msm8953-common: Import sepolicy from sdm660 tree

sepolicy/private/app.te

@@ -0,0 +1,2 @@
+# Allow appdomain to get persist_camera_prop
+get_prop(appdomain, persist_camera_prop)

sepolicy/private/hwservice_contexts

@@ -0,0 +1,2 @@
+vendor.nxp.nxpese::INxpEse u:object_r:nxpese_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc u:object_r:nxpnfc_hwservice:s0

sepolicy/private/system_app.te

@@ -0,0 +1 @@
+get_prop(system_app, persist_camera_prop);

sepolicy/private/system_server.te

@@ -0,0 +1 @@
+get_prop(system_server, persist_camera_prop) 

sepolicy/private/untrusted_app.te

@@ -0,0 +1 @@
+get_prop(untrusted_app, persist_camera_prop)

sepolicy/vendor/bootanim.te

@@ -0,0 +1 @@
+allow bootanim sysfs_kgsl:dir search;

sepolicy/vendor/charge_only.te

@@ -0,0 +1,98 @@
+type charge_only, domain;
+type charge_only_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(charge_only)
+
+# Read chargeonly_data_file
+allow charge_only chargeonly_data_file:dir rw_dir_perms;
+allow charge_only chargeonly_data_file:file create_file_perms;
+
+# Write to /dev/kmsg
+allow charge_only kmsg_device:chr_file rw_file_perms;
+
+# Read access to pseudo filesystems.
+r_dir_file(charge_only, sysfs_type)
+r_dir_file(charge_only, rootfs)
+r_dir_file(charge_only, cgroup)
+
+# Self permissions
+allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+# Wakelock
+wakelock_use(charge_only)
+
+# Allow access to sysfs
+allow charge_only sysfs:dir { read open };
+allow charge_only sysfs:file rw_file_perms;
+
+# Allow access to wakelock sysfs
+allow charge_only sysfs_wake_lock:file rw_file_perms;
+
+# Allow access to battery info sysfs
+allow charge_only sysfs_batteryinfo:file r_file_perms;
+
+# Allow access to battery supply sysfs
+allow charge_only sysfs_battery_supply:dir r_dir_perms;
+allow charge_only sysfs_battery_supply:file r_file_perms;
+allow charge_only sysfs_battery_supply:lnk_file r_file_perms;
+
+# Allow access to usb supply sysfs
+allow charge_only sysfs_usb_supply:dir r_dir_perms;
+allow charge_only sysfs_usb_supply:file r_file_perms;
+
+# Allow access to thermal sysfs
+allow charge_only sysfs_thermal:dir r_dir_perms;
+allow charge_only sysfs_thermal:file r_file_perms;
+allow charge_only sysfs_thermal:lnk_file r_file_perms;
+
+# Allow access to power sysfs
+allow charge_only sysfs_power:file rw_file_perms;
+
+# Allow access to led sysfs
+allow charge_only sysfs_leds:file rw_file_perms;
+
+# Allow access to graphics sysfs
+allow charge_only sysfs_graphics:dir r_dir_perms;
+allow charge_only sysfs_graphics:file rw_file_perms;
+
+# Read /sys/fs/pstore/console-ramoops
+# Don't worry about overly broad permissions for now, as there's
+# only one file in /sys/fs/pstore
+allow charge_only pstorefs:dir r_dir_perms;
+allow charge_only pstorefs:file r_file_perms;
+
+# Allow access to graphics dev
+allow charge_only graphics_device:dir r_dir_perms;
+allow charge_only graphics_device:chr_file rw_file_perms;
+
+# Allow access to input dev
+allow charge_only input_device:dir r_dir_perms;
+allow charge_only input_device:chr_file r_file_perms;
+
+# Allow access to tty dev
+allow charge_only tty_device:chr_file rw_file_perms;
+
+# Allow access to rtc dev
+allow charge_only rtc_device:chr_file rw_file_perms;
+
+# Allow access to proc_sysrq
+allow charge_only proc_sysrq:file rw_file_perms;
+
+# Allow access to persist dir
+allow charge_only persist_chargeonly_file:dir r_dir_perms;
+allow charge_only persist_chargeonly_file:file r_file_perms;
+
+# Allow access to vendor dir
+allow charge_only mnt_vendor_file:dir r_dir_perms;
+
+# Exec shell scripts
+allow charge_only vendor_shell_exec:file rx_file_perms;
+
+# Socks
+allow charge_only property_socket:sock_file write;
+allow charge_only init:unix_stream_socket connectto;
+
+# Props
+get_prop(charge_only, powerctl_prop)
+set_prop(charge_only, powerctl_prop)
+get_prop(charge_only, vendor_display_prop)
+get_prop(charge_only, moto_boot_prop)

sepolicy/vendor/file.te

@@ -1,4 +1,21 @@
-type adsprpcd_file, file_type;
-type firmware_file, file_type;
-type fsg_firmware_file, file_type;
-type persist_file, file_type;
+type debugfs_rmts, debugfs_type, fs_type;
+type debugfs_wlan, debugfs_type, fs_type;
+type fsg_firmware_file, file_type, contextmount_type, vendor_file_type;
+type perfd_socket, file_type;
+type persist_camera_file, file_type;
+type persist_battery_file, file_type;
+type persist_mdm_file, file_type, vendor_persist_type;
+type sysfs_fingerprint, sysfs_type, fs_type;
+type fingerprint_data_file, data_file_type, file_type;
+type fingerprint_socket, data_file_type, file_type;
+type sysfs_hwmon, sysfs_type, fs_type;
+type sysfs_sensor, sysfs_type, fs_type;
+type sysfs_wifi, sysfs_type, fs_type;
+type system_fps_data_file, file_type, data_file_type, core_data_file_type;
+
+# charge_only_mode
+type chargeonly_data_file, file_type, data_file_type;
+type persist_chargeonly_file, file_type, data_file_type;
+
+# Healthd
+type sysfs_healthd, fs_type, sysfs_type, mlstrustedobject;

sepolicy/vendor/file_contexts

@@ -1,5 +1,73 @@
-/dsp(/.*)?               u:object_r:adsprpcd_file:s0
-/firmware(/.*)?          u:object_r:firmware_file:s0
-/fsg(/.*)?               u:object_r:fsg_firmware_file:s0
-/persist(/.*)?           u:object_r:persist_file:s0
+# Dev block nodes for eMMC
+/dev/block/platform/soc/7824900\.sdhci/by-name/persist2          u:object_r:persist_block_device:s0
+# EMMC A/B partitions
+/dev/block/platform/soc/7824900\.sdhci/by-name/dto_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/fsg_[ab]          u:object_r:modem_efs_partition_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/logo_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/oem_[ab]          u:object_r:system_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/prov_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/soc/7824900\.sdhci/by-name/storsec_[ab]      u:object_r:custom_ab_block_device:s0
 
+/firmware/image(/.*)?                                               u:object_r:firmware_file:s0
+
+/dev/mmi_sys_temp            u:object_r:thermal_device:s0
+/dev/socket/perfd            u:object_r:perfd_socket:s0
+
+/(vendor|system/vendor)/fsg  u:object_r:fsg_firmware_file:s0
+
+/dev/v4l2-hal-ctrl           u:object_r:video_device:s0
+/sys/devices/soc/8c0000\.qcom,msm-cam/video4linux/video0(/.*)? u:object_r:sysfs_graphics:s0
+/sys/devices/soc/caa0000\.qcom,jpeg/video4linux/video1(/.*)?   u:object_r:sysfs_graphics:s0
+/sys/devices/soc/caa4000\.qcom,fd/video4linux/video2(/.*)?     u:object_r:sysfs_graphics:s0
+/sys/devices/soc/ca0c000\.qcom,cci/ca0c000.qcom,cci:qcom,camera@0/video4linux/video4(/.*)?     u:object_r:sysfs_graphics:s0
+/(mnt/vendor)/persist/camera(/.*)?                            u:object_r:persist_camera_file:s0
+/sys/devices/virtual/laser(/.*)?                              u:object_r:sysfs_sensor:s0
+/sys/devices/virtual/input/input4(/.*)?                       u:object_r:sysfs_sensor:s0
+
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-fpcservice    u:object_r:hal_fingerprint_fpc_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service-ets   u:object_r:hal_fingerprint_fpc_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service\.msm8953    u:object_r:hal_light_default_exec:s0
+/(vendor|system/vendor)/bin/init\.mmi\.(laser|usb)\.sh                          u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/init\.qcom\.power\.sh                               u:object_r:qti_init_shell_exec:s0
+/(vendor|system/vendor)/bin/perfd                                               u:object_r:perfd_exec:s0
+
+/sys/devices/soc/c900000\.qcom,mdss_mdp/c900000\.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight(/.*)?                  u:object_r:sysfs_leds:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-03/800f000\.qcom,spmi:qcom,pm660l@3:qcom,leds@d000/leds/charging(/.*)?        u:object_r:sysfs_leds:s0
+
+/sys/kernel/debug/rmt_storage(/.*)?                           u:object_r:debugfs_rmts:s0
+/sys/kernel/boot_wlan(/.*)?                                   u:object_r:sysfs_wifi:s0
+
+/sys/devices/soc/soc:fpc_fpc1020(/.*)?                        u:object_r:sysfs_fingerprint:s0
+/sys/devices/platform/egis_input(/.*)?                        u:object_r:sysfs_fingerprint:s0
+/sys/devices/soc/0.et320(/.*)?                                u:object_r:sysfs_fingerprint:s0
+/(mnt/vendor)/persist/egis(/.*)?                              u:object_r:fingerprint_data_file:s0
+/dev/esfp0                                                    u:object_r:tee_device:s0
+/data/\.fps(/.*)?                                             u:object_r:system_fps_data_file:s0
+/data/vendor/misc/cutback(/.*)?                               u:object_r:vendor_radio_data_file:s0
+/data/vendor/fpc(/.*)?                                        u:object_r:fingerprint_data_file:s0
+/data/vendor/fpc/socket                                       u:object_r:fingerprint_socket:s0
+/data/vendor/.fps(/.*)?                                       u:object_r:fingerprint_data_file:s0
+
+# Input devices
+/(vendor|system/vendor)/usr/idc(/.*)?                         u:object_r:vendor_idc_file:s0
+/(vendor|system/vendor)/usr/keylayout(/.*)?                   u:object_r:vendor_keylayout_file:s0
+
+/(vendor|system/vendor)/bin/wlan_carrier_bin\.sh            u:object_r:init_wifi_exec:s0
+
+# Charger
+/data/vendor/chargeonly(/.*)?                            u:object_r:chargeonly_data_file:s0
+/(mnt/vendor/persist|persist)/chargeonly(/.*)?           u:object_r:persist_chargeonly_file:s0
+/(vendor|system/vendor)/bin/charge_only_mode             u:object_r:charge_only_exec:s0
+
+# Persist mdm
+/(mnt/vendor)/persist/mdm(/.*)?                                         u:object_r:persist_mdm_file:s0
+
+# Battery and healthd
+/(mnt/vendor)/persist/battery(/.*)?                               u:object_r:persist_battery_file:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/battery(/.*)?      u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/dc(/.*)?           u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/main(/.*)?         u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/pc_port(/.*)?      u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/usb(/.*)?          u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/usbeb(/.*)?        u:object_r:sysfs_healthd:s0
+/sys/devices/soc/800f000\.qcom,spmi/spmi-0/spmi0-00/800f000\.qcom,spmi:qcom,pm660@0:qcom,qpnp-smb2/power_supply/wireless(/.*)?     u:object_r:sysfs_healthd:s0

sepolicy/vendor/fsck.te

@@ -0,0 +1 @@
+allow fsck modem_block_device:blk_file rw_file_perms;

sepolicy/vendor/genfs_contexts

@@ -0,0 +1,22 @@
+genfscon debugfs /wlan0   u:object_r:debugfs_wlan:s0
+
+genfscon sysfs /devices/virtual/hwmon                                         u:object_r:sysfs_hwmon:s0
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-00/800f000.qcom,spmi:qcom,pm660@0:vadc@3100/hwmon  u:object_r:sysfs_hwmon:s0
+
+genfscon sysfs /devices/soc/soc:qcom,cpubw                                    u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,mincpubw                                 u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu0                              u:object_r:sysfs_devfreq:s0
+genfscon sysfs /devices/soc/soc:qcom,memlat-cpu4                              u:object_r:sysfs_devfreq:s0
+
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@0/video4linux/video4/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@1/video4linux/video5/name u:object_r:sysfs_graphics:s0
+genfscon sysfs /devices/soc/ca0c000.qcom,cci/ca0c000.qcom,cci:qcom,camera@2/video4linux/video6/name u:object_r:sysfs_graphics:s0
+
+genfscon sysfs /devices/bt_wcn3990/rfkill/rfkill0/state                       u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/bt_wcn3990/rfkill/rfkill0/type                        u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/bt_wcn3990/extldo                                     u:object_r:sysfs_bluetooth_writable:s0
+
+genfscon sysfs /devices/soc/c176000.i2c/i2c-2/2-005b/leds/vibrator            u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/soc/soc:mmi_pl_chg_manager/power_supply/mmi_pl_chg_manager          u:object_r:sysfs_battery_supply:s0
+
+genfscon sysfs /devices/soc/800f000.qcom,spmi/spmi-0/spmi0-03/800f000.qcom,spmi:qcom,pm660l@3:qcom,leds@d800/leds u:object_r:sysfs_leds:s0

sepolicy/vendor/hal_audio_default.te

@@ -0,0 +1,3 @@
+unix_socket_connect(hal_audio_default, perfd, perfd)
+
+allow hal_audio_default sysfs:dir { open read };

sepolicy/vendor/hal_bootctl_default.te

@@ -0,0 +1,2 @@
+allow hal_bootctl_default modem_efs_partition_device:blk_file getattr;
+

sepolicy/vendor/hal_camera_default.te

@@ -0,0 +1,10 @@
+r_dir_file(hal_camera_default, persist_camera_file)
+allow hal_camera_default sysfs_battery_supply:dir search;
+allow hal_camera_default sysfs_battery_supply:file { getattr open read };
+allow hal_camera_default mnt_vendor_file:file rw_file_perms;
+allow hal_camera_default vendor_data_file:dir read;
+allow hal_camera_default camera_prop:property_service set;
+allow hal_camera_default sysfs_healthd:dir search;
+
+get_prop(hal_camera_default, moto_boot_prop)
+set_prop(hal_camera_default, camera_prop)

sepolicy/vendor/hal_cas_default.te

@@ -0,0 +1 @@
+vndbinder_use(hal_cas_default)

sepolicy/vendor/hal_fingerprint_fpc.te

@@ -0,0 +1,40 @@
+type hal_fingerprint_fpc, domain;
+typeattribute hal_fingerprint_fpc data_between_core_and_vendor_violators;
+
+hal_server_domain(hal_fingerprint_fpc, hal_fingerprint)
+
+type hal_fingerprint_fpc_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_fingerprint_fpc)
+
+hwbinder_use(hal_fingerprint_fpc)
+vndbinder_use(hal_fingerprint_fpc)
+
+# Check if hwservicemanager is ready
+get_prop(hal_fingerprint_fpc, hwservicemanager_prop)
+
+# Add com.fingerprints.extension::IFingerprint* service to hwservicemanager
+add_hwservice(hal_fingerprint_fpc, fpc_extension_service)
+
+r_dir_file(hal_fingerprint_fpc, firmware_file)
+r_dir_file(hal_fingerprint_fpc, sysfs_devfreq)
+
+allow hal_fingerprint_fpc tee_device:chr_file { open read write ioctl };
+allow hal_fingerprint_fpc uhid_device:chr_file rw_file_perms;
+allow hal_fingerprint_fpc sysfs_fingerprint:dir r_dir_perms;
+allow hal_fingerprint_fpc sysfs_fingerprint:file rw_file_perms;
+
+# Allow hal_fingerprint_fpc to add and find fpc_extension_service
+allow hal_fingerprint_fpc fpc_extension_service:hwservice_manager { add find };
+
+allow hal_fingerprint_fpc fingerprint_data_file:dir rw_dir_perms;
+allow hal_fingerprint_fpc fingerprint_data_file:file create_file_perms;
+
+allow hal_fingerprint_fpc self:netlink_socket create_socket_perms_no_ioctl;
+
+allow hal_fingerprint_fpc system_fps_data_file:dir { create_dir_perms };
+allow hal_fingerprint_fpc system_fps_data_file:file { create_file_perms };
+
+allow hal_fingerprint_fpc fingerprintd_data_file:dir rw_dir_perms;
+allow hal_fingerprint_fpc fingerprintd_data_file:file create_file_perms;
+
+allow hal_fingerprint_fpc tee_device:chr_file getattr;

sepolicy/vendor/hal_graphics_composer_default.te

@@ -0,0 +1 @@
+allow hal_graphics_composer_default sysfs_graphics:file r_file_perms;

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1,10 @@
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default sysfs_batteryinfo:file rw_file_perms;
+
+allow hal_health_default mnt_vendor_file:file { getattr open read };
+allow hal_health_default mnt_vendor_file:dir { search write };
+allow hal_health_default sysfs:file { getattr open read };
+allow hal_health_default sysfs_healthd:dir r_dir_perms;
+allow hal_health_default sysfs_healthd:file rw_file_perms;

sepolicy/vendor/hal_light_default.te

@@ -0,0 +1 @@
+allow hal_light_default sysfs_leds:file rw_file_perms;

sepolicy/vendor/hal_nfc_default.te

@@ -0,0 +1,5 @@
+allow hal_nfc_default nfc_vendor_data_file:dir rw_dir_perms;
+allow hal_nfc_default nfc_vendor_data_file:file create_file_perms;
+
+allow hal_nfc_default nxpese_hwservice:hwservice_manager { add find };
+allow hal_nfc_default nxpnfc_hwservice:hwservice_manager { add find };

sepolicy/vendor/hal_power_default.te

@@ -0,0 +1,4 @@
+r_dir_file(hal_power_default, debugfs_wlan)
+r_dir_file(hal_power_default, sysfs_graphics)
+unix_socket_connect(hal_power_default, perfd, perfd)
+allow hal_sensors_default sysfs_sensor:lnk_file read;

sepolicy/vendor/hal_sensors_default.te

@@ -0,0 +1,7 @@
+allow hal_sensors_default sysfs_sensor:dir r_dir_perms;
+allow hal_sensors_default sysfs_sensor:file rw_file_perms;
+allow hal_sensors_default self:netlink_kobject_uevent_socket { setopt bind };
+allow hal_sensors_default debugfs:dir { open read };
+allow hal_sensors_default self:netlink_kobject_uevent_socket { create read };
+allow hal_sensors_default sysfs:dir { open read };
+allow hal_sensors_default sysfs:file { getattr open read write };

sepolicy/vendor/hal_vibrator_default.te

@@ -0,0 +1,2 @@
+r_dir_file(hal_vibrator_default, sysfs_leds)
+allow hal_vibrator_default sysfs_leds:file rw_file_perms;

sepolicy/vendor/hal_wifi_default.te

@@ -0,0 +1,2 @@
+allow hal_wifi_default sysfs_wifi:file w_file_perms;
+allow hal_wifi_default proc_net:file w_file_perms;

sepolicy/vendor/healthd.te

@@ -0,0 +1,2 @@
+allow healthd sysfs_healthd:dir r_dir_perms;
+allow healthd sysfs_healthd:file rw_file_perms;

sepolicy/vendor/hvdcp.te

@@ -0,0 +1,4 @@
+allow hvdcp sysfs_batteryinfo:dir r_dir_perms;
+allow hvdcp sysfs_batteryinfo:file r_file_perms;
+allow hvdcp sysfs_healthd:dir r_dir_perms;
+allow hvdcp sysfs_healthd:file r_file_perms;

sepolicy/vendor/hwservice.te

@@ -0,0 +1,4 @@
+type fpc_extension_service, hwservice_manager_type;
+
+type nxpese_hwservice, hwservice_manager_type;
+type nxpnfc_hwservice, hwservice_manager_type;

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,6 @@
+com.fingerprints.extension::IFingerprintAuthenticator                             u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintCalibration                               u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintEngineering                               u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintNavigation                                u:object_r:fpc_extension_service:s0
+com.fingerprints.extension::IFingerprintSensorTest                                u:object_r:fpc_extension_service:s0
+vendor.egistec.hardware.fingerprint::IBiometricsFingerprintEts                    u:object_r:fpc_extension_service:s0

sepolicy/vendor/init.te

@@ -0,0 +1,11 @@
+allow init fsg_firmware_file:dir { mounton };
+allow init socket_device:sock_file { create setattr unlink };
+allow init fsg_firmware_file:filesystem  { relabelfrom  mount };
+allow init vendor_file:file execute;
+#TODO: This should not be needed and needs to be cleaned.
+allow fsg_firmware_file self:filesystem associate;
+allow init mnt_product_file:dir mounton;
+
+allow init bt_firmware_file:filesystem getattr;
+allow init firmware_file:filesystem getattr;
+allow init fsg_firmware_file:filesystem getattr;

sepolicy/vendor/init_wifi.te

@@ -0,0 +1,6 @@
+type init_wifi, domain;
+type init_wifi_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(init_wifi)
+
+allow init_wifi sysfs:file { open write };
+allow init_wifi vendor_toolbox_exec:file execute_no_trans;

sepolicy/vendor/installd.te

@@ -0,0 +1,4 @@
+allow installd bt_firmware_file:filesystem quotaget;
+allow installd firmware_file:filesystem quotaget;
+allow installd fsg_firmware_file:filesystem quotaget;
+

sepolicy/vendor/kernel.te

@@ -0,0 +1 @@
+r_dir_file(kernel, debugfs_wlan)

sepolicy/vendor/mediacodec.te

@@ -0,0 +1 @@
+unix_socket_connect(mediacodec, perfd, perfd)

sepolicy/vendor/nfc.te

@@ -0,0 +1,3 @@
+allow nfc nfc_vendor_data_file:dir rw_dir_perms;
+allow nfc nfc_vendor_data_file:file create_file_perms;
+get_prop(nfc, moto_boot_prop)

sepolicy/vendor/per_mgr.te

@@ -0,0 +1 @@
+allow vendor_per_mgr self:capability { net_raw };

sepolicy/vendor/perfd.te

@@ -0,0 +1,37 @@
+type perfd, domain;
+type perfd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(perfd)
+
+# perfd uses kill(pid, 0) to determine if a process exists.
+# Determining if a process exists does not require the kill capability
+# since a permission denied indicates the process exists.
+dontaudit perfd self:capability kill;
+
+allow perfd mediacodec:process signull;
+allow perfd hal_power_default:process signull;
+
+allow perfd cgroup:file rw_file_perms;
+
+allow perfd proc:file rw_file_perms;
+allow perfd sysfs_scsi_host:file r_file_perms;
+r_dir_file(perfd, sysfs_graphics)
+r_dir_file(perfd, sysfs_socinfo)
+
+allow perfd sysfs_devices_system_cpu:file w_file_perms;
+
+allow perfd perfd_socket:sock_file write;
+
+allow perfd device_latency:chr_file w_file_perms;
+
+# wahoo sysfs_msm_subsys is sysfs_devfreq + sysfs_kgsl
+r_dir_file(perfd, sysfs_devfreq)
+allow perfd sysfs_devfreq:file w_file_perms;
+
+r_dir_file(perfd, sysfs_kgsl)
+allow perfd sysfs_kgsl:file w_file_perms;
+
+allow perfd sysfs_msm_perf:dir r_dir_perms;
+allow perfd sysfs_msm_perf:file rw_file_perms;
+
+get_prop(perfd, freq_prop)

sepolicy/vendor/platform_app.te

@@ -0,0 +1,5 @@
+allow platform_app sysfs_kgsl:dir search;
+allow platform_app sysfs_kgsl:file { getattr open read };
+allow platform_app sysfs_healthd:dir r_dir_perms;
+allow platform_app sysfs_healthd:file rw_file_perms;
+get_prop(platform_app, moto_boot_prop)

sepolicy/vendor/property.te

@@ -0,0 +1,3 @@
+type power_prop, property_type;
+type moto_boot_prop, property_type;
+type vendor_fm_prop, property_type;

sepolicy/vendor/property_contexts

@@ -0,0 +1,36 @@
+vendor.ril.                u:object_r:vendor_radio_prop:s0
+vendor.rmnet_vnd.rps_mask  u:object_r:vendor_usb_prop:s0
+
+ro.boot.adb_early          u:object_r:moto_boot_prop:s0
+ro.boot.secure_hardware    u:object_r:moto_boot_prop:s0
+ro.boot.radio              u:object_r:moto_boot_prop:s0
+ro.boot.device             u:object_r:moto_boot_prop:s0
+ro.boot.dualsim            u:object_r:moto_boot_prop:s0
+ro.boot.hardware.sku       u:object_r:moto_boot_prop:s0
+ro.boot.carrier            u:object_r:moto_boot_prop:s0
+ro.boot.cid                u:object_r:moto_boot_prop:s0
+ro.boot.fsg-id             u:object_r:moto_boot_prop:s0
+ro.boot.hwrev              u:object_r:moto_boot_prop:s0
+ro.boot.powerup_reason     u:object_r:moto_boot_prop:s0
+ro.boot.bl_state           u:object_r:moto_boot_prop:s0
+ro.boot.revision           u:object_r:moto_boot_prop:s0
+ro.vendor.hw.dualsim       u:object_r:moto_boot_prop:s0
+ro.vendor.hw.device        u:object_r:moto_boot_prop:s0
+ro.vendor.hw.radio         u:object_r:moto_boot_prop:s0
+ro.vendor.hw.hwrev         u:object_r:moto_boot_prop:s0
+ro.vendor.hw.revision      u:object_r:moto_boot_prop:s0
+ro.vendor.boot.radio       u:object_r:moto_boot_prop:s0
+ro.vendor.bootreason    u:object_r:moto_boot_prop:s0
+ro.vendor.boot.hwrev       u:object_r:moto_boot_prop:s0
+ro.vendor.boot.powerup_reason   u:object_r:moto_boot_prop:s0
+ro.vendor.boot.bl_state    u:object_r:moto_boot_prop:s0
+ro.vendor.boot.serialno    u:object_r:moto_boot_prop:s0
+ro.vendor.carrier          u:object_r:moto_boot_prop:s0
+ro.vendor.boot.cid         u:object_r:moto_boot_prop:s0
+ro.vendor.fsg-id           u:object_r:moto_boot_prop:s0
+ro.vendor.zygote           u:object_r:moto_boot_prop:s0
+vendor.boot_completed      u:object_r:moto_boot_prop:s0
+
+ro.vendor.fm.              u:object_r:vendor_fm_prop:s0
+
+persist.vendor.camera.     u:object_r:camera_prop:s0

sepolicy/vendor/qti_init_shell.te

@@ -0,0 +1,16 @@
+allow qti_init_shell sysfs_sensor:file { rw_file_perms setattr };
+allow qti_init_shell persist_camera_file:file r_file_perms;
+allow qti_init_shell kmsg_device:chr_file { open write };
+allow qti_init_shell sysfs:file { rw_file_perms setattr };
+allow qti_init_shell vendor_radio_data_file:dir rw_dir_perms;
+allow qti_init_shell vendor_radio_data_file:file create_file_perms;
+
+get_prop(qti_init_shell, moto_boot_prop)
+get_prop(qti_init_shell, vendor_radio_prop)
+set_prop(qti_init_shell, exported2_default_prop)
+
+# Silence qemu.hw.mainkeys denial that we don't need
+dontaudit qti_init_shell default_prop:property_service set;
+
+# Silence DAC denials
+dontaudit qti_init_shell self:capability { dac_override dac_read_search };

sepolicy/vendor/radio.te

@@ -0,0 +1 @@
+get_prop(radio, qcom_ims_prop)

sepolicy/vendor/rild.te

@@ -0,0 +1,15 @@
+allow rild vendor_file:file rx_file_perms;
+allow rild persist_mdm_file:dir search;
+allow rild persist_mdm_file:file rw_file_perms;
+allow rild fwk_sensor_hwservice:hwservice_manager find;
+allow rild system_server:binder { call transfer };
+allow rild mnt_vendor_file:dir search;
+allow rild mnt_vendor_file:file rw_file_perms;
+allow rild proc:file r_file_perms;
+allow rild input_device:dir { open read };
+allow rild vendor_radio_data_file:dir rw_dir_perms;
+allow rild vendor_radio_data_file:file rw_file_perms;
+allow rild vendor_radio_data_file:sock_file create_file_perms;
+get_prop(rild, moto_boot_prop)
+get_prop(rild, vendor_radio_prop)
+get_prop(rild, wifi_prop)

sepolicy/vendor/rmt_storage.te

@@ -0,0 +1,18 @@
+allow rmt_storage {
+    modem_efs_partition_device
+    ssd_device
+}:blk_file rw_file_perms;
+
+r_dir_file(rmt_storage fsg_firmware_file)
+r_dir_file(rmt_storage, persist_file)
+
+allow rmt_storage debugfs_rmts:dir r_dir_perms;
+allow rmt_storage debugfs_rmts:file rw_file_perms;
+
+allow rmt_storage persist_rfs_file:dir search;
+allow rmt_storage persist_rfs_file:file rw_file_perms;
+allow rmt_storage mnt_vendor_file:dir search;
+get_prop(rmt_storage, vendor_radio_prop)
+
+get_prop(rmt_storage, moto_boot_prop)
+allow rmt_storage sysfs_data:file r_file_perms;

sepolicy/vendor/system_app.te

@@ -0,0 +1 @@
+get_prop(system_app, vendor_fm_prop)

sepolicy/vendor/system_server.te

@@ -0,0 +1,8 @@
+binder_call(system_server,rild);
+
+allow system_server sysfs_vibrator:file read;
+allow system_server fpc_extension_service:hwservice_manager find;
+allow system_server vendor_keylayout_file:dir r_dir_perms;
+allow system_server vendor_keylayout_file:file r_file_perms;
+allow system_server vendor_idc_file:dir r_dir_perms;
+allow system_server vendor_idc_file:file r_file_perms;

sepolicy/vendor/tee.te

@@ -0,0 +1,4 @@
+typeattribute tee data_between_core_and_vendor_violators;
+
+allow tee fingerprintd_data_file:dir rw_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;

sepolicy/vendor/thermal-engine.te

@@ -0,0 +1,18 @@
+typeattribute thermal-engine data_between_core_and_vendor_violators;
+
+# Allow thermal-engine to read files in /sys
+r_dir_file(thermal-engine, sysfs)
+
+allow thermal-engine sysfs_healthd:dir search;
+allow thermal-engine sysfs_healthd:file rw_file_perms;
+
+allow thermal-engine self:capability { chown fowner };
+
+get_prop(thermal-engine, moto_boot_prop)
+allow thermal-engine { proc_stat proc_loadavg }:file r_file_perms;
+
+allow thermal-engine sysfs_hwmon:dir r_dir_perms;
+allow thermal-engine sysfs_hwmon:file rw_file_perms;
+allow thermal-engine sysfs_devfreq:dir r_dir_perms;
+allow thermal-engine sysfs_devfreq:file rw_file_perms;
+r_dir_file(thermal-engine sysfs_socinfo)

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,22 @@
+typeattribute vendor_init data_between_core_and_vendor_violators;
+
+allow vendor_init {
+  dhcp_data_file
+  media_rw_data_file
+  system_data_file
+  tombstone_data_file
+  wifi_data_file
+  camera_data_file
+  fingerprint_data_file
+}:dir { create search getattr open read setattr ioctl write add_name remove_name rmdir relabelfrom };
+
+allow vendor_init proc_uid_cpupower:file write;
+
+# Allow vendor_init to relabel unlabeled files and directories
+allow vendor_init unlabeled:{ dir file } { getattr relabelfrom };
+
+get_prop(vendor_init, moto_boot_prop)
+set_prop(vendor_init, moto_boot_prop)
+set_prop(vendor_init, vendor_fm_prop)
+
+allow vendor_init system_fps_data_file:dir create_dir_perms;

sepolicy/vendor/vendor_toolbox.te

@@ -0,0 +1,54 @@
+type vendor_toolbox, domain;
+
+init_daemon_domain(vendor_toolbox)
+
+# Allow vendor_toolbox to use sys_admin capability
+allow vendor_toolbox self:capability sys_admin;
+
+# Allow vendor_toolbox to execute /vendor/bin/toybox_vendor
+allow vendor_toolbox vendor_toolbox_exec:file execute_no_trans;
+
+# Allow vendor_toolbox to read directories in rootfs
+allow vendor_toolbox rootfs:dir r_dir_perms;
+
+# Allow vendor_toolbox to remove "security.*" xattrs from /mnt/vendor/persist
+allow vendor_toolbox {
+    fingerprint_data_file
+    mnt_vendor_file
+    persist_alarm_file
+    persist_audio_file
+    persist_block_device
+    persist_bluetooth_file
+    persist_bms_file
+    persist_camera_file
+    persist_display_file
+    persist_drm_file
+    persist_file
+    persist_hvdcp_file
+    persist_mdm_file
+    persist_misc_file
+    persist_qti_fp_file
+    persist_rfs_file
+    persist_rfs_shared_hlos_file
+    persist_secnvm_file
+    persist_time_file
+    persist_vpp_file
+    regionalization_file
+    rfs_file
+    rfs_shared_hlos_file
+    sensors_persist_file
+    unlabeled
+    vendor_persist_mmi_file
+}:dir { r_dir_perms setattr };
+
+allow vendor_toolbox {
+    fingerprint_data_file
+    mnt_vendor_file
+    persist_bluetooth_file
+    persist_camera_file
+    persist_drm_file
+    persist_mdm_file
+    persist_rfs_file
+    persist_time_file
+    sensors_persist_file
+}:file { r_file_perms setattr };

sepolicy/vendor/vold.te

@@ -0,0 +1,2 @@
+#============= vold ==============
+allow vold system_data_file:file { ioctl open };

sepolicy/vendor/wcnss_service.te

@@ -0,0 +1 @@
+get_prop(wcnss_service, moto_boot_prop)