:object_r:sysfs_input:s0
+/sys/devices/certify_hall/input/input5(/.*)?                u:object_r:sysfs_input:s0
+
+# lcd
+/sys/devices/[0-9]*\.dsim/lcd/panel/adaptive_control    u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/alpm                u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/dpui                u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/dpui_dbg            u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/lcd_type            u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/lux                 u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/manufacture_code    u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/temperature         u:object_r:sysfs_lcd:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/window_type         u:object_r:sysfs_lcd:s0
+
+# modem
+/sys/module/modem_ctrl_ss310ap/parameters/ds_detect   u:object_r:sysfs_modem:s0
+
+# rild
+/sys/devices/virtual/misc/multipdp(/.*)     u:object_r:sysfs_multipdp:s0
+/dev/socket/rild2                           u:object_r:rild_socket:s0
+/dev/socket/rild-debug2                     u:object_r:rild_debug_socket:s0
+
+# mDNIe
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode          u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario      u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux           u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB     u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/night_mode    u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mdnie_ldu     u:object_r:sysfs_mdnie:s0
+/sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/whiteRGB      u:object_r:sysfs_mdnie:s0
+
+# sec
+/sys/class/sec(/.*)?           -- u:object_r:sysfs_sec:s0
+
+# svc
+/sys/devices/svc(/.*)?    u:object_r:sysfs_svc:s0
+
+# virtual
+/sys/devices/virtual(/.*)?    u:object_r:sysfs_virtual:s0
+
+
+####################################
+# deamons
+#
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung                   u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos                    u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.radio@1\.3-radio-service\.samsung                   u:object_r:hal_radio_default_exec:s0
+/(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service		                u:object_r:hal_nfc_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos        u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung                     u:object_r:hal_lineage_touch_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service		                u:object_r:hal_gnss_default_exec:s0
+
+/(vendor|system/vendor)/bin/cbd		                                            u:object_r:cpboot-daemon_exec:s0
+/(vendor|system/vendor)/bin/gpsd             									u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/macloader        									u:object_r:macloader_exec:s0
+/(vendor|system/vendor)/bin/mcDriverDaemon   							        u:object_r:tee_exec:s0
+/(vendor|system/vendor)/bin/modemloader      									u:object_r:modemloader_exec:s0
+/(vendor|system/vendor)/bin/sensorhubservice 									u:object_r:sensorhubservice_exec:s0
+/(vendor|system/vendor)/bin/wcnss_filter     									u:object_r:wcnss_filter_exec:s0

sepolicy/fsck.te

@@ -1,3 +1,2 @@
 # /dev/block/mmcblk0p3
-allow fsck emmcblk_device:blk_file rw_file_perms;
+allow fsck emmcblk_device:blk_file { read write open ioctl getattr };
-allow fsck efs_block_device:blk_file { ioctl open read write };

sepolicy/gpsd.te

@@ -1,37 +1,43 @@
-# gps daemon sec label
+type gpsd, domain, coredomain;
-type gpsd, domain;
+type gpsd_exec, exec_type, file_type, system_file_type;
-type gpsd_exec, exec_type, file_type;
 
-init_daemon_domain(gpsd)
+init_daemon_domain(gpsd);
-wakelock_use(gpsd)
 
 # Automatically label files created in /data/system/gps as gps_data_file
 file_type_auto_trans(gpsd, system_data_file, gps_data_file)
 
-# Allow rild to connect to gpsd
+# Allow rild and netd to connect to gpsd
 unix_socket_connect(gpsd, property, rild)
+unix_socket_connect(gpsd, property, netd)
 
 allow gpsd system_server:unix_stream_socket { read write setopt };
 
 binder_call(gpsd, system_server)
 binder_use(gpsd)
 
+# Sockets
+type_transition gpsd gps_data_file:sock_file gps_socket;
+
+allow gpsd dnsproxyd_socket:sock_file write;
+allow gpsd fwmarkd_socket:sock_file write;
+allow gpsd gps_socket:sock_file create_file_perms;
+allow gpsd self:udp_socket { create bind connect read setopt write }; 
+ 
+# sysfs_gps
+allow gpsd system_file:dir { open read getattr };
+allow gpsd sysfs_gps:file { open read getattr };
+
 # /dev/ttySAC0
 allow gpsd bluetooth_device:chr_file { getattr setattr rw_file_perms };
 allow gpsd gps_device:chr_file { getattr setattr rw_file_perms };
-allow gpsd gps_data_file:dir { search write add_name remove_name };
+allow gpsd gps_data_file:dir { search write add_name remove_name rw_dir_perms };
-allow gpsd gps_data_file:file { create rw_file_perms };
 allow gpsd gps_data_file:fifo_file { unlink create setattr getattr rw_file_perms };
 
 allow gpsd sysfs_wake_lock:file rw_file_perms;
 
-allow gpsd sysfs:file { open read getattr };
+allow gpsd sensorservice_service:service_manager { find };
-
-allow gpsd dnsproxyd_socket:sock_file write;
-allow gpsd fwmarkd_socket:sock_file write;
-allow gpsd netd:unix_stream_socket connectto;
-allow gpsd self:udp_socket { connect create read setopt write };
 
+# /dev/umts_boot0
 allow gpsd mif_device:chr_file r_file_perms;
-allow gpsd shell_exec:file { execute execute_no_trans getattr open read };
+
-allow gpsd toolbox_exec:file { execute execute_no_trans getattr open read };
+allow gpsd shell_exec:file execute;

sepolicy/hal_audio_default.te

@@ -0,0 +1 @@
+allow hal_audio_default amplifier_device:chr_file { open read write ioctl };

sepolicy/hal_camera_default.te

@@ -1,5 +1,5 @@
-allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
+# vndbinder
-allow hal_camera_default sysfs_camera_writable:dir search;
+allow hal_camera_default vndbinder_device:chr_file rw_file_perms;
-allow hal_camera_default sysfs_camera_writable:file { getattr open read write };
-allow hal_camera_default vndbinder_device:chr_file { read write open ioctl};
 
+# sysfs
+allow hal_camera_default sysfs_virtual:dir search;

sepolicy/hal_fingerprint_default.te

@@ -0,0 +1,20 @@
+# allow hal_fingerprint_default to communicate with various devices
+binder_call(system_app, hal_fingerprint_default);
+
+# kernel fp device
+allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
+
+# secure memory device
+allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
+
+# trust zone device
+allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
+allow hal_fingerprint_default tee:unix_stream_socket connectto;
+
+# /data/biometrics/*
+allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
+allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
+
+# sysfs_virtual
+allow hal_fingerprint_default sysfs_virtual:dir { read open search };
+allow hal_fingerprint_default sysfs_virtual:file { read open };

sepolicy/hal_light_default.te

@@ -0,0 +1,3 @@
+allow hal_light_default sysfs_brightness:file { open read write getattr };
+allow hal_light_default sysfs_virtual:dir search;
+allow hal_light_default sysfs_virtual:file { read write open getattr };

sepolicy/hal_lineage_livedisplay_sysfs.te

@@ -0,0 +1,6 @@
+# Allow LiveDisplay to store files under /data/vendor/display and access them
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
+allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
+# Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
+allow hal_lineage_livedisplay_sysfs sysfs_mdnie:dir search;
+allow hal_lineage_livedisplay_sysfs sysfs_mdnie:file rw_file_perms;

sepolicy/hal_lineage_touch_default.te

@@ -0,0 +1,6 @@
+allow hal_lineage_touch_default sysfs_input:dir search;
+allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
+
+allow hal_lineage_touch_default sysfs_virtual:dir search;
+allow hal_lineage_touch_default sysfs_virtual:file { open read getattr };
+allow hal_lineage_touch_default sysfs_virtual:lnk_file read;

sepolicy/hal_power_default.te

@@ -1,3 +1,13 @@
-allow hal_power_default sysfs:file { open write read };
+# Allow reading of sysfs nodes to find input devices
+allow hal_power_default sysfs:dir r_dir_perms;
+allow hal_power_default sysfs:file r_file_perms;
+
 allow hal_power_default sysfs_devices_system_cpu:file write;
-allow hal_power_default sysfs:dir { open read };
+
+allow hal_power_default sysfs_input:dir { open read search };
+allow hal_power_default sysfs_input:file { open read write getattr };
+
+allow hal_power_default sysfs_virtual:dir { open read search };
+allow hal_power_default sysfs_virtual:file { open read write getattr };
+allow hal_power_default sysfs:dir { read open };
+allow hal_power_default sysfs:file { read write open };

sepolicy/hal_wifi_default.te

@@ -1,6 +1,15 @@
-allow hal_wifi_default sysfs:file write;
+#### hal_wifi_default
+#
+
+# wifi_data_file
+allow hal_wifi_default wifi_data_file:file { read write open };
+
+# /efs
+allow hal_wifi_default efs_file:dir search;
+
+# /efs/wifi
 allow hal_wifi_default wifi_efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:file { open read };
-allow hal_wifi_default system_data_file:file { open read };
+
-allow hal_wifi_default efs_file:dir search;
+# load .ko modules
-allow hal_wifi_default wifi_data_file:file { open read write };
+allow hal_wifi_default self:capability sys_module;

sepolicy/healthd.te

@@ -1,3 +1,5 @@
 # healthd
 allow healthd device:dir rw_dir_perms;
-allow healthd rtc_device:chr_file rw_file_perms;
+allow healthd rtc_device:chr_file rw_file_perms;
+allow healthd sysfs:file { open read getattr };
+allow healthd sysfs_charger:file { open read getattr };

sepolicy/init.te

@@ -11,10 +11,11 @@ allow init block_device:lnk_file { setattr };
 allow init tmpfs:lnk_file create_file_perms;
 
 # /sys/class/power_supply/battery and /sys/class/android_usb/android0
-allow init sysfs:dir r_dir_perms;
+allow init proc:file { getattr setattr read write open };
 
-# required for LD_SHIM_LIBS
+# Shim libs
-allow init { domain -lmkd -crash_dump }:process noatsecure;
+allow init cameraserver:process noatsecure;
+allow init hal_fingerprint_default:process noatsecure;
 
 # /data
 allow init sdcardd_exec:file r_file_perms;
@@ -23,15 +24,33 @@ allow init sdcardd_exec:file r_file_perms;
 allow init sysfs:lnk_file setattr;
 
 # read/chown mDNIE symlinks
-allow init sysfs_mdnie_writable:lnk_file { read setattr };
+allow init sysfs_mdnie:lnk_file { read setattr };
 
 # read/chown camera firmware
-allow init sysfs_camera_writable:file { relabelto setattr };
+allow init sysfs_camera:file { relabelto setattr };
-allow init sysfs_camera_writable:filesystem associate;
+allow init sysfs_camera:filesystem associate;
 
+# sysfs
+allow init sysfs_bluetooth_writable:file setattr;
+allow init sysfs_mdnie:file setattr;
+allow init sysfs_multipdp:file setattr;
+allow init sysfs_devices_system_cpu:file write;
+allow init sysfs_gps:file setattr;
+allow init sysfs_sec:file setattr ;
+allow init sysfs_brightness:file setattr;
+allow init sysfs_input:file setattr;
+allow init sysfs_lcd:file { setattr open };
+allow init sysfs_svc:file setattr;
+allow init sysfs_modem:file { setattr open write };
+allow init sysfs_wlan_fwpath:file setattr;
+allow init sysfs_virtual:file { open setattr write };
+allow init sysfs_virtual:lnk_file read;
+allow init sysfs_charger:file setattr;
+allow init sysfs:file setattr;
+
+unix_socket_connect(init, property, rild)
 allow init socket_device:sock_file { unlink create setattr };
 
-allow init sysfs_sec:lnk_file read;
+allow init tee_device:chr_file { read write open ioctl getattr };
-
+allow init system_file:file execute;
-allow init block_device:blk_file write;
+allow init sysfs_modem:file r_file_perms;
-allow init property_socket:sock_file write;

sepolicy/installd.te

@@ -1,2 +1,3 @@
 # TbStorage (mobicore)
-allow installd tee_data_file:dir { rw_dir_perms rmdir }; 
+allow installd mobicore_data_file:dir { rw_dir_perms rmdir };
+allow installd device:file { read write open };

sepolicy/kernel.te

@@ -1,29 +1,27 @@
 allow kernel self:capability { chown mknod };
+dontaudit kernel kernel:capability { dac_override dac_read_search };
 
 # /dev/mbin0
 allow kernel emmcblk_device:blk_file r_file_perms;
 allow kernel device:blk_file { create setattr getattr unlink };
-
 # /bus/usb/001/001
 allow kernel device:dir { create write remove_name rmdir add_name };
 allow kernel device:chr_file { create setattr getattr unlink };
 
 # /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
 allow kernel sysfs_devices_system_cpu:file { setattr };
-allow kernel sysfs:file { setattr open };
+allow kernel sysfs:file { setattr };
 
 # /efs contents
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
 
-allow kernel sysfs_sec:dir search;
-allow kernel sysfs_sec:lnk_file read;
-
-allow kernel device:blk_file { create setattr };
-
 # /efs/wifi/.mac.info
 allow kernel wifi_efs_file:dir r_dir_perms;
 allow kernel wifi_efs_file:file r_file_perms;
 
 # /data/misc/conn/.wifiver.info
 allow kernel wifi_data_file:file rw_file_perms;
+
+# sysfs_lcd
+allow kernel sysfs_lcd:file { open read };

sepolicy/macloader.te

@@ -0,0 +1,30 @@
+#### macloader
+#
+type macloader, domain, coredomain;
+type macloader_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(macloader)
+
+allow macloader self:capability { chown fowner fsetid };
+allow macloader self:process execmem;
+
+# Write into /data
+allow macloader system_data_file:dir { add_name search write };
+allow macloader system_file:file execute_no_trans;
+
+# /data/.cid.info
+# Automatically label files created in /data/ as wifi_data_file
+file_type_auto_trans(macloader, system_data_file, wifi_data_file)
+
+allow macloader wifi_data_file:dir create_dir_perms;
+allow macloader wifi_data_file:file { create_file_perms getattr setattr };
+
+# /sys/module/dhd/parameters/nvram_path
+allow macloader sysfs:file rw_file_perms;
+
+# /efs
+allow macloader efs_file:dir r_dir_perms;
+
+# /efs/wifi/.mac.info
+allow macloader wifi_efs_file:dir r_dir_perms;
+allow macloader wifi_efs_file:file r_file_perms;

sepolicy/mediacodec.te

@@ -0,0 +1,11 @@
+# /system/lib/omx/
+allow mediacodec system_file:dir r_dir_perms;
+
+# /sys/class/video4linux/video6/name
+allow mediacodec sysfs:file r_file_perms;
+
+allow mediacodec sysfs:dir { open read };
+
+# sysfs_virtual
+allow mediacodec sysfs_virtual:dir { open read search };
+allow mediacodec sysfs_virtual:file { open read };

sepolicy/mediadrmserver.te

@@ -0,0 +1,2 @@
+allow mediadrmserver media_data_file:file { getattr open read create write };
+allow mediadrmserver media_data_file:dir { getattr write search add_name };

sepolicy/mediaextractor.te

@@ -1 +1 @@
-allow mediaextractor fuse:file { getattr read };
+allow mediaextractor fuse:file { read getattr };

sepolicy/mediaserver.te

@@ -10,5 +10,3 @@ allow mediaserver camera_device:chr_file { read write open getattr ioctl };
 # Snap permissions
 allow mediaserver sensorservice_service:service_manager { find };
 allow mediaserver system_server:unix_stream_socket { read write };
-
-allow mediaserver ion_device:chr_file write;

sepolicy/modemloader.te

@@ -1,9 +1,10 @@
-# modemloader
+#### modemloader
-type modemloader, domain;
+#
-type modemloader_exec, exec_type, file_type;
+type modemloader, domain, coredomain;
+type modemloader_exec, exec_type, file_type, system_file_type;
 
 init_daemon_domain(modemloader)
 
 allow modemloader proc:file r_file_perms;
 
-set_prop(modemloader, modemloader_prop);
+set_prop(modemloader, modemloader_prop)

sepolicy/netd.te

@@ -1,4 +1,4 @@
 allow netd self:capability sys_module;
-
 allow netd gpsd:fd use;
-allow netd gpsd:udp_socket { getopt read setopt write };
+allow netd gpsd:udp_socket { read write getopt setopt };
+allow netd device:file { read write open };

sepolicy/nfc.te

@@ -0,0 +1,2 @@
+allow nfc sec_efs_file:dir search;
+allow nfc efs_file:dir search;

sepolicy/property_contexts

@@ -3,10 +3,6 @@ persist.bluetooth_fw_ver    u:object_r:bluetooth_prop:s0
 ro.bluetooth.tty            u:object_r:bluetooth_prop:s0
 wc_transport.               u:object_r:bluetooth_prop:s0
 
-# radio
-persist.ril.modem.board    u:object_r:radio_prop:s0
-persist.ril.ims.eutranParam u:object_r:radio_prop:s0
-
 # modemloader
 hw.revision            u:object_r:modemloader_prop:s0
 ro.cbd.dt_revision     u:object_r:modemloader_prop:s0
@@ -15,3 +11,9 @@ ro.modemloader.done    u:object_r:modemloader_prop:s0
 
 # mobicore
 sys.mobicoredaemon.enable         u:object_r:tee_prop:s0
+
+# radio
+persist.ril.modem.board    u:object_r:radio_prop:s0
+persist.ril.ims.eutranParam u:object_r:radio_prop:s0
+persist.ril.ims.utranParam  u:object_r:radio_prop:s0
+persist.ril.interfaceconf.failed u:object_r:radio_prop:s0

sepolicy/rild.te

@@ -4,13 +4,12 @@ allow rild self:capability { chown };
 # Allow additiional efs access
 allow rild bin_nv_data_efs_file:file create_file_perms;
 allow rild imei_efs_file:dir r_dir_perms;
-allow rild imei_efs_file:file r_file_perms;
+allow rild imei_efs_file:file rw_file_perms;
 allow rild app_efs_file:dir r_dir_perms;
 allow rild app_efs_file:file r_file_perms;
 
 # /dev
 allow rild audioserver:dir r_dir_perms;
-
 # /proc/<pid>/cmdline
 allow rild audioserver:file r_file_perms;
 
@@ -18,9 +17,12 @@ allow rild audioserver:file r_file_perms;
 allow rild block_device:dir r_dir_perms;
 allow rild emmcblk_device:blk_file r_file_perms;
 
-# /dev/umts*
+# /dev/umts_boot0, /dev/umts_ipc0
 allow rild mif_device:chr_file rw_file_perms;
 
+# /sys/devices/virtual/misc/multipdp/waketime
+allow rild sysfs_multipdp:file rw_file_perms;
+
 # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
 allow rild proc_net:file rw_file_perms;
 
@@ -34,7 +36,6 @@ allow rild mediaserver:file { open read getattr };
 # /data/misc/radio/*
 allow rild radio_data_file:dir rw_dir_perms;
 allow rild radio_data_file:file create_file_perms;
-
 # /data/data/com.android.providers.telephony/databases/telephony.db
 allow rild radio_data_file:lnk_file r_file_perms;
 
@@ -50,11 +51,5 @@ allow rild radio_block_device:blk_file r_file_perms;
 # persist.ril.modem.board
 set_prop(modemloader, radio_prop)
 
-allow rild sec_efs_file:file getattr;
-allow rild sec_efs_file:dir search;
-allow rild sysfs:dir r_dir_perms;
-allow rild sysfs_sec:dir search;
-allow rild sysfs_sec:lnk_file read;
-
 # /dev/knox_kap
 allow rild knox_device:chr_file r_file_perms;

sepolicy/sensorhubservice.te

@@ -0,0 +1,24 @@
+#### sensorhubservice
+#
+type sensorhubservice, domain, coredomain;
+type sensorhubservice_exec, exec_type, file_type, system_file_type;
+type sensorhubservice_service, app_api_service, system_server_service, service_manager_type;
+init_daemon_domain(sensorhubservice)
+
+# /dev/input[0-9]*
+allow sensorhubservice input_device:dir r_dir_perms;
+allow sensorhubservice { input_device sensor_device }:chr_file rw_file_perms;
+
+# binder call
+allow sensorhubservice servicemanager:binder { call transfer };
+
+allow sensorhubservice sysfs:file { getattr open read };
+
+# sysfs_virtual
+allow sensorhubservice sysfs_virtual:file { open read getattr setattr };
+allow sensorhubservice sysfs_virtual:dir { open read search };
+allow sensorhubservice sysfs_virtual:lnk_file read;
+
+allow sensorhubservice sysfs_input:dir search;
+allow sensorhubservice sysfs_input:lnk_file read;
+allow sensorhubservice sysfs_input:file { read write open getattr };

sepolicy/service_contexts

@@ -1,2 +1,13 @@
-# HWC
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW  u:object_r:hal_vendor_surfaceflinger_hwservice:s0
-Exynos.HWCService                           u:object_r:surfaceflinger_service:s0
+vendor.samsung.hardware.gnss::ISecGnss                                u:object_r:hal_gnss_hwservice:s0
+vendor.trustonic.tee::ITee                        u:object_r:hal_tee_hwservice:s0
+vendor.trustonic.teeregistry::ITeeRegistry        u:object_r:hal_teeregistry_hwservice:s0
+vendor.samsung.hardware.security.widevine.keyprovisioning::ISehWidevineKeyProvisioning        u:object_r:hal_wvkprov_hwservice:s0
+vendor.samsung.hardware.bluetooth.a2dp::ISehBluetoothAudioOffload		u:object_r:hal_bluetooth_a2dp_hwservice:s0
+vendor.samsung.hardware.bluetooth.a2dpsink::ISehBluetoothA2dpSinkProvidersFactory		u:object_r:hal_bluetooth_a2dp_hwservice:s0
+vendor.samsung.hardware.snap::ISehSnap                         u:object_r:snap_hwservice:s0
+vendor.samsung.hardware.radio.bridge::ISehBridge            u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio::ISehRadio                    u:object_r:hal_telephony_hwservice:s0
+vendor.samsung.hardware.radio.channel::ISehChannel          u:object_r:hal_telephony_hwservice:s0
+com.qualcomm.qti.ant::IAntHci              u:object_r:hal_bluetooth_hwservice:s0
+

sepolicy/servicemanager.te

@@ -0,0 +1,3 @@
+allow servicemanager sensorhubservice:dir search;
+allow servicemanager sensorhubservice:file { getattr open read };
+allow servicemanager sensorhubservice:process getattr;

sepolicy/surfaceflinger.te

@@ -1,2 +1,3 @@
 # HWC
 allow surfaceflinger secmem_device:chr_file rw_file_perms;
+allow surfaceflinger sysfs:file { getattr open read };

sepolicy/system_app.te

@@ -1,3 +1,3 @@
-allow system_app sysfs_mdnie_writable:{ file lnk_file } rw_file_perms;
+allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
-allow system_app sysfs_mdnie_writable:dir search;
+allow system_app sysfs_mdnie:dir search;
 allow system_app wificond:binder call;

sepolicy/system_server.te

@@ -1,10 +1,11 @@
 # /dev/mbin0
 allow system_server emmcblk_device:dir search;
+allow system_server emmcblk_device:blk_file { read write open ioctl getattr };
 
 # /efs
 allow system_server efs_file:dir r_dir_perms;
 
-# /efs/FactoryApp/gyro_cal_data
+# /efs/gyro_cal_data
 allow system_server sensor_efs_file:file r_file_perms;
 
 # /data/system/gps/.gps.interface.pipe.*
@@ -15,7 +16,7 @@ allow system_server gps_data_file:fifo_file create_file_perms;
 allow system_server gps_data_file:dir rw_dir_perms;
 
 # /data/system/gps/chip.info
-allow system_server gps_data_file:file create_file_perms;
+allow system_server gps_data_file:file r_file_perms;
 
 # /efs/prox_cal
 allow system_server efs_file:file r_file_perms;
@@ -30,22 +31,27 @@ allow system_server wifi_efs_file:dir r_dir_perms;
 allow system_server wifi_efs_file:file r_file_perms;
 
 # mDNIE
-allow system_server sysfs_mdnie_writable:lnk_file rw_file_perms;
+allow system_server sysfs_mdnie:lnk_file rw_file_perms;
-allow system_server sysfs_mdnie_writable:dir r_dir_perms;
+allow system_server sysfs_mdnie:file rw_file_perms;
-allow system_server sysfs_mdnie_writable:file rw_file_perms;
 
 # memtrack HAL
 allow system_server debugfs:dir r_dir_perms;
-allow system_server debugfs:file r_file_perms;
+
+# sensor HAL
+allow system_server sensor_device:chr_file rw_file_perms;
+allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
+allow system_server sensor_factoryapp_efs_file:file r_file_perms;
+
+# sysfs
+allow system_server sysfs_brightness:file write;
+allow system_server sysfs_input:file write;
+allow system_server sysfs_sec:file write;
+allow system_server sysfs_devices_system_cpu:file write;
+allow system_server sysfs_virtual:file write;
 
 # /data/system/gps/xtraee.bin
 allow system_server gps_data_file:file create_file_perms;
 
-allow system_server emmcblk_device:blk_file { getattr ioctl open read write };
+unix_socket_connect(system_server, property, gpsd)
-allow system_server gps_data_file:dir { add_name remove_name write search };
+
-allow system_server gps_data_file:file { create setattr unlink write };
+allow system_server proc:file { read open getattr };
-allow system_server gpsd:unix_stream_socket connectto;
-allow system_server sysfs_sec:dir search;
-allow system_server sysfs_sec:lnk_file read;
-allow system_server crash_dump:process getpgid;
-allow system_server unlabeled:dir write;

sepolicy/tee.te

@@ -1,11 +1,11 @@
 # mobicore
 
 # Allow to create files and directories /data/app/mcRegistry
-file_type_auto_trans(tee, apk_data_file, tee_data_file);
+file_type_auto_trans(tee, apk_data_file, mobicore_data_file);
 
 # /efs
 allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
 
 # sys.mobicore.enable
-set_prop(tee, tee_prop) 
+set_prop(tee, tee_prop)

sepolicy/ueventd.te

@@ -1,11 +1,11 @@
 # /dev/block/mmcblk0p[0-9]
-#allow ueventd emmcblk_device:blk_file create_file_perms;
+allow ueventd emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
 
-allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink getattr };
+# /sys/devices/virtual/misc/multipdp/uevent
+allow ueventd sysfs_multipdp:file rw_file_perms;
+
+allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink };
 
 # read/chown camera firmware
-allow ueventd sysfs_camera_writable:file { relabelto getattr rw_file_perms };
+allow ueventd sysfs_camera:file { relabelto getattr rw_file_perms };
-allow ueventd sysfs_camera_writable:filesystem associate;
+allow ueventd sysfs_camera:filesystem associate;
-
-allow ueventd sysfs_sec:dir { open read relabelto search };
-allow ueventd sysfs_sec:lnk_file relabelto;

sepolicy/uncrypt.te

@@ -1,2 +1,2 @@
 allow uncrypt emmcblk_device:blk_file w_file_perms;
-allow uncrypt emmcblk_device:dir r_dir_perms;
+allow uncrypt emmcblk_device:dir r_dir_perms;

sepolicy/vold.te

@@ -2,4 +2,7 @@
 allow vold efs_file:dir r_dir_perms;
 # /dev/block/mmcblk0p[0-9]
 allow vold emmcblk_device:dir create_dir_perms;
-#allow vold emmcblk_device:blk_file create_file_perms;
+allow vold emmcblk_device:blk_file { ioctl read write create getattr setattr lock append unlink open };
+
+# sysfs_virtual
+allow vold sysfs_virtual:file write;

sepolicy/wcnss_filter.te

@@ -0,0 +1,8 @@
+type wcnss_filter, domain, coredomain;
+type wcnss_filter_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(wcnss_filter)
+
+allow wcnss_filter bluetooth_device:chr_file rw_file_perms;
+
+set_prop(wcnss_filter, bluetooth_prop);

sepolicy/webview_zygote.te

@@ -0,0 +1 @@
+allow webview_zygote zygote:unix_dgram_socket write;

sepolicy/zygote.te

@@ -0,0 +1 @@
+allow zygote proc_cmdline:file { getattr open read write };