universal7570: import sepolicy from 7870

The sepolicy before seems to be broken Change-Id: I890a28429f03e47a183a0a0b755987f3495994c3
2025-10-31 00:08:53 +01:00 · 2021-03-13 05:07:20 +07:00 · 2021-03-13 05:07:20 +07:00 · f0e4521a9f
commit f0e4521a9f
parent f22a0e7cdd
53 changed files with 1095 additions and 58 deletions
--- a/sepolicy/audioloader.te
+++ b/sepolicy/audioloader.te
@ -1,9 +0,0 @@
 type audioloader, domain, coredomain;
 type audioloader_exec, exec_type, file_type;
 init_daemon_domain(audioloader)
 binder_use(audioloader)
 binder_call(audioloader, audioserver)
 binder_call(audioserver, audioloader)
 allow audioloader audioserver_service:service_manager find;
--- a/sepolicy/audioserver.te
+++ b/sepolicy/audioserver.te
@ -0,0 +1,9 @@
 # Allow rild to connect to gpsd
 # unix_socket_connect(audioserver, property, rild)
 # /efs/maxim
 r_dir_file(audioserver, efs_file);
 r_dir_file(audioserver, sec_efs_file);
 # TFA98xx amplifier
 allow audioserver amplifier_device:chr_file rw_file_perms;
--- a/sepolicy/bluetooth.te
+++ b/sepolicy/bluetooth.te
@ -0,0 +1,6 @@
 # /dev/ttySAC3
 allow bluetooth bluetooth_device:chr_file rw_file_perms ;
 allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
 # /data/.cid.info
 allow bluetooth wifi_data_file:file r_file_perms;
--- a/sepolicy/cameraserver.te
+++ b/sepolicy/cameraserver.te
@ -0,0 +1,12 @@
 # /dev/m2m1shot_jpeg
 allow cameraserver camera_device:chr_file rw_file_perms;
 # /sys/devices/virtual/camera/*/*_camfw
 allow cameraserver sysfs_camera:dir search;
 allow cameraserver sysfs_camera:file rw_file_perms;
 # /data/camera/ISP_CV
 allow cameraserver camera_data_file:file r_file_perms;
 # /data/media(/.*)?
 r_dir_file(cameraserver, media_rw_data_file);
--- a/sepolicy/charger.te
+++ b/sepolicy/charger.te
@ -0,0 +1 @@
 allow charger sysfs_usb_supply:file rw_file_perms;
--- a/sepolicy/cpboot-daemon.te
+++ b/sepolicy/cpboot-daemon.te
@ -0,0 +1,51 @@
 # modem daemon sec label
 type cpboot-daemon, domain;
 type cpboot-daemon_exec, exec_type, file_type, vendor_file_type;
 net_domain(cpboot-daemon)
 init_daemon_domain(cpboot-daemon)
 wakelock_use(cpboot-daemon)
 set_prop(cpboot-daemon, modemloader_prop)
 allow cpboot-daemon self:capability { setuid setgid };
 # FIXME neverallow rule
 # allow cpboot-daemon self:capability mknod;
 allow cpboot-daemon kernel:system syslog_read;
 allow cpboot-daemon cgroup:dir create_dir_perms;
 # /dev/log/*
 #allow cpboot-daemon log_device:dir r_dir_perms;
 #allow cpboot-daemon log_device:chr_file rw_file_perms;
 # /dev/kmsg (write to kernel log)
 allow cpboot-daemon kmsg_device:chr_file rw_file_perms;
 # /dev/umts_boot0
 allow cpboot-daemon mif_device:chr_file rw_file_perms;
 # /dev/mbin0
 allow cpboot-daemon emmcblk_device:blk_file r_file_perms;
 # /dev/spi_boot_link
 allow cpboot-daemon radio_device:chr_file rw_file_perms;
 # /dev/block/mmcblk0p13
 allow cpboot-daemon block_device:dir r_dir_perms;
 allow cpboot-daemon radio_block_device:blk_file r_file_perms;
 # /dev/mipi-lli/lli_control
 allow cpboot-daemon sysfs_mipi:file rw_file_perms;
 # /efs
 allow cpboot-daemon efs_file:dir r_dir_perms;
 # /efs/nv_data.bin
 allow cpboot-daemon bin_nv_data_efs_file:file rw_file_perms;
 allow cpboot-daemon efs_file:file rw_file_perms;
 # /proc permissions
 allow cpboot-daemon proc_cmdline:file r_file_perms;
 allow cpboot-daemon proc_dt_firmware:dir search;
 allow cpboot-daemon proc_dt_firmware:file { open read };
 # set properties on boot
 set_prop(cpboot-daemon, cpboot-daemon_prop)
 set_prop(cpboot-daemon, radio_prop)
 set_prop(cpboot-daemon, system_prop)
--- a/sepolicy/device.te
+++ b/sepolicy/device.te
@ -0,0 +1,35 @@
 # /dev/ttySAC3
 type bluetooth_device, dev_type;
 # /dev/block/mmcblk0p[0-9] (/dev/mbin0)
 type emmcblk_device, file_type;
 # Radio block device mounted on /efs.
 type radio_block_device, dev_type;
 # /dev/umts_boot*, /dev/ehci_power
 type mif_device, dev_type;
 # /dev/rfkill
 type rfkill_device, dev_type;
 # /dev/s5p-smem
 type secmem_device, dev_type;
 # /dev/bbd*, /dev/ttyBCM[0-9]*
 type bbd_device, dev_type;
 # /dev/vfsspi
 type fingerprint_device, dev_type;
 # /dev/batch_io
 type sensor_device, dev_type;
 # /dev/i2c-20 - TFA98xx amplifier
 type amplifier_device, dev_type;
 # /dev/knox_kap
 type knox_device, dev_type;
 # GPS
 type gps_device, dev_type;
--- a/sepolicy/file.te
+++ b/sepolicy/file.te
@ -0,0 +1,65 @@
 ### efs types
 type app_efs_file, file_type;
 type battery_efs_file, file_type;
 type baro_delta_factoryapp_efs_file, file_type;
 type bin_nv_data_efs_file, file_type;
 type sec_efs_file, file_type;
 # widewine, drm
 type cpk_efs_file, file_type;
 type drm_efs_file, file_type;
 type factorymode_factoryapp_efs_file, file_type;
 type imei_efs_file, file_type;
 type prov_efs_file, file_type;
 type radio_factoryapp_efs_file, file_type;
 type sensor_efs_file, file_type;
 type sensor_factoryapp_efs_file, file_type;
 type wifi_efs_file, file_type;
 # gps
 type gps_data_file, file_type, data_file_type, core_data_file_type;
 type gps_socket, file_type;
 # proc
 type proc_vm, fs_type, proc_type;
 type proc_dt_firmware, fs_type, proc_type;
 type proc_reset_reason, fs_type, proc_type;
 type proc_simslot_count, fs_type, proc_type;
 type proc_input_devices, fs_type, proc_type;
 type proc_sec, fs_type, proc_type;
 ### sysfs types
 #type sysfs_writable, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mdnie, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mipi, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_multipdp, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_sec, fs_type, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_sensors, fs_type, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_input, fs_type, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_camera, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_gps, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_light, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_wifi, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_usb_supply, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_mmc, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_graphics, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_ion, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_block, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_jack, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_v4l, sysfs_type, fs_type, mlstrustedobject;
 type sysfs_sswap, sysfs_type, fs_type, mlstrustedobject;
 ### data types
 type biometrics_vendor_data_file, file_type, data_file_type;
 type camera_vendor_data_file, file_type, data_file_type;
 type conn_vendor_data_file, file_type, data_file_type;
 type display_vendor_data_file, file_type, data_file_type;
 type gk_vendor_data_file, file_type, data_file_type;
 type gps_vendor_data_file, file_type, data_file_type;
 type log_vendor_data_file, file_type, data_file_type;
 type log_cbd_vendor_data_file, file_type, data_file_type;
 type media_vendor_data_file, file_type, data_file_type;
 type mediadrm_vendor_data_file, file_type, data_file_type;
 type radio_vendor_data_file, file_type, data_file_type;
 type sswap_vendor_data_file, file_type, data_file_type;
 type wifi_vendor_data_file, file_type, data_file_type;
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -1,22 +1,221 @@
-# Audio
+##########################
-/system/bin/audioloader u:object_r:audioloader_exec:s0
+# Devices
-/system/etc/usb_audio_policy_configuration.xml u:object_r:vendor_configs_file:s0
+#
 /dev/mali[0-9]*              u:object_r:gpu_device:s0
-# Bluetooth
+/dev/bcm2079x                u:object_r:nfc_device:s0
-/sys/devices/platform/bluetooth/rfkill/rfkill0/state    u:object_r:sysfs_bluetooth_writable:s0
+/dev/sec-nfc                 u:object_r:nfc_device:s0
 /sys/devices/platform/bluetooth/rfkill/rfkill0/type    u:object_r:sysfs_bluetooth_writable:s0
-# Block device for ZRAM
+/dev/ttySAC3                 u:object_r:bluetooth_device:s0
 /dev/block/zram0 u:object_r:swap_block_device:s0
-# LPM
+/dev/s5p-smem                u:object_r:secmem_device:s0
-/system/bin/lpm u:object_r:lpm_exec:s0
+/dev/mobicore                u:object_r:tee_device:s0
 /dev/mobicore-user           u:object_r:tee_device:s0
-# Power HAL
+/dev/v4l-subdev[0-9]*        u:object_r:video_device:s0
-/system/bin/hw/android.hardware\.power@1\.0-service\.7570 u:object_r:hal_power_7570_exec:s0
+/dev/m2m1shot_scaler[0-9]*   u:object_r:video_device:s0
 /dev/media[0-3]*             u:object_r:camera_device:s0
 /dev/m2m1shot_jpeg           u:object_r:camera_device:s0
-# Lights HAL
+/dev/__cbd_msg_              u:object_r:mif_device:s0
-/system/bin/hw/android.hardware\.light@2\.0-service\.7570 u:object_r:hal_light_7570_exec:s0
+/dev/umts.*                  u:object_r:mif_device:s0
 /dev/ehci_power              u:object_r:mif_device:s0
 /dev/mipi-lli/lli_control    u:object_r:mif_device:s0
-# Vibrator HAL
+/dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
-/system/bin/hw/android.hardware\.vibrator@1\.0-service\.7570 u:object_r:hal_vibrator_7570_exec:s0
+/dev/ttySAC[0-9]*            u:object_r:bluetooth_device:s0
 #/dev/ttySAC0                 u:object_r:hci_attach_dev:s0
 /dev/block/vnswap0           u:object_r:sswap_device:s0
 /dev/block/mmcblk0p[0-9]*    u:object_r:emmcblk_device:s0
 #/dev/block/platform/13540000.dwmmc0/by-name/EFS u:object_r:efs_block_device:s0
 #/dev/block/platform/13540000.dwmmc0/by-name/CPEFS   u:object_r:sec_efs_file:s0
 #/dev/block/platform/13540000.dwmmc0/by-name/RADIO u:object_r:radio_block_device:s0
 /dev/rfkill                  u:object_r:rfkill_device:s0
 /dev/bbd_control             u:object_r:bbd_device:s0
 /dev/bbd_packet              u:object_r:bbd_device:s0
 /dev/bbd_patch               u:object_r:bbd_device:s0
 /dev/bbd_reliable            u:object_r:bbd_device:s0
 /dev/bbd_sensor              u:object_r:bbd_device:s0
 /dev/bbd_sio                 u:object_r:bbd_device:s0
 #/dev/ttyBCM[0-9]*            u:object_r:bbd_device:s0
 /dev/esfp0                   u:object_r:fingerprint_device:s0
 /dev/vfsspi                  u:object_r:fingerprint_device:s0
 /dev/batch_io                u:object_r:sensor_device:s0
 /dev/ssp_sensorhub           u:object_r:sensor_device:s0
 # TFA98xx amplifier
 /dev/i2c-0                   u:object_r:amplifier_device:s0
 # Knox status
 /dev/knox_kap                u:object_r:knox_device:s0
 ####################################
 # efs files
 /efs/FactoryApp(/.*)?        u:object_r:app_efs_file:s0
 /efs/FactoryApp/baro_delta   u:object_r:baro_delta_factoryapp_efs_file:s0
 /efs/FactoryApp/factorymode  u:object_r:factorymode_factoryapp_efs_file:s0
 /efs/FactoryApp/fdata        u:object_r:radio_factoryapp_efs_file:s0
 /efs/FactoryApp/hist_nv      u:object_r:radio_factoryapp_efs_file:s0
 /efs/FactoryApp/prox_cal     u:object_r:sensor_factoryapp_efs_file:s0
 /efs/FactoryApp/test_nv      u:object_r:radio_factoryapp_efs_file:s0
 /efs/Battery(/.*)?           u:object_r:battery_efs_file:s0
 /efs/bluetooth(/.*)?         u:object_r:bluetooth_efs_file:s0
 /efs/drm(/.*)?               u:object_r:drm_efs_file:s0
 /efs/gyro_cal_data           u:object_r:sensor_efs_file:s0
 /efs/h2k\.dat                u:object_r:cpk_efs_file:s0
 /efs/imei(/.*)?              u:object_r:imei_efs_file:s0
 /efs/nv_data.bin(.*)         u:object_r:bin_nv_data_efs_file:s0
 /efs/nv.log                  u:object_r:bin_nv_data_efs_file:s0
 /efs/\.nv_core\.bak(.*)      u:object_r:bin_nv_data_efs_file:s0
 /efs/prov(/.*)?              u:object_r:prov_efs_file:s0
 /efs/prov_data(/.*)?         u:object_r:prov_efs_file:s0
 /efs/wifi(/.*)?              u:object_r:wifi_efs_file:s0
 /efs/wv\.keys                u:object_r:cpk_efs_file:s0
 /cpefs(/.*)?                 u:object_r:sec_efs_file:s0
 ####################################
 # data files
 /data/nfc(/.*)?              u:object_r:nfc_data_file:s0
 /data/\.cid\.info                  u:object_r:wifi_data_file:s0
 /data/misc/conn/\.wifiver\.info    u:object_r:wifi_data_file:s0
 /data/misc/radio(/.*)?       u:object_r:radio_data_file:s0
 # gps
 /data/system/gps(/.*)?       u:object_r:gps_data_file:s0
 /data/gps/ctrlpipe                                   u:object_r:gps_data_file:s0
 /data/gps/\.gpslogd\.pipe                            u:object_r:gps_data_file:s0
 /data/gps/nmeapipe                                   u:object_r:gps_data_file:s0
 /data/biometrics(/.*)?       u:object_r:fingerprintd_data_file:s0
 # camera
 /data/camera/ISP_CV          u:object_r:camera_data_file:s0
 # vendor
 /data/vendor/biometrics(/.*)?                u:object_r:biometrics_vendor_data_file:s0
 /data/vendor/conn(/.*)?                      u:object_r:conn_vendor_data_file:s0
 /data/vendor/gps(/.*)?                       u:object_r:gps_vendor_data_file:s0
 /data/vendor/wifi(/.*)?                      u:object_r:wifi_vendor_data_file:s0
 /data/vendor/log(/.*)?                       u:object_r:log_vendor_data_file:s0
 /data/vendor/log/cbd(/.*)?                   u:object_r:log_cbd_vendor_data_file:s0
 /data/vendor/secradio(/.*)?                  u:object_r:radio_vendor_data_file:s0
 /data/vendor/camera(/.*)?                    u:object_r:camera_vendor_data_file:s0
 /data/vendor/display(/.*)?                   u:object_r:display_vendor_data_file:s0
 /data/vendor/media(/.*)?                     u:object_r:media_vendor_data_file:s0
 /data/vendor/mediadrm(/.*)?                  u:object_r:mediadrm_vendor_data_file:s0
 /data/vendor/gk(/.*)?                        u:object_r:gk_vendor_data_file:s0
 /data/camera(/.*)?                           u:object_r:camera_data_file:s0
 ####################################
 # sysfs files
 #/sys/class/power_supply/battery/music -- u:object_r:sysfs_writable:s0
 #/sys/class/devfreq/exynos5-busfreq-mif(/.*)? -- u:object_r:sysfs_writable:s0
 #/sys/class/lcd(/.*)?         -- u:object_r:sysfs_writable:s0
 # bluetooth
 /sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/state  u:object_r:sysfs_bluetooth_writable:s0
 /sys/devices/bluetooth.[0-9]*/rfkill/rfkill0/type   u:object_r:sysfs_bluetooth_writable:s0
 /sys/class/rfkill/rfkill0/state                     u:object_r:sysfs_bluetooth_writable:s0
 /sys/class/rfkill/rfkill0/type                      u:object_r:sysfs_bluetooth_writable:s0
 # CP device
 /dev/spi_boot_link              u:object_r:radio_device:s0
 # cbd
 /sys/devices/10f24000.mipi-lli/lli_control  u:object_r:sysfs_mipi:s0
 # efs
 #/cpefs(/.*)?                                 u:object_r:sec_efs_file:s0
 #/efs/Battery(/.*)?                           u:object_r:battery_efs_file:s0
 #/efs/DAK(/.*)?                               u:object_r:prov_efs_file:s0
 #/efs/afc(/.*)?                               u:object_r:sec_efs_file:s0
 #/efs/bluetooth(/.*)?                         u:object_r:bluetooth_efs_file:s0
 #/efs/cpk(/.*)?                               u:object_r:cpk_efs_file:s0
 #/efs/imei(/.*)?                              u:object_r:imei_efs_file:s0
 #/efs/nfc(/.*)?                               u:object_r:nfc_efs_file:s0
 #/efs/nv_data\.bin(.*)                        u:object_r:bin_nv_data_efs_file:s0
 #/efs/pfw_data(/.*)?                          u:object_r:pfw_efs_file:s0
 #/efs/prov(/.*)?                              u:object_r:prov_efs_file:s0
 #/efs/prov_data(/.*)?                         u:object_r:prov_efs_file:s0
 #/efs/root(/.*)?                              u:object_r:app_efs_file:s0
 #/efs/tee(/.*)?                               u:object_r:tee_efs_file:s0
 #/efs/wifi(/.*)?                              u:object_r:wifi_efs_file:s0
 /mnt/vendor/efs(/.*)?                        u:object_r:efs_file:s0
 /mnt/vendor/efs/DAK(/.*)?                    u:object_r:prov_efs_file:s0
 /mnt/vendor/efs/afc(/.*)?                    u:object_r:sec_efs_file:s0
 /mnt/vendor/efs/bluetooth(/.*)?              u:object_r:bluetooth_efs_file:s0
 /mnt/vendor/efs/cpk(/.*)?                    u:object_r:cpk_efs_file:s0
 /mnt/vendor/efs/imei(/.*)?                   u:object_r:imei_efs_file:s0
 /mnt/vendor/efs/nv_data\.bin(.*)             u:object_r:bin_nv_data_efs_file:s0
 #/mnt/vendor/efs/pfw_data(/.*)?               u:object_r:pfw_efs_file:s0
 /mnt/vendor/efs/prov(/.*)?                   u:object_r:prov_efs_file:s0
 /mnt/vendor/efs/prov_data(/.*)?              u:object_r:prov_efs_file:s0
 /mnt/vendor/efs/root(/.*)?                   u:object_r:app_efs_file:s0
 #/mnt/vendor/efs/tee(/.*)?                    u:object_r:tee_efs_file:s0
 /mnt/vendor/efs/wifi(/.*)?                   u:object_r:wifi_efs_file:s0
 # gps
 /sys/class/sec/gps                                  u:object_r:sysfs_gps:s0
 /sys/devices/soc0/machine                           u:object_r:sysfs_gps:s0
 /sys/devices/soc0/revision                          u:object_r:sysfs_gps:s0
 /sys/devices/139c0000.pinctrl/gpio/gpio137/value    u:object_r:sysfs_gps:s0
 # rild
 /sys/devices/virtual/misc/multipdp(/.*)     u:object_r:sysfs_multipdp:s0
 /dev/socket/rild2                           u:object_r:rild_socket:s0
 /dev/socket/rild-debug2                     u:object_r:rild_debug_socket:s0
 # mDNIe
 /sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/accessibility       u:object_r:sysfs_mdnie:s0
 /sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/mode                u:object_r:sysfs_mdnie:s0
 /sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/scenario            u:object_r:sysfs_mdnie:s0
 /sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/lux                 u:object_r:sysfs_mdnie:s0
 /sys/devices/[0-9]*\.dsim/lcd/panel/mdnie/sensorRGB           u:object_r:sysfs_mdnie:s0
 # Lights
 /sys/devices/virtual/sec/sec_touchkey/brightness        u:object_r:sysfs_light:s0
 /sys/devices/14800000.dsim/backlight/panel(/.*)?        u:object_r:sysfs_light:s0
 /sys/class/leds(/.*)?                                   u:object_r:sysfs_light:s0
 /sys/devices/virtual/sec/led(/.*)?                      u:object_r:sysfs_light:s0
 /sys/class/lcd/panel/power_reduce                       u:object_r:sysfs_light:s0
 /sys/devices/i2c.24/i2c-6/6-0030/leds(/.*)?             u:object_r:sysfs_light:s0
 # Wifi
 /sys/module/dhd/parameters/firmware_path            u:object_r:sysfs_wifi:s0
 ####################################
 # deamons
 #
 /(vendor|system/vendor)/bin/mcDriverDaemon   u:object_r:tee_exec:s0
 /(vendor|system/vendor)/bin/modemloader      u:object_r:modemloader_exec:s0
 /(vendor|system/vendor)/bin/wifiloader       u:object_r:wifiloader_exec:s0
 /(vendor|system/vendor)/bin/cbd              u:object_r:cpboot-daemon_exec:s0
 /(vendor|system/vendor)/bin/gpsd             u:object_r:gpsd_exec:s0
 /(vendor|system/vendor)/bin/sswap            u:object_r:sswap_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.livedisplay@2\.0-service\.samsung-exynos    u:object_r:hal_lineage_livedisplay_sysfs_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.lineage\.touch@1\.0-service\.samsung                 u:object_r:hal_lineage_touch_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.clearkey    u:object_r:hal_drm_clearkey_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]\.[0-9]-service\.widevine    u:object_r:hal_drm_widevine_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.samsung               u:object_r:hal_light_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.samsung u:object_r:hal_fingerprint_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.0-service\.exynos                u:object_r:hal_power_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@2\.0-service\.samsung                u:object_r:hal_thermal_default_exec:s0
 # Samsung proprietaries
 /(vendor|system/vendor)/bin/hw/sec\.android\.hardware\.nfc@1\.2-service		                u:object_r:hal_nfc_default_exec:s0
 /(vendor|system/vendor)/bin/hw/vendor\.samsung\.hardware\.gnss@2\.0-service                 u:object_r:hal_gnss_default_exec:s0
--- a/sepolicy/fingerprintd.te
+++ b/sepolicy/fingerprintd.te
@ -0,0 +1,16 @@
 # allow hal_fingerprint_default to communicate with various devices
 binder_call(system_app, hal_fingerprint_default)
 # kernel fp device
 allow hal_fingerprint_default fingerprint_device:chr_file rw_file_perms;
 # secure memory device
 allow hal_fingerprint_default secmem_device:chr_file rw_file_perms;
 # trust zone device
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
 allow hal_fingerprint_default tee:unix_stream_socket connectto;
 # /data/biometrics/*
 # allow hal_fingerprint_default fingerprintd_data_file:dir create_dir_perms;
 # allow hal_fingerprint_default fingerprintd_data_file:file create_file_perms;
--- a/sepolicy/fsck.te
+++ b/sepolicy/fsck.te
@ -0,0 +1,3 @@
 # /dev/block/mmcblk0p[0-9]*
 allow fsck emmcblk_device:blk_file rw_file_perms;
 allowxperm fsck emmcblk_device:blk_file ioctl { BLKDISCARDZEROES BLKROGET };
--- a/sepolicy/genfs_contexts
+++ b/sepolicy/genfs_contexts
@ -0,0 +1,115 @@
 genfscon proc /device-tree u:object_r:proc_dt_firmware:s0
 genfscon proc /sys/vm/dirty_ratio               u:object_r:proc_vm:s0
 genfscon proc /sys/vm/dirty_bytes               u:object_r:proc_vm:s0
 genfscon proc /sys/vm/dirty_background_bytes    u:object_r:proc_vm:s0
 genfscon proc /sys/vm/min_free_kbytes           u:object_r:proc_vm:s0
 genfscon proc /sys/vm/swappiness                u:object_r:proc_vm:s0
 genfscon proc /sys/vm/vfs_cache_pressure        u:object_r:proc_vm:s0
 genfscon proc /reset_reason     u:object_r:proc_reset_reason:s0
 genfscon proc /simslot_count    u:object_r:proc_simslot_count:s0
 genfscon proc /bus/input/devices    u:object_r:proc_input_devices:s0
 # SEC devices
 genfscon proc /sec_log          u:object_r:proc_sec:s0
 #genfscon sysfs /class/sec      u:object_r:sysfs_sec:s0
 # Power supply devices
 genfscon sysfs /devices/battery.20/power_supply                                     u:object_r:sysfs_usb_supply:s0
 genfscon sysfs /devices/i2c.26/i2c-8/8-0034/s2mu003-charger/power_supply            u:object_r:sysfs_usb_supply:s0
 genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0035/power_supply                    u:object_r:sysfs_usb_supply:s0
 genfscon sysfs /devices/platform/htc_battery/power_supply/ps                        u:object_r:sysfs_usb_supply:s0
 # Input devices
 genfscon sysfs /devices/virtual/sec/sec_touchkey                            u:object_r:sysfs_input:s0
 genfscon sysfs /devices/virtual/sec/sec_key                                 u:object_r:sysfs_input:s0
 genfscon sysfs /devices/virtual/sec/tsp                                     u:object_r:sysfs_input:s0
 genfscon sysfs /devices/virtual/secgpio_check                               u:object_r:sysfs_input:s0
 genfscon sysfs /devices/virtual/input                                       u:object_r:sysfs_input:s0
 # A3 power devices
 genfscon sysfs /devices/i2c.21/i2c-4/4-0035/power_supply                            u:object_r:sysfs_usb_supply:s0
 genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0034/s2mu003-charger/power_supply    u:object_r:sysfs_usb_supply:s0
 # A3 Input devices
 genfscon sysfs /devices/13850000.i2c/i2c-10/10-0050/input/input3            u:object_r:sysfs_input:s0
 genfscon sysfs /devices/i2c.23/i2c-5/5-0020/input/input2                    u:object_r:sysfs_input:s0
 # A5 power supply devices
 genfscon sysfs /devices/battery.43/power_supply                                     u:object_r:sysfs_usb_supply:s0
 genfscon sysfs /devices/i2c.42/i2c-7/7-0071/power_supply                            u:object_r:sysfs_usb_supply:s0
 genfscon sysfs /devices/13890000.hsi2c/i2c-2/2-0049/sm5705-charger/power_supply     u:object_r:sysfs_usb_supply:s0
 # A5 Input devices
 genfscon sysfs /devices/13850000.i2c/i2c-10/10-0020/input/input3            u:object_r:sysfs_input:s0
 genfscon sysfs /devices/i2c.20/i2c-4/4-0020/input/input2                    u:object_r:sysfs_input:s0
 genfscon sysfs /devices/virtual/fingerprint/fingerprint                     u:object_r:sysfs_input:s0
 # S5 NEO Input devices
 genfscon sysfs /devices/13860000.i2c/i2c-11/11-0048/input/input2            u:object_r:sysfs_input:s0
 genfscon sysfs /devices/i2c.22/i2c-4/4-0020/input/input1                    u:object_r:sysfs_input:s0
 # SEC GPIO input devices
 genfscon sysfs /class/secgpio_check/secgpio_check_all/gpioinit_check        u:object_r:sysfs_input:s0
 genfscon sysfs /class/secgpio_check/secgpio_check_all/gpiosleep_check       u:object_r:sysfs_input:s0
 genfscon sysfs /class/secgpio_check/secgpio_check_all/checked_sleepGPIO     u:object_r:sysfs_input:s0
 # Input booster
 genfscon sysfs /class/input_booster/level   u:object_r:sysfs_input:s0
 genfscon sysfs /class/input_booster/head    u:object_r:sysfs_input:s0
 genfscon sysfs /class/input_booster/tail    u:object_r:sysfs_input:s0
 # Swap
 genfscon sysfs /devices/virtual/block/vnswap0   u:object_r:sysfs_sswap:s0
 # CPU/Scheduler devices
 genfscon sysfs /power/cpufreq_table         u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /power/cpufreq_min_limit     u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /power/cpufreq_max_limit     u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /module/cpuidle/parameters/off                       u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /module/cpuidle_exynos64_smp/parameters/enable_mask  u:object_r:sysfs_devices_system_cpu:s0
 genfscon sysfs /module/workqueue/parameters/power_efficient         u:object_r:sysfs_devices_system_cpu:s0
 # Camera
 genfscon sysfs /devices/virtual/camera              u:object_r:sysfs_camera:s0
 # GPS
 genfscon sysfs /devices/virtual/sec/gps             u:object_r:sysfs_gps:s0
 # Audio sysfs
 genfscon sysfs /devices/virtual/audio/earjack       u:object_r:sysfs_jack:s0
 # USB lun device
 genfscon sysfs /devices/13580000.usb/gadget/lun0    u:object_r:sysfs_android_usb:s0
 # MMC block device cache files
 genfscon sysfs /devices/virtual/bdi/179:0/read_ahead_kb     u:object_r:sysfs_block:s0
 genfscon sysfs /devices/virtual/bdi/179:32/read_ahead_kb    u:object_r:sysfs_block:s0
 # ION
 genfscon sysfs /devices/virtual/ion_cma     u:object_r:sysfs_ion:s0
 # Sensors
 genfscon sysfs /devices/virtual/sensors                             u:object_r:sysfs_sensors:s0
 genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0028/iio:device0     u:object_r:sysfs_sensors:s0
 genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-0068/iio:device1     u:object_r:sysfs_sensors:s0
 genfscon sysfs /devices/13870000.hsi2c/i2c-0/0-002e/iio:device2     u:object_r:sysfs_sensors:s0
 genfscon sysfs /devices/13540000.dwmmc0/mmc_host/mmc0/mmc0:0001/block/mmcblk0 u:object_r:sysfs_mmc:s0
 genfscon sysfs /devices/virtual/net/rmnet0 u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/net/rmnet1 u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/net/rmnet2 u:object_r:sysfs_net:s0
 genfscon sysfs /devices/virtual/net/rmnet3 u:object_r:sysfs_net:s0
 genfscon sysfs /devices/14830000.decon_fb  u:object_r:sysfs_graphics:s0
 genfscon sysfs /devices/14800000.dsim      u:object_r:sysfs_graphics:s0
 # video4linux
 genfscon sysfs /devices/12800000.mfc0/video4linux   u:object_r:sysfs_v4l:s0
--- a/sepolicy/gpsd.te
+++ b/sepolicy/gpsd.te
@ -0,0 +1,36 @@
 type gpsd, domain, netdomain;
 type gpsd_exec, exec_type, vendor_file_type, file_type;
 # gpsd is started by init, type transit from init domain to gpsd domain
 init_daemon_domain(gpsd)
 allow gpsd rild:unix_stream_socket connectto;
 get_prop(gpsd, exported_radio_prop)
 get_prop(gpsd, exported_config_prop)
 get_prop(gpsd, hwservicemanager_prop)
 hwbinder_use(gpsd)
 allow gpsd system_suspend_hwservice:hwservice_manager { find };
 allow gpsd fwk_sensor_hwservice:hwservice_manager { find };
 binder_call(gpsd, system_suspend_server)
 binder_call(gpsd, system_server)
 binder_call(system_server, gpsd)
 allow gpsd self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow gpsd self:{ tcp_socket udp_socket } create_stream_socket_perms;
 allow gpsd port:tcp_socket { name_bind name_connect };
 allow gpsd port:udp_socket name_bind;
 allow gpsd node:{ tcp_socket udp_socket } node_bind;
 # /acct/tasks
 allow gpsd cgroup:file getattr;
 # /dev/socket/fwmarkd
 allow gpsd fwmarkd_socket:sock_file write;
 # /data/vendor/gps
 allow gpsd gps_vendor_data_file:dir rw_dir_perms;
 allow gpsd gps_vendor_data_file:file create_file_perms;
 allow gpsd gps_vendor_data_file:fifo_file create_file_perms;
--- a/sepolicy/hal_bluetooth_default.te
+++ b/sepolicy/hal_bluetooth_default.te
@ -0,0 +1,6 @@
 # /dev/ttySAC3
 allow hal_bluetooth_default bluetooth_device:chr_file rw_file_perms;
 # /efs
 allow hal_bluetooth_default efs_file:dir search;
 r_dir_file(hal_bluetooth_default, bluetooth_efs_file)
--- a/sepolicy/hal_camera_default.te
+++ b/sepolicy/hal_camera_default.te
@ -0,0 +1,6 @@
 allow hal_camera_default sysfs_camera:dir search;
 allow hal_camera_default sysfs_camera:file rw_file_perms;
 allow hal_camera_default hal_graphics_mapper_hwservice:hwservice_manager find;
 vndbinder_use(hal_camera_default)
--- a/sepolicy/hal_drm_clearkey.te
+++ b/sepolicy/hal_drm_clearkey.te
@ -0,0 +1,10 @@
 # hal_drm_clearkey.te
 type hal_drm_clearkey, domain;
 hal_server_domain(hal_drm_clearkey, hal_drm)
 type hal_drm_clearkey_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_clearkey)
 hwbinder_use(hal_drm_clearkey)
 get_prop(hal_drm_clearkey, hwservicemanager_prop)
--- a/sepolicy/hal_drm_default.te
+++ b/sepolicy/hal_drm_default.te
@ -0,0 +1,10 @@
 vndbinder_use(hal_drm_default)
 # /dev/s5p-smem
 allow hal_drm_default secmem_device:chr_file rw_file_perms;
 allow hal_drm_default tee:unix_stream_socket connectto;
 allow hal_drm_default efs_file:dir search;
 allow hal_drm_default cpk_efs_file:file r_file_perms;
 allow hal_drm_default media_vendor_data_file:file create_file_perms;
 allow hal_drm_default media_vendor_data_file:dir create_dir_perms;
--- a/sepolicy/hal_drm_widevine.te
+++ b/sepolicy/hal_drm_widevine.te
@ -0,0 +1,23 @@
 # hal_drm_widevine.te
 type hal_drm_widevine, domain;
 hal_server_domain(hal_drm_widevine, hal_drm)
 type hal_drm_widevine_exec, exec_type, vendor_file_type, file_type;
 init_daemon_domain(hal_drm_widevine)
 allow hal_drm_widevine mediacodec:fd use;
 allow hal_drm_widevine { appdomain -isolated_app }:fd use;
 # /data/vendor/mediadrm/
 allow hal_drm_widevine mediadrm_vendor_data_file:dir create_dir_perms;
 allow hal_drm_widevine mediadrm_vendor_data_file:file create_file_perms;
 # /dev/s5p-smem
 allow hal_drm_widevine secmem_device:chr_file rw_file_perms;
 # /dev/tzdev
 #allow hal_drm_widevine tz_user_device:chr_file rw_file_perms;
 # /efs/wv.keys
 allow hal_drm_widevine efs_file:dir search;
 allow hal_drm_widevine sec_efs_file:file r_file_perms;
--- a/sepolicy/hal_fingerprint_default.te
+++ b/sepolicy/hal_fingerprint_default.te
@ -0,0 +1,2 @@
 allow hal_fingerprint_default sysfs_input:dir search;
 allow hal_fingerprint_default sysfs_input:file rw_file_perms;
--- a/sepolicy/hal_gnss_default.te
+++ b/sepolicy/hal_gnss_default.te
@ -0,0 +1,12 @@
 # hal_gnss_default.te
 # cgroups tasks
 allow hal_gnss_default cgroup:file getattr;
 # /data/vendor/gps
 allow hal_gnss_default gps_vendor_data_file:dir rw_dir_perms;
 allow hal_gnss_default gps_vendor_data_file:file create_file_perms;
 allow hal_gnss_default gps_vendor_data_file:fifo_file create_file_perms;
 # /mnt/vendor
 allow hal_gnss_default mnt_vendor_file:dir search;
--- a/sepolicy/hal_graphics_composer.te
+++ b/sepolicy/hal_graphics_composer.te
@ -0,0 +1,7 @@
 # Graphics sysfs
 allow hal_graphics_composer_default sysfs_graphics:dir  search;
 allow hal_graphics_composer_default sysfs_graphics:file rw_file_perms;
 # uevent socket
 allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
--- a/sepolicy/hal_health_default.te
+++ b/sepolicy/hal_health_default.te
@ -0,0 +1,2 @@
 r_dir_file(hal_health_default, sysfs_usb_supply)
 allow hal_health_default sysfs_usb_supply:file rw_file_perms;
--- a/sepolicy/hal_light_7570.te
+++ b/sepolicy/hal_light_7570.te
@ -1,7 +0,0 @@
 type hal_light_7570, domain, coredomain;
 hal_server_domain(hal_light_7570, hal_light)
 type hal_light_7570_exec, exec_type, file_type;
 init_daemon_domain(hal_light_7570)
 allow hal_light_7570 sysfs:file rw_file_perms;
--- a/sepolicy/hal_light_default.te
+++ b/sepolicy/hal_light_default.te
@ -0,0 +1,13 @@
 allow hal_light_default sysfs_light:dir search;
 allow hal_light_default sysfs_light:file rw_file_perms;
 allow hal_light_default sysfs_graphics:dir search;
 allow hal_light_default sysfs_graphics:file rw_file_perms;
 allow hal_light_default sysfs_input:dir search;
 allow hal_light_default sysfs_input:lnk_file read;
 allow hal_light_default sysfs_input:file rw_file_perms;
 allow hal_light_default sysfs_sec:dir search;
 allow hal_light_default sysfs_sec:lnk_file read;
 allow hal_light_default sysfs_sec:file rw_file_perms;
--- a/sepolicy/hal_lineage_livedisplay_sysfs.te
+++ b/sepolicy/hal_lineage_livedisplay_sysfs.te
@ -0,0 +1,14 @@
 # Allow LiveDisplay to store files under /data/vendor/display and access them
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:dir rw_dir_perms;
 allow hal_lineage_livedisplay_sysfs display_vendor_data_file:file create_file_perms;
 # Allow LiveDisplay to read and write to files in sysfs_graphics, sysfs_mdnie
 allow hal_lineage_livedisplay_sysfs {
    sysfs_graphics
    sysfs_mdnie
 }:dir search;
 allow hal_lineage_livedisplay_sysfs {
    sysfs_graphics
    sysfs_mdnie
 }:file rw_file_perms;
--- a/sepolicy/hal_lineage_touch_default.te
+++ b/sepolicy/hal_lineage_touch_default.te
@ -0,0 +1,2 @@
 allow hal_lineage_touch_default sysfs_input:dir search;
 allow hal_lineage_touch_default sysfs_input:file rw_file_perms;
--- a/sepolicy/hal_power_7570.te
+++ b/sepolicy/hal_power_7570.te
@ -1,9 +0,0 @@
 type hal_power_7570, domain, coredomain;
 hal_server_domain(hal_power_7570, hal_power)
 type hal_power_7570_exec, exec_type, file_type;
 init_daemon_domain(hal_power_7570)
 allow hal_power_7570 cgroup:file rw_file_perms;
 allow hal_power_7570 sysfs:file rw_file_perms;
 allow hal_power_7570 sysfs_devices_system_cpu:file rw_file_perms;
--- a/sepolicy/hal_power_default.te
+++ b/sepolicy/hal_power_default.te
@ -0,0 +1,19 @@
 # Allow reading of sysfs nodes to find input devices
 allow hal_power_default sysfs:dir r_dir_perms;
 allow hal_power_default sysfs:file r_file_perms;
 # Input devices
 allow hal_power_default sysfs_input:dir r_dir_perms;
 allow hal_power_default sysfs_input:file rw_file_perms;
 # CPU devices
 allow hal_power_default sysfs_devices_system_cpu:dir search;
 allow hal_power_default sysfs_devices_system_cpu:file rw_file_perms;
 # Lights
 allow hal_power_default sysfs_light:dir search;
 allow hal_power_default sysfs_light:file rw_file_perms;
 # Graphics
 allow hal_power_default sysfs_graphics:dir search;
 allow hal_power_default sysfs_graphics:file rw_file_perms;
--- a/sepolicy/hal_sensors_default.te
+++ b/sepolicy/hal_sensors_default.te
@ -0,0 +1,4 @@
 # hal_sensors_default.te
 # cgroup tasks
 allow hal_sensors_default cgroup:file getattr;
--- a/sepolicy/hal_vibrator_7570.te
+++ b/sepolicy/hal_vibrator_7570.te
@ -1,8 +0,0 @@
 type hal_vibrator_7570, domain, coredomain;
 hal_server_domain(hal_vibrator_7570, hal_vibrator)
 type hal_vibrator_7570_exec, exec_type, file_type;
 init_daemon_domain(hal_vibrator_7570)
 allow hal_vibrator_7570 sysfs:file rw_file_perms;
 allow hal_vibrator_7570 sysfs_vibrator:file rw_file_perms;
--- a/sepolicy/hal_wifi_default.te
+++ b/sepolicy/hal_wifi_default.te
@ -0,0 +1,8 @@
 allow hal_wifi_default efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:dir search;
 allow hal_wifi_default wifi_efs_file:file r_file_perms;
 # allow hal_wifi_default wifi_data_file:file r_file_perms;
 allow hal_wifi_default sysfs_wifi:file write;
--- a/sepolicy/healthd.te
+++ b/sepolicy/healthd.te
@ -0,0 +1,3 @@
 allow healthd rtc_device:chr_file rw_file_perms;
 allow healthd sysfs_usb_supply:file rw_file_perms;
--- a/sepolicy/init.te
+++ b/sepolicy/init.te
@ -1,5 +1,97 @@
-allow init vendor_configs_file:file mounton;
+# Mount debugfs on /sys/kernel/debug.
-allow init vendor_overlay_file:dir mounton;
+allow init debugfs:dir mounton;
-allow init ram_device:blk_file write;
+
-allow init sysfs_zram:file { create_file_perms rw_file_perms };
+# Mount EFS on /efs
-allow init sysfs_zram:dir rw_dir_perms;
+allow init efs_file:dir  mounton;
 # Mount CPEFS on /cpefs
 allow init sec_efs_file:dir mounton;
 # /dev/block/mmcblk0p[0-9]
 allow init emmcblk_device:blk_file rw_file_perms;
 allow init block_device:lnk_file setattr;
 allow init tmpfs:lnk_file create_file_perms;
 # /sys/class/power_supply/battery and /sys/class/android_usb/android0
 allow init sysfs_usb_supply:file { rw_file_perms setattr };
 # /data
 allow init sdcardd_exec:file r_file_perms;
 # sysfs iio:device[0-9]
 allow init sysfs:lnk_file setattr;
 # sysfs ion device
 allow init sysfs_ion:file setattr;
 # sysfs usb device
 allow init sysfs_android_usb:file setattr;
 # read/chown mDNIE symlinks
 allow init sysfs_mdnie:lnk_file { r_file_perms setattr };
 allow init sysfs_mdnie:file rw_file_perms;
 # read/chown camera firmware
 allow init sysfs_camera:file { relabelto setattr };
 allow init sysfs_camera:filesystem associate;
 # WiFi firmware permissions
 allow init sysfs_wifi:file setattr;
 # Input devices
 allow init sysfs_input:file { rw_file_perms setattr };
 # BT permissions
 allow init sysfs_bluetooth_writable:file setattr;
 # GPS permissions
 allow init sysfs_gps:lnk_file read;
 allow init sysfs_gps:file { rw_file_perms setattr };
 allow init gps_data_file:fifo_file write;
 allow init gps_data_file:file lock;
 allow init gps_device:chr_file { open read write };
 # CPU permissions
 allow init sysfs_devices_system_cpu:file rw_file_perms;
 # umts permissions
 allow init mif_device:chr_file rw_file_perms;
 # sswap permissions
 allow init sswap_device:blk_file write;
 allow init sysfs_sswap:file { open write };
 # Block device sysfs
 allow init sysfs_block:file rw_file_perms;
 # Audio Jack
 allow init sysfs_jack:file setattr;
 unix_socket_connect(init, property, rild)
 # Allow access to /proc/device-tree nodes
 r_dir_file(init, proc_dt_firmware)
 allow init sysfs_mmc:file { w_file_perms setattr };
 allow init sysfs_net:file rw_file_perms;
 allow init sysfs_graphics:file { rw_file_perms setattr };
 allow init sysfs_light:file { rw_file_perms setattr };
 allow init sysfs_light:lnk_file { rw_file_perms setattr };
 allow init sysfs_mdnie:file setattr;
 allow init sysfs_sec:file { rw_file_perms setattr };
 allow init sysfs_sec:lnk_file read;
 allow init sysfs_sensors:file { rw_file_perms setattr };
 allow init sysfs_sensors:lnk_file read;
 allow init sysfs_multipdp:file setattr;
 # Proc files
 allow init proc_reset_reason:file { rw_file_perms setattr };
 allow init proc_vm:file rw_file_perms;
 allow init proc_simslot_count:file rw_file_perms;
 allow init proc_sec:file { rw_file_perms setattr };
 # Sockets
 allow init socket_device:sock_file { read write getattr setattr create unlink };
 # allow init hal_drm_hwservice:hwservice_manager add;
--- a/sepolicy/kernel.te
+++ b/sepolicy/kernel.te
@ -1 +1,22 @@
-allow kernel vendor_file:file r_file_perms;
+allow kernel self:capability { chown mknod };
 # /dev/mbin0
 allow kernel emmcblk_device:blk_file r_file_perms;
 # /sys/devices/system/cpu/cpu[0-9]/cpufreq/*
 allow kernel sysfs_devices_system_cpu:file setattr;
 # /efs contents
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:dir r_dir_perms;
 allow kernel { app_efs_file battery_efs_file efs_file sensor_efs_file }:file rw_file_perms;
 # /efs/wifi/.mac.info
 r_dir_file(kernel, wifi_efs_file);
 # /data/misc/conn/.wifiver.info
 allow kernel wifi_data_file:file rw_file_perms;
 # Allow kernel to search tmpfs
 allow kernel tmpfs:dir search;
 allow kernel self:capability sys_module;
--- a/sepolicy/lpm.te
+++ b/sepolicy/lpm.te
@ -1 +0,0 @@
 type lpm_exec, exec_type, file_type;
--- a/sepolicy/mediacodec.te
+++ b/sepolicy/mediacodec.te
@ -0,0 +1,5 @@
 # /system/lib/omx/
 allow mediacodec system_file:dir r_dir_perms;
 # /sys/class/video4linux/*
 r_dir_file(mediacodec, sysfs_v4l);
--- a/sepolicy/mediaserver.te
+++ b/sepolicy/mediaserver.te
@ -0,0 +1,12 @@
 # /efs
 allow mediaserver efs_file:dir r_dir_perms;
 # /efs/wv.keys
 allow mediaserver efs_file:file r_file_perms;
 # /dev/m2m1shot_jpeg
 allow mediaserver camera_device:chr_file rw_file_perms;
 # Snap permissions
 allow mediaserver sensorservice_service:service_manager find;
 allow mediaserver system_server:unix_stream_socket rw_stream_socket_perms;
--- a/sepolicy/modemloader.te
+++ b/sepolicy/modemloader.te
@ -0,0 +1,10 @@
 #### modemloader
 #
 type modemloader, domain;
 type modemloader_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(modemloader)
 allow modemloader proc:file r_file_perms;
 set_prop(modemloader, modemloader_prop)
--- a/sepolicy/netd.te
+++ b/sepolicy/netd.te
@ -0,0 +1,4 @@
 # allow netd self:capability sys_module;
 # allow netd gpsd:fd use;
 # allow netd gpsd:udp_socket rw_socket_perms;
 # allow netd gpsd:tcp_socket rw_socket_perms;
--- a/sepolicy/property.te
+++ b/sepolicy/property.te
@ -0,0 +1,11 @@
 # CP-Boot Daemon
 type cpboot-daemon_prop, property_type;
 # modemloader
 type modemloader_prop, property_type;
 # mobicore (tee)
 type tee_prop, property_type;
 # sswap
 type sswap_prop, property_type;
--- a/sepolicy/property_contexts
+++ b/sepolicy/property_contexts
@ -0,0 +1,22 @@
 # bluetooth
 persist.bluetooth_fw_ver    u:object_r:bluetooth_prop:s0
 ro.bluetooth.tty            u:object_r:bluetooth_prop:s0
 wc_transport.               u:object_r:bluetooth_prop:s0
 # modemloader
 hw.revision            u:object_r:modemloader_prop:s0
 ro.cbd.dt_revision     u:object_r:modemloader_prop:s0
 ril.cbd.dt_revision    u:object_r:modemloader_prop:s0
 ro.modemloader.done    u:object_r:modemloader_prop:s0
 # mobicore
 sys.mobicoredaemon.enable         u:object_r:tee_prop:s0
 # radio
 persist.ril.modem.board    u:object_r:radio_prop:s0
 persist.ril.ims.eutranParam u:object_r:radio_prop:s0
 persist.ril.ims.utranParam  u:object_r:radio_prop:s0
 persist.ril.interfaceconf.failed u:object_r:radio_prop:s0
 # sswap
 persist.sys.swapoff     u:object_r:sswap_prop:s0
--- a/sepolicy/rild.te
+++ b/sepolicy/rild.te
@ -0,0 +1,66 @@
 # rild.te
 allow rild block_device:dir search;
 allow rild mnt_vendor_file:dir { getattr search };
 # audio hal
 allow rild hal_audio_default:dir search;
 allow rild hal_audio_default:file r_file_perms;
 # gps
 allow rild gpsd:dir search;
 allow rild gpsd:file r_file_perms;
 # /data
 allow rild system_data_file:dir getattr;
 # /data/vendor/log
 allow rild log_vendor_data_file:dir rw_dir_perms;
 allow rild log_vendor_data_file:file create_file_perms;
 # /dev/block/platform/.+/by-name/radio
 allow rild radio_block_device:blk_file r_file_perms;
 # /dev/drb
 # allow rild drb_device:chr_file rw_file_perms;
 # /dev/umts_*
 # /dev/umts_ipc*
 # allow rild vendor_radio_device:chr_file rw_file_perms;
 # /data/vendor/secradio
 allow rild radio_vendor_data_file:dir rw_dir_perms;
 allow rild radio_vendor_data_file:file create_file_perms;
 # /efs/FactoryApp/
 # /mnt/vendor/efs/root
 allow rild app_efs_file:dir r_dir_perms;
 allow rild app_efs_file:file { rw_file_perms setattr };
 # /efs/imei
 allow rild imei_efs_file:dir r_dir_perms;
 allow rild imei_efs_file:file r_file_perms;
 # /mnt/vendor/efs/
 allow rild prov_efs_file:dir r_dir_perms;
 allow rild prov_efs_file:file r_file_perms;
 # /mnt/vendor/efs/nv_data.bin
 allow rild bin_nv_data_efs_file:file { rw_file_perms setattr unlink };
 # /proc/net/xt_qtaguid/iface_stat_fmt
 allow rild proc_qtaguid_stat:file r_file_perms;
 # /proc/sys/net/ipv6/conf/*/accept_ra_defrtr
 allow rild proc_net:file rw_file_perms;
 # mdc.
 # persist.sys.omc_support
 # ro.csc.
 get_prop(rild, exported_config_prop);
 # ro.boot.cpboot, ril.NwNmId[0-9]
 get_prop(rild, exported_radio_prop)
 # vendor.cbd.
 # set_prop(rild, vendor_cbd_prop)
--- a/sepolicy/service_contexts
+++ b/sepolicy/service_contexts
@ -0,0 +1,2 @@
 # HWC
 Exynos.HWCService                           u:object_r:surfaceflinger_service:s0
--- a/sepolicy/sswap.te
+++ b/sepolicy/sswap.te
@ -0,0 +1,18 @@
 type sswap, domain;
 type sswap_exec, exec_type, file_type, vendor_file_type;
 type sswap_device, dev_type;
 init_daemon_domain(sswap);
 allow sswap sswap_device:blk_file rw_file_perms;
 allow sswap sysfs_sswap:file rw_file_perms;
 allow sswap sysfs_sswap:dir search;
 allow sswap block_device:dir search;
 allow sswap self:capability sys_admin;
 allow sswap proc_meminfo:file r_file_perms;
 allow sswap properties_device:dir r_dir_perms;
 r_dir_file(sswap, proc_stat);
 set_prop(sswap, sswap_prop)
--- a/sepolicy/surfaceflinger.te
+++ b/sepolicy/surfaceflinger.te
@ -0,0 +1,4 @@
 # HWC
 allow surfaceflinger secmem_device:chr_file rw_file_perms;
 allow surfaceflinger sysfs_graphics:file rw_file_perms;
 r_dir_file(surfaceflinger, sysfs_graphics)
--- a/sepolicy/system_app.te
+++ b/sepolicy/system_app.te
@ -0,0 +1,4 @@
 allow system_app sysfs_mdnie:{ file lnk_file } rw_file_perms;
 allow system_app sysfs_mdnie:dir search;
 allow system_app sysfs_graphics:dir search;
 allow system_app wificond:binder call;
--- a/sepolicy/system_server.te
+++ b/sepolicy/system_server.te
@ -1,2 +1,57 @@
-type boot_prop, property_type;
+# /efs
-set_prop(system_server, boot_prop);
+allow system_server efs_file:dir r_dir_perms;
 # /efs/gyro_cal_data
 allow system_server sensor_efs_file:file r_file_perms;
 # /data/system/gps/.gps.interface.pipe.*
 type_transition system_server system_data_file:fifo_file gps_data_file ".flp.interface.pipe.to_gpsd";
 type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_gpsd";
 type_transition system_server system_data_file:fifo_file gps_data_file ".gps.interface.pipe.to_jni";
 allow system_server gps_data_file:fifo_file create_file_perms;
 allow system_server gps_data_file:dir rw_dir_perms;
 # /data/system/gps/chip.info
 allow system_server gps_data_file:file r_file_perms;
 # /efs/prox_cal
 allow system_server efs_file:file r_file_perms;
 # /efs/FactoryApp
 allow system_server app_efs_file:dir r_dir_perms;
 allow system_server app_efs_file:file r_file_perms;
 # WifiMachine
 allow system_server self:capability sys_module;
 allow system_server wifi_efs_file:dir r_dir_perms;
 allow system_server wifi_efs_file:file r_file_perms;
 # mDNIE
 allow system_server sysfs_mdnie:lnk_file rw_file_perms;
 #allow system_server sysfs_mdnie:dir rw_dir_perms;
 allow system_server sysfs_mdnie:file rw_file_perms;
 # memtrack HAL
 allow system_server debugfs:dir r_dir_perms;
 # sensor HAL
 allow system_server sensor_device:chr_file rw_file_perms;
 allow system_server baro_delta_factoryapp_efs_file:file r_file_perms;
 allow system_server sensor_factoryapp_efs_file:file r_file_perms;
 allow system_server sysfs_sensors:file rw_file_perms;
 # /data/system/gps/xtraee.bin
 allow system_server gps_data_file:file create_file_perms;
 # Bluetooth buildprop
 get_prop(system_server, bluetooth_prop)
 # Grpahics sysfs
 allow system_server sysfs_graphics:file rw_file_perms;
 # Input sysfs
 allow system_server sysfs_input:file rw_file_perms;
 allow system_server proc_input_devices:file r_file_perms;
 # unix_socket_connect(system_server, property, gpsd)
--- a/sepolicy/tee.te
+++ b/sepolicy/tee.te
@ -0,0 +1,9 @@
 # /efs
 allow tee { efs_file prov_efs_file }:dir r_dir_perms;
 allow tee { efs_file prov_efs_file }:file r_file_perms;
 # Allow mobicore to search apk data
 # allow tee apk_data_file:dir search;
 # sys.mobicore.enable
 set_prop(tee, tee_prop)
--- a/sepolicy/ueventd.te
+++ b/sepolicy/ueventd.te
@ -0,0 +1,14 @@
 # /dev/block/mmcblk0p[0-9]
 allow ueventd emmcblk_device:blk_file { relabelfrom relabelto create setattr unlink rw_file_perms };
 # /sys/devices/virtual/misc/multipdp/uevent
 allow ueventd sysfs_multipdp:file rw_file_perms;
 # read/chown camera firmware
 allow ueventd sysfs_camera:file { relabelto rw_file_perms };
 allow ueventd sysfs_camera:filesystem associate;
 allow ueventd sysfs_usb_supply:file w_file_perms;
 # Allow access to /proc/device-tree nodes
 r_dir_file(ueventd, proc_dt_firmware)
--- a/sepolicy/uncrypt.te
+++ b/sepolicy/uncrypt.te
@ -0,0 +1,2 @@
 allow uncrypt emmcblk_device:blk_file w_file_perms;
 allow uncrypt emmcblk_device:dir r_dir_perms;
--- a/sepolicy/vold.te
+++ b/sepolicy/vold.te
@ -0,0 +1,8 @@
 # /efs
 allow vold efs_file:dir r_dir_perms;
 # /dev/block/mmcblk0p[0-9]
 allow vold emmcblk_device:dir create_dir_perms;
 allow vold emmcblk_device:blk_file { setattr unlink rw_file_perms };
 allow vold sysfs_mmc:file w_file_perms;
 r_dir_file(vold, proc_dt_firmware)
--- a/sepolicy/wifiloader.te
+++ b/sepolicy/wifiloader.te
@ -0,0 +1,22 @@
 #### wifiloader
 #
 type wifiloader, domain;
 type wifiloader_exec, exec_type, file_type, vendor_file_type;
 init_daemon_domain(wifiloader)
 unix_socket_connect(wifiloader, property, init)
 allow wifiloader proc:file r_file_perms;
 allow wifiloader sysfs_wlan_fwpath:file setattr;
 # allow wifiloader wifi_data_file:file rw_file_perms;
 set_prop(wifiloader, wifi_prop);
 # /efs
 allow wifiloader efs_file:dir search;
 # /efs/wifi
 allow wifiloader wifi_efs_file:dir search;
 allow wifiloader wifi_efs_file:file r_file_perms;
 # load .ko modules
 allow wifiloader self:capability { chown sys_module };
--- a/sepolicy/zygote.te
+++ b/sepolicy/zygote.te
@ -0,0 +1 @@
 dontaudit zygote proc_cmdline:file r_file_perms;
		`@ -0,0 +1 @@`
							`allow charger sysfs_usb_supply:file rw_file_perms;`
		`@ -0,0 +1,2 @@`
							`allow hal_fingerprint_default sysfs_input:dir search;`
							`allow hal_fingerprint_default sysfs_input:file rw_file_perms;`
		`@ -0,0 +1,2 @@`
							`r_dir_file(hal_health_default, sysfs_usb_supply)`
							`allow hal_health_default sysfs_usb_supply:file rw_file_perms;`
		`@ -0,0 +1,2 @@`
							`allow hal_lineage_touch_default sysfs_input:dir search;`
							`allow hal_lineage_touch_default sysfs_input:file rw_file_perms;`
		`@ -0,0 +1,3 @@`
							`allow healthd rtc_device:chr_file rw_file_perms;`

							`allow healthd sysfs_usb_supply:file rw_file_perms;`
		`@ -0,0 +1,2 @@`
							`# HWC`
							`Exynos.HWCService u:object_r:surfaceflinger_service:s0`
		`@ -0,0 +1,2 @@`
							`allow uncrypt emmcblk_device:blk_file w_file_perms;`
							`allow uncrypt emmcblk_device:dir r_dir_perms;`
		`@ -0,0 +1 @@`
							`dontaudit zygote proc_cmdline:file r_file_perms;`