sanders: sepol: update sepolicy

-ref: https://github.com/crdroidandroid/android_device_motorola_sanders/tree/10.0-20200126

Signed-off-by: ronaxdevil <pratabidya.007@gmail.com>

sepolicy/vendor/atfwd.te

@@ -0,0 +1 @@
+allow atfwd sysfs:file read;

sepolicy/vendor/cameraserver.te

@@ -25,7 +25,7 @@ allow cameraserver media_rw_data_file:file { create read write open };
 allow cameraserver cameraserver:process { execmem };
 
 ####
-#allow cameraserver debug_prop:file { r_file_perms };
+allow cameraserver debug_prop:file { r_file_perms };
 allow cameraserver debug_prop:property_service set;
 
 #######
@@ -33,7 +33,7 @@ allow cameraserver debug_prop:property_service set;
 #allow cameraserver persist_file:file setattr;
 allow cameraserver shell_exec:file { read open execute };
 allow cameraserver self:socket create;
-#allow cameraserver camera_prop:property_service set;
+allow cameraserver camera_prop:property_service set;
 allow cameraserver init:unix_stream_socket connectto;
 allow cameraserver property_socket:sock_file write;
 #allow cameraserver cameraserver:socket { { getattr read ioctl lock } { append write lock } };
@@ -45,9 +45,13 @@ allow cameraserver debugfs:dir { read open };
 allow cameraserver nfc_data_file:file { open write };
 allow cameraserver socket_device:sock_file write;
 
-#allow cameraserver hal_perf_default:binder call;
+allow cameraserver hal_perf_default:binder call;
 
-#allow cameraserver sysfs_battery_supply:dir search;
+allow cameraserver sysfs_battery_supply:dir search;
-#allow cameraserver sysfs_battery_supply:file { getattr open read };
+allow cameraserver sysfs_battery_supply:file { getattr open read };
 
 allow cameraserver camera_bgproc_service:service_manager { add find };
+allow cameraserver self:netlink_kobject_uevent_socket { read bind create setopt };
+allow cameraserver default_android_service:service_manager find;
+allow cameraserver rootfs:lnk_file getattr;
+allow cameraserver init:unix_dgram_socket { sendto };

sepolicy/vendor/charge_only.te

@@ -1,42 +0,0 @@
-type charge_only, domain;
-type charge_only_exec, exec_type, file_type, vendor_file_type;
-init_daemon_domain(charge_only)
-
-# Write to /dev/kmsg
-allow charge_only kmsg_device:chr_file rw_file_perms;
-
-# Read access to pseudo filesystems.
-r_dir_file(charge_only, sysfs_type)
-r_dir_file(charge_only, rootfs)
-r_dir_file(charge_only, cgroup)
-
-allow charge_only self:capability { net_admin sys_tty_config sys_boot };
-allow charge_only self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
-
-wakelock_use(charge_only)
-
-# Write to /sys/power/state
-# TODO:  Split into a separate type?
-allow charge_only sysfs:dir { read open };
-allow charge_only sysfs:file { read open write };
-
-allow charge_only sysfs_wake_lock:file rw_file_perms;
-
-allow charge_only sysfs_batteryinfo:file r_file_perms;
-
-# Read /sys/fs/pstore/console-ramoops
-# Don't worry about overly broad permissions for now, as there's
-# only one file in /sys/fs/pstore
-allow charge_only pstorefs:dir r_dir_perms;
-allow charge_only pstorefs:file r_file_perms;
-
-allow charge_only graphics_device:dir r_dir_perms;
-allow charge_only graphics_device:chr_file rw_file_perms;
-allow charge_only input_device:dir r_dir_perms;
-allow charge_only input_device:chr_file r_file_perms;
-allow charge_only tty_device:chr_file rw_file_perms;
-allow charge_only proc_sysrq:file rw_file_perms;
-
-# charger needs to tell init to continue the boot
-# process when running in charger mode.
-set_prop(charge_only, system_prop)

sepolicy/vendor/cnd.te

@@ -1,2 +1,3 @@
-#allow cnd diag_device:chr_file { read write };
+allow cnd diag_device:chr_file { read write };
-#allow cnd self:capability { net_raw };
+allow cnd self:capability { chown dac_override fsetid net_raw };
+allow cnd sysfs:file read;

sepolicy/vendor/energyawareness.te

@@ -1,2 +1,2 @@
-#allow energyawareness sysfs_uio:file r_file_perms;
+allow energyawareness sysfs_uio:file r_file_perms;
-#allow energyawareness sysfs_rmt_storage:file r_file_perms;
+allow energyawareness sysfs_rmt_storage:file r_file_perms;

sepolicy/vendor/file.te

@@ -1,9 +1,6 @@
 # ADSP
 type adspd_data_file, file_type, data_file_type, core_data_file_type;
 
-# charge_only_mode
-type chargeonly_data_file, file_type, data_file_type, core_data_file_type;
-
 # FSG
 type fsg_file, fs_type, contextmount_type;
 
@@ -31,11 +28,8 @@ type wapi_supplicant_data_file, file_type, data_file_type, core_data_file_type;
 # RIL
 type netmgr_data_file, file_type, data_file_type, core_data_file_type;
 
-#test firmware
-type firmware_file, file_type;
-
 # sysfs
-#type sysfs_adsp, fs_type, sysfs_type;
+type sysfs_adsp, fs_type, sysfs_type;
 type sysfs_homebutton, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_mmi_fp, fs_type, sysfs_type;
 
@@ -52,7 +46,6 @@ type sysfs_wcnsscore, fs_type, sysfs_type;
 type nv_data_file, file_type, data_file_type, core_data_file_type;
 type sysfs_rmt_storage, fs_type, sysfs_type;
 type debugfs_rmt_storage, debugfs_type, fs_type;
-type debugfs_wlan, debugfs_type, fs_type;
 type perfd_data_file, file_type, data_file_type, core_data_file_type;
 type proc_kernel_sched, fs_type;
 type sysfs_power_management, sysfs_type, fs_type;
@@ -60,3 +53,5 @@ type proc_touchpanel, fs_type;
 
 type camera_socket, file_type, data_file_type, core_data_file_type;
 type sysfs_screen_off_gestures, fs_type, sysfs_type, mlstrustedobject;
+type sysfs_fpc_proximity, sysfs_type, fs_type;
+type theme_data_file, file_type, data_file_type;

sepolicy/vendor/file_contexts

@@ -1,41 +1,36 @@
-#/dev/block/platform/soc/7824900.sdhci/mmcblk0p19         u:object_r:modem_efs_partition_device:s0
-#/dev/block/platform/soc/7824900.sdhci/mmcblk0p27         u:object_r:modem_efs_partition_device:s0
-#/dev/block/platform/soc/7824900.sdhci/mmcblk0p28         u:object_r:modem_efs_partition_device:s0
-
-# FSG
-/fsg                                                     u:object_r:fsg_file:s0
-
 # ADSP
-#/sys/kernel/aov(/.*)?                                    u:object_r:sysfs_adsp:s0
+/sys/kernel/aov(/.*)?                                    u:object_r:sysfs_adsp:s0
 /data/adspd(/.*)?                                        u:object_r:adspd_data_file:s0
 
 # AMPS
 /dev/hidraw[0-9]*                                        u:object_r:amps_raw_device:s0
 
 # Binaries
-/vendor/bin/charge_only_mode                             u:object_r:charge_only_exec:s0
 /vendor/bin/init\.mmi\.boot\.sh                          u:object_r:mmi_boot_exec:s0
 /vendor/bin/wlan_carrier_bin\.sh                         u:object_r:init_wifi_exec:s0
-#/vendor/bin/init\.qti\.fm\.sh		u:object_r:qti_init_shell_exec:s0
+/vendor/bin/init\.qti\.fm\.sh		                 u:object_r:qti_init_shell_exec:s0
+
+#Camera
+/(vendor|system/vendor)/bin/hw/motorola\.hardware\.camera\.provider@2\.4-service        u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/lib/motorola\.hardware\.camera\.device@1\.0.so                  u:object_r:hal_camera_default_exec:s0
+/(vendor|system/vendor)/lib/motorola\.hardware\.camera\.provider@2\.4.so                u:object_r:hal_camera_default_exec:s0
 
 # CMActions
 /sys/homebutton(/.*)?                                    u:object_r:sysfs_homebutton:s0
 
-# Motorola services
-/data/chargeonlymode(/.*)?                               u:object_r:chargeonly_data_file:s0
-
 # Fingerprint
 /data/.fps(/.*)?                                         u:object_r:fingerprintd_data_file:s0
 /data/fpc                                                u:object_r:fingerprintd_data_file:s0
 /data/fpc/socket                                         u:object_r:fpc_socket:s0
 
-/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0(/.*)? u:object_r:sysfs_fpc:s0
+/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0(/.*)?                u:object_r:sysfs_fpc:s0
+/sys/devices/soc/7af8000.spi/spi_master/spi8/spi8.0/proximity_state      u:object_r:sysfs_fpc_proximity:s0
 
 # Modem
 /persist/mdm(/.*)?                                       u:object_r:persist_modem_file:s0
 
 /persist/prop(/.*)?                                      u:object_r:persist_omadm_file:s0
-#/persist/prov(/.*)?                                      u:object_r:persist_drm_file:s0
+/persist/prov(/.*)?                                      u:object_r:persist_drm_file:s0
 /persist/omadm(/.*)?                                     u:object_r:persist_omadm_file:s0
 /persist/omadm_database(/.*)?                            u:object_r:persist_omadm_file:s0
 /persist/omadm_cust_database(/.*)?                       u:object_r:persist_omadm_file:s0
@@ -62,9 +57,9 @@
 /sys/module/qpnp_bms(/.*)?                               u:object_r:sysfs_batt:s0
 /sys/module/cnss_pci(/.*)?                               u:object_r:sysfs_cnss:s0
 
-#/sys/devices/iio_sysfs_trigger(/.*)?                     u:object_r:sysfs_sensors:s0
+/sys/devices/iio_sysfs_trigger(/.*)?                     u:object_r:sysfs_sensors:s0
-#/sys/devices/virtual/stm401/stm401_ms(/.*)?              u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_ms(/.*)?              u:object_r:sysfs_sensors:s0
-#/sys/devices/virtual/stm401/stm401_as(/.*)?              u:object_r:sysfs_sensors:s0
+/sys/devices/virtual/stm401/stm401_as(/.*)?              u:object_r:sysfs_sensors:s0
 
 /sys/devices/platform/msm_ssbi.0/pm8921-core/pm8921-charger(/.*)? u:object_r:sysfs_batt:s0
 
@@ -94,7 +89,7 @@
 /dev/block/bootdevice/by-name/hw                         u:object_r:hw_block_device:s0
 /dev/block/bootdevice/by-name/metadata                   u:object_r:metadata_block_device:s0
 /dev/block/mmcblk0p35                                    u:object_r:metadata_block_device:s0
-#/dev/block/bootdevice/by-name/persist                    u:object_r:persist_block_device:s0
+/dev/block/bootdevice/by-name/persist                    u:object_r:persist_block_device:s0
 /dev/block/bootdevice/by-name/utagsBackup                u:object_r:utags_block_device:s0
 /dev/block/bootdevice/by-name/utags                      u:object_r:utags_block_device:s0
 
@@ -102,7 +97,7 @@
 /data/misc/netmgr(/.*)?                                  u:object_r:netmgr_data_file:s0
 
 # Sensors
-#/dev/mmi_sys_temp                                        u:object_r:thermal_device:s0
+/dev/mmi_sys_temp                                        u:object_r:thermal_device:s0
 /dev/motosh                                              u:object_r:sensors_device:s0
 /dev/motosh_as                                           u:object_r:sensors_device:s0
 /dev/motosh_ms                                           u:object_r:sensors_device:s0
@@ -120,21 +115,25 @@
 /data/system/perfd(/.*)?                                        u:object_r:perfd_data_file:s0
 /data/oemnvitems(/.*)?                                          u:object_r:nv_data_file:s0
 
-/(vendor|system/vendor)/bin/perfd           u:object_r:perfd_exec:s0
+/system/vendor/bin/perfd           u:object_r:perfd_exec:s0
-/(vendor|system/vendor)/bin/hw/android\.hardware\.power@1\.1-service-qti          u:object_r:hal_power_default_exec:s0
+/system/vendor/bin/hw/android\.hardware\.power@1\.1-service-qti          u:object_r:hal_power_default_exec:s0
-#/(vendor|system/vendor)/radio(/.*)? u:object_r:radio_data_file:s0
+/system/vendor/radio(/.*)? u:object_r:radio_data_file:s0
 
-/(vendor|system/vendor)/bin/qmi_motext_hook u:object_r:rild_exec:s0
+/system/vendor/bin/qmi_motext_hook u:object_r:rild_exec:s0
 
 /sys/kernel/debug/rmt_storage(/.*)? u:object_r:debugfs_rmt_storage:s0
 
 # Fingerprint custom hal
 /(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service_32 u:object_r:hal_fingerprint_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-fpcservice  u:object_r:hal_fingerprint_default_exec:s0
 
 # Light HAL
 /(vendor|system/vendor)/bin/hw/android\.hardware\.light@2\.0-service.sanders                                     u:object_r:hal_light_default_exec:s0
 /sys/devices/soc/1a00000.qcom,mdss_mdp/1a00000.qcom,mdss_mdp:qcom,mdss_fb_primary/leds/lcd-backlight/brightness	   u:object_r:sysfs_leds:s0
 /sys/devices/soc/leds-atc-20/leds/charging/brightness	                                                           u:object_r:sysfs_leds:s0
 
-# files in firmware
+# Files in firmware
-/firmware(/.*)?         u:object_r:firmware_file:s0
+/firmware(/.*)?          u:object_r:firmware_file:s0
+
+# Files in fsg
+/fsg(/.*)?               u:object_r:fsg_file:s0

sepolicy/vendor/fingerprintd.te

@@ -1,5 +1,5 @@
-#allow fingerprintd firmware_file:dir search;
+allow fingerprintd firmware_file:dir search;
-#allow fingerprintd firmware_file:file { getattr open read };
+allow fingerprintd firmware_file:file { getattr open read };
 allow fingerprintd fingerprintd_data_file:dir { add_name getattr remove_name write };
 allow fingerprintd fingerprintd_data_file:file { append create getattr open setattr unlink };
 allow fingerprintd fingerprintd_data_file:sock_file { create unlink };
@@ -8,5 +8,5 @@ allow fingerprintd sysfs_mmi_fp:file rw_file_perms;
 allow fingerprintd system_data_file:sock_file unlink;
 allow fingerprintd sysfs_fpc:dir r_dir_perms;
 allow fingerprintd sysfs_fpc:file rw_file_perms;
-#allow fingerprintd tee_device:chr_file { ioctl open read write };
+allow fingerprintd tee_device:chr_file { ioctl open read write };
 allow fingerprintd uhid_device:chr_file rw_file_perms;

sepolicy/vendor/firmware_file.te

@@ -1,2 +1,2 @@
-#allow firmware_file rootfs:filesystem associate;
+allow firmware_file rootfs:filesystem associate;
 

sepolicy/vendor/fsck.te

@@ -1 +1,2 @@
 # allow fsck block_device:blk_file { read write };
+allow fsck fsck:capability { dac_override dac_read_search };

sepolicy/vendor/hal_audio_default.te

@@ -1,2 +1 @@
-get_prop(hal_audio_default, dirac_prop)
+allow hal_audio_default sysfs:dir {open read };
-set_prop(hal_audio_default, dirac_prop)

sepolicy/vendor/hal_camera_default.te

@@ -1,4 +1,10 @@
-#allow hal_camera_default gpu_device:dir r_dir_perms;
+allow hal_camera_default gpu_device:dir r_dir_perms;
-#allow hal_camera_default gpu_device:file r_file_perms;
+allow hal_camera_default gpu_device:file r_file_perms;
-#allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow hal_camera_default hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-#allow hal_camera_default hal_configstore_default:binder call;
+allow hal_camera_default hal_configstore_default:binder call;
+allow hal_camera_default unlabeled:file {open getattr read };
+allow hal_camera_default camera_data_file:sock_file write;
+allow hal_camera_default persist_file:file { rw_file_perms setattr };
+allow hal_camera_default hal_graphics_allocator_hwservice:hwservice_manager { find };
+allow hal_camera_default system_server:unix_stream_socket { read write };
+allow hal_camera_default sysfs:file { read open getattr };

sepolicy/vendor/hal_drm_default.te

@@ -1,2 +1,2 @@
-#allow hal_drm_default firmware_file:lnk_file read;
+allow hal_drm_default firmware_file:lnk_file read;
-#allow hal_drm_default debug_prop:file read;
+allow hal_drm_default debug_prop:file read;

sepolicy/vendor/hal_esepowermanager_qti.te

@@ -0,0 +1 @@
+allow hal_esepowermanager_qti unlabeled:dir search;

sepolicy/vendor/hal_fingerprint_default.te

@@ -2,10 +2,18 @@ allow hal_fingerprint_default sysfs_fpc:file rw_file_perms;
 allow hal_fingerprint_default sysfs_fpc:dir r_dir_perms;
 allow hal_fingerprint_default fpc_data_file:dir rw_dir_perms;
 allow hal_fingerprint_default tee_device:chr_file rw_file_perms;
-#allow hal_fingerprint_default firmware_file:dir search;
+allow hal_fingerprint_default firmware_file:dir search;
-#allow hal_fingerprint_default firmware_file:file r_file_perms;
+allow hal_fingerprint_default firmware_file:file r_file_perms;
-#allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
+allow hal_fingerprint_default sysfs_graphics:dir r_dir_perms;
-#allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
+allow hal_fingerprint_default sysfs_graphics:file r_file_perms;
 allow hal_fingerprint_default sysfs_leds:dir r_dir_perms;
 allow hal_fingerprint_default sysfs_leds:file r_file_perms;
 allow hal_fingerprint_default uhid_device:chr_file rw_file_perms;
+
+allow hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
+allow hal_fingerprint_default unlabeled:dir search;
+allow hal_fingerprint_default unlabeled:file { getattr open read };
+allow hal_fingerprint_default fingerprintd_data_file:dir { add_name getattr remove_name search write };
+allow hal_fingerprint_default system_data_file:dir { add_name getattr create write };
+allow hal_fingerprint_default system_data_file:file create;
+allow hal_fingerprint_default fingerprintd_data_file:file { getattr rename unlink };

sepolicy/vendor/hal_gatekeeper_default.te

@@ -0,0 +1 @@
+get_prop(hal_gatekeeper_default, tee_listener_prop)

sepolicy/vendor/hal_gnss_qti.te

@@ -1,6 +1,6 @@
-#get_prop(hal_gnss_qti, diag_prop);
+get_prop(hal_gnss_qti, diag_prop);
-#allow hal_gnss_qti debug_prop:file read;
+allow hal_gnss_qti debug_prop:file read;
-#allow hal_gnss_qti property_socket:sock_file write;
+allow hal_gnss_qti property_socket:sock_file write;
 
 # Most HALs are not allowed to use network sockets. Qcom library
 # libqdi is used across multiple processes which are clients of
@@ -14,4 +14,5 @@
 # libqdi and have all its clients use netlink route
 # sockets.
 # Taken from device/google/wahoo
-#dontaudit hal_gnss_qti self:udp_socket create;
+dontaudit hal_gnss_qti self:udp_socket create;
+allow hal_gnss_qti sysfs:file read;

sepolicy/vendor/hal_health_default.te

@@ -0,0 +1 @@
+allow hal_health_default sysfs:file { open getattr read };

sepolicy/vendor/hal_keymaster_default.te

@@ -0,0 +1 @@
+get_prop(hal_keymaster_default, tee_listener_prop)

sepolicy/vendor/hal_keymaster_qti.te

@@ -0,0 +1 @@
+allow hal_keymaster_qti system_file:file read;

sepolicy/vendor/hal_memtrack_default.te

@@ -0,0 +1 @@
+allow hal_memtrack_default sysfs_kgsl:lnk_file read;

sepolicy/vendor/hal_nfc_default.te

@@ -0,0 +1,5 @@
+#allow hal_nfc_default default_android_hwservice:hwservice_manager { add find };
+add_hwservice(hal_nfc_default, hal_nfc_hwservice);
+add_hwservice(hal_nfc_default, hal_secure_element_hwservice);
+allow hal_nfc_default nfc_vendor_data_file:dir { add_name create search write };
+allow hal_nfc_default nfc_vendor_data_file:file create;

sepolicy/vendor/hal_sensors_default.te

@@ -1,7 +1,7 @@
 binder_call(hal_sensors_default, hwservicemanager)
 # binder_call(hal_sensors_default, servicemanager)
 
-#binder_call(hal_sensors_default, mm-qcamerad)
+binder_call(hal_sensors_default, mm-qcamerad)
 binder_call(hal_sensors_default, system_server)
 
 binder_call(hal_sensors_default, system_app)
@@ -16,4 +16,4 @@ allow hal_sensors_default proc_net:file { getattr open read };
 allow hal_sensors_default sysfs_capsense:dir search;
 allow hal_sensors_default sysfs_capsense:file { open write };
 
-
+allow hal_sensors_default sysfs:dir { open read };

sepolicy/vendor/hal_sensorscalibrate_qti_default.te

@@ -0,0 +1 @@
+allow hal_sensorscalibrate_qti_default sysfs:file read;

sepolicy/vendor/hal_wifi_default.te

@@ -0,0 +1 @@
+allow hal_wifi_default unlabeled:dir search;

sepolicy/vendor/healthd.te

@@ -0,0 +1 @@
+allow healthd sysfs:file { open getattr read };

sepolicy/vendor/hwservice_contexts

@@ -0,0 +1,5 @@
+vendor.nxp.nxpese::INxpEse                                       u:object_r:hal_secure_element_hwservice:s0
+vendor.nxp.nxpnfc::INxpNfc                                       u:object_r:hal_nfc_hwservice:s0
+
+motorola.hardware.camera.provider::ICameraProvider               u:object_r:hal_camera_hwservice:s0
+motorola.hardware.mods_camera.provider::ICameraProvider          u:object_r:hal_camera_hwservice:s0

sepolicy/vendor/ims.te

@@ -1,4 +1,6 @@
-#allow ims debug_prop:property_service set;
+allow ims debug_prop:property_service set;
-#get_prop(ims, debug_prop);
+get_prop(ims, debug_prop);
-#allow ims self:capability net_raw;
+set_prop(ims, debug_prop)
-#allow ims diag_device:chr_file { read write };
+allow ims self:capability net_raw;
+allow ims diag_device:chr_file { read write };
+allow ims sysfs:file read;

sepolicy/vendor/init.te

@@ -2,9 +2,11 @@
 #binder_call(init, hwservicemanager);
 # binder_call(init, servicemanager);
 
-#allow init hwservicemanager:binder call;
+add_hwservice( init, hal_camera_hwservice);
-#allow init mm-qcamerad:binder transfer;
+
-#allow init platform_app:binder transfer;
+allow init hwservicemanager:binder call;
+allow init mm-qcamerad:binder transfer;
+allow init platform_app:binder transfer;
 
 allow init system_app:binder transfer;
 allow init system_data_file:file lock;
@@ -12,7 +14,7 @@ allow init system_data_file:file lock;
 allow init audio_device:chr_file { write ioctl };
 allow init input_device:chr_file rw_file_perms;
 allow init sensors_device:chr_file { write ioctl };
-#allow init tee_device:chr_file { write ioctl };
+allow init tee_device:chr_file { write ioctl };
 
 allow init servicemanager:binder { transfer call };
 allow init system_server:binder { transfer call };
@@ -20,10 +22,10 @@ allow init system_server:binder { transfer call };
 allow init property_socket:sock_file write;
 allow init socket_device:sock_file { create setattr unlink };
 
-#allow init system_data_file:file { rename append };
+allow init system_data_file:file { rename append };
-#allow init firmware_file:dir mounton;
+allow init firmware_file:dir mounton;
 
-#allow init fm_radio_device:chr_file write;
+allow init fm_radio_device:chr_file write;
 
 # ptt_socket_app
 allow init dnsproxyd_socket:sock_file write;
@@ -31,12 +33,12 @@ allow init netd:unix_stream_socket connectto;
 allow init self:netlink_socket { read write getattr connect };
 
 allow init debugfs:file write;
-#allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
+allow init persist_file:filesystem { getattr mount relabelfrom relabelto unmount };
 
 allow init self:capability sys_nice;
 
-#allow init bt_firmware_file:filesystem { associate };
+allow init bt_firmware_file:filesystem { associate };
-#allow init firmware_file:filesystem { associate };
+allow init firmware_file:filesystem { associate };
 
 allow init sensors_device:chr_file { rw_file_perms create };
 
@@ -44,10 +46,21 @@ allow init self:netlink_route_socket { bind create getopt nlmsg_read read setopt
 
 allow init self:capability2 { block_suspend };
 
-#allow init hal_sensors_hwservice:hwservice_manager find;
+allow init hal_sensors_hwservice:hwservice_manager find;
-
+allow init { domain -lmkd -crash_dump }:process noatsecure;
-#allow init { domain -lmkd -crash_dump }:process noatsecure;
+allow init hal_perf_hwservice:hwservice_manager find;
-
-#allow init hal_perf_hwservice:hwservice_manager find;
 allow init hidl_base_hwservice:hwservice_manager add;
+allow init hidl_allocator_hwservice:hwservice_manager { find };
+allow init hal_graphics_mapper_hwservice:hwservice_manager { find };
+allow init hal_bluetooth_hwservice:hwservice_manager { find };
+allow init hidl_base_hwservice:hwservice_manager { add };
+allow init hal_gnss_hwservice:hwservice_manager { find };
+allow init system_net_netd_hwservice:hwservice_manager { find };
+allow init default_android_hwservice:hwservice_manager { add find };
+allow init hal_camera_hwservice:hwservice_manager add;
+allow init hal_fingerprint_hwservice:hwservice_manager add;
 
+allow init sysfs:file setattr;
+allow init system_file:dir relabelfrom;
+allow init shell_exec:file execute_no_trans;
+allow init system_file:file relabelfrom;

sepolicy/vendor/installd.te

@@ -1,4 +1,6 @@
-#allow installd firmware_file:filesystem quotaget;
+allow installd firmware_file:filesystem quotaget;
-#allow installd fsg_file:filesystem quotaget;
+allow installd fsg_file:filesystem quotaget;
-#allow installd persist_file:filesystem quotaget;
+allow installd persist_file:filesystem quotaget;
-
+allow installd adb_data_file:dir search;
+allow installd adb_data_file:file { getattr open read };
+allow installd device:file write;

sepolicy/vendor/isdbt_app.te

@@ -0,0 +1,9 @@
+type isdbt_app, domain, mlstrustedsubject;
+
+app_domain(isdbt_app)
+binder_use(isdbt_app)
+
+allow isdbt_app isdbt_device:chr_file rw_file_perms;
+allow isdbt_app media_rw_data_file:dir { rw_dir_perms create getattr rmdir search };
+allow isdbt_app { accessibility_service activity_service appops_service connectivity_service content_service display_service graphicsstats_service input_method_service input_service location_service mount_service network_management_service radio_service registry_service surfaceflinger_service textservices_service uimode_service vibrator_service wifi_service audio_service audioserver_service media_router_service notification_service autofill_service mediametrics_service mediaserver_service media_session_service mediametrics_service batterystats_service power_service user_service }:service_manager find;
+allow isdbt_app telecom_service:service_manager find;

sepolicy/vendor/kernel.te

@@ -1,3 +1,4 @@
 allow kernel hw_block_device:blk_file rw_file_perms;
 allow kernel vfat:file open;
 allow kernel self:socket create;
+allow kernel unlabeled:file { open read };

sepolicy/vendor/location.te

@@ -0,0 +1,2 @@
+allow location wcnss_prop:file { getattr open read };
+allow location sysfs:file read;

sepolicy/vendor/logd.te

@@ -0,0 +1 @@
+allow logd unlabeled:dir search;

sepolicy/vendor/logpersist.te

@@ -0,0 +1,3 @@
+allow logpersist self:capability { dac_override dac_read_search };
+allow logpersist cache_file:dir { add_name open read search write };
+allow logpersist cache_file:file { append create getattr open };

sepolicy/vendor/mediacodec.te

@@ -1 +1,3 @@
-#allow mediacodec firmware_file:file { open read };
+allow mediacodec firmware_file:file { open read };
+allow mediacodec unlabeled:dir search;
+allow mediacodec unlabeled:file { open read };

sepolicy/vendor/mediadrmserver.te

@@ -1,2 +1,2 @@
-#allow mediadrmserver firmware_file:dir search;
+allow mediadrmserver firmware_file:dir search;
-#allow mediadrmserver firmware_file:file r_file_perms;
+allow mediadrmserver firmware_file:file r_file_perms;

sepolicy/vendor/mm-qcamerad.te

@@ -1,27 +1,38 @@
-#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
+type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket1";
-#type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
+type_transition mm-qcamerad camera_data_file:sock_file camera_socket "cam_socket2";
+allow mm-qcamerad camera_socket:sock_file { create unlink write };
+allow mm-qcamerad sysfs_graphics:file r_file_perms;
 
 # binder_call(mm-qcamerad, servicemanager);
 # binder_use(mm-qcamerad);
 # binder_call(mm-qcamerad, binderservicedomain);
 # binder_call(mm-qcamerad, appdomain);
 # binder_call(mm-qcamerad, hal_sensors_default);
-#set_prop(mm-qcamerad, camera_prop);
+set_prop(mm-qcamerad, camera_prop);
 
-#allow servicemanager mm-qcamerad:dir { search };
+allow servicemanager mm-qcamerad:dir { search };
-#allow servicemanager mm-qcamerad:file { read open };
+allow servicemanager mm-qcamerad:file { read open };
-#allow servicemanager mm-qcamerad:process { getattr };
+allow servicemanager mm-qcamerad:process { getattr };
 
 # allow mm-qcamerad camera_data_file:sock_file { create unlink write };
 # allow mm-qcamerad system_server:unix_stream_socket rw_socket_perms;
 #allow mm-qcamerad sensorservice_service:service_manager find;
-#allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
+allow mm-qcamerad vendor_camera_data_file:file rw_file_perms;
 # allow mm-qcamerad permission_service:service_manager find;
-#allow mm-qcamerad debug_prop:property_service set;
+allow mm-qcamerad debug_prop:property_service set;
 
-#allow mm-qcamerad init:unix_stream_socket { read write };
+allow mm-qcamerad init:unix_stream_socket { read write };
 
-#allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
+allow mm-qcamerad hal_sensors_default:unix_stream_socket { read write };
 
-#allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
+allow mm-qcamerad hal_configstore_ISurfaceFlingerConfigs:hwservice_manager find;
-#allow mm-qcamerad hal_configstore_default:binder call;
+allow mm-qcamerad hal_configstore_default:binder call;
+
+allow mm-qcamerad binder_device:chr_file { ioctl open read write };
+allow mm-qcamerad camera_data_file:dir search;
+allow mm-qcamerad sysfs:file { open read };
+allow mm-qcamerad vendor_data_file:dir read;
+allow mm-qcamerad unlabeled:dir search;
+allow mm-qcamerad unlabeled:file { open read };
+allow mm-qcamerad default_prop:property_service set;
+allow mm-qcamerad mnt_vendor_file:file { getattr open read };

sepolicy/vendor/mmi_boot.te

@@ -11,6 +11,6 @@ allow mmi_boot vendor_shell_exec:file rx_file_perms;
 allow mmi_boot vendor_toolbox_exec:file rx_file_perms;
 allow mmi_boot vendor_shell_exec:file entrypoint;
 
-#allow mmi_boot sysfs_socinfo:file write;
+allow mmi_boot sysfs_socinfo:file write;
 
 set_prop(mmi_boot, hw_rev_prop);

sepolicy/vendor/netd.te

@@ -1,2 +1,3 @@
+#============= netd ==============
+allow netd device:file write;
 allow netd untrusted_app_25:unix_stream_socket { read write };
-

sepolicy/vendor/netmgrd.te

@@ -1,5 +1,6 @@
-#allow netmgrd toolbox_exec:file { getattr read open };
+allow netmgrd toolbox_exec:file { getattr read open };
-
+allow netmgrd init:unix_stream_socket connectto;
-#allow netmgrd init:unix_stream_socket connectto;
+allow netmgrd property_socket:sock_file write;
-#allow netmgrd property_socket:sock_file write;
+allow netmgrd system_file:file { execute lock };
-#allow netmgrd system_file:file lock;
+allow netmgrd default_prop:property_service set;
+allow netmgrd sysfs:file read;

sepolicy/vendor/nfc.te

@@ -0,0 +1,2 @@
+allow nfc nfc_vendor_data_file:dir { add_name read search write };
+allow nfc nfc_vendor_data_file:file { create open read write };

sepolicy/vendor/per_mgr.te

@@ -1 +1 @@
-#allow vendor_per_mgr self:capability net_raw;
+allow vendor_per_mgr self:capability net_raw;

sepolicy/vendor/perfd.te

@@ -16,13 +16,13 @@ r_dir_file(perfd, sysfs_type)
 # they are created with the default label "sysfs". For robustness,
 # allow perfd to write to "sysfs" to ensure it can optimally
 # tune the power/cpu settings.
-#allow perfd sysfs:file write;
+allow perfd sysfs:file write;
-#allow perfd sysfs_msm_perf:file write;
+allow perfd sysfs_msm_perf:file write;
-#allow perfd sysfs_ssr:file write;
+allow perfd sysfs_ssr:file write;
 allow perfd sysfs_devices_system_cpu:file write;
-#allow perfd sysfs_power_management:file write;
+allow perfd sysfs_power_management:file write;
-#allow perfd sysfs_devfreq:file write;
+allow perfd sysfs_devfreq:file write;
-#allow perfd sysfs_lib:file write;
+allow perfd sysfs_lib:file write;
 
 allow perfd proc_kernel_sched:file w_file_perms;
 allow perfd gpu_device:chr_file rw_file_perms;
@@ -35,4 +35,4 @@ dontaudit perfd self:capability kill;
 allow perfd surfaceflinger:process signull;
 allow perfd hal_graphics_composer_default:process signull;
 
-#get_prop(perfd, freq_prop);
+get_prop(perfd, freq_prop);

sepolicy/vendor/persist_file.te

@@ -1 +1 @@
-#allow persist_file self:filesystem associate;
+allow persist_file self:filesystem associate;

sepolicy/vendor/platform_app.te

@@ -1,7 +1,7 @@
-#get_prop(platform_app, camera_prop);
 binder_call(platform_app, hal_sensors_default);
 
 allow platform_app rootfs:dir getattr;
 
 allow platform_app init:unix_stream_socket { read write };
 allow platform_app hal_sensors_default:unix_stream_socket { read write };
+allow platform_app vendor_file:file getattr;

sepolicy/vendor/priv_app.te

@@ -1,6 +1,9 @@
+allow priv_app adb_data_file:dir search;
 allow priv_app device:dir r_dir_perms;
-#allow priv_app persist_file:filesystem getattr;
+allow priv_app persist_file:filesystem getattr;
-#allow priv_app proc_interrupts:file { open read getattr };
+allow priv_app proc_interrupts:file { open read getattr };
 allow priv_app proc_modules:file { open read getattr };
 get_prop(priv_app, adspd_prop);
 allow priv_app sysfs:dir open;
+allow priv_app mnt_vendor_file:dir search;
+allow priv_app sysfs:file { getattr open read };

sepolicy/vendor/property.te

@@ -5,7 +5,5 @@ type touch_prop, property_type;
 type diag_prop, property_type;
 type thermal_prop, property_type;
 type qti_telephony_prop, property_type;
-type dirac_prop, property_type;
+type tee_listener_prop, property_type;
-# Spectrum
+type wcnss_prop, property_type;
-type spectrum_prop, property_type;
-

sepolicy/vendor/property_contexts

@@ -3,7 +3,4 @@ hw.aov.hotword_dsp_path            u:object_r:adspd_prop:s0
 hw.motosh.booted                   u:object_r:motosh_prop:s0
 ro.boot.hardware.revision          u:object_r:hw_rev_prop:s0
 hw.touch.status                    u:object_r:touch_prop:s0
-persist.audio.dirac.               u:object_r:dirac_prop:s0
+sys.listeners.registered           u:object_r:tee_listener_prop:s0
-# Spectrum
-persist.spectrum.profile           u:object_r:spectrum_prop:s0
-

sepolicy/vendor/qseeproxy.te

@@ -1,3 +1,7 @@
 # binder_call(qseeproxy, servicemanager);
-#allow qseeproxy self:process getattr;
+allow qseeproxy self:process getattr;
+allow qseeproxy default_android_service:service_manager { add };
 # allow qseeproxy qseeproxy_service_old:service_manager { add find };
+add_service(qseeproxy, qseeproxy_service);
+allow qseeproxy binder_device:chr_file { ioctl open read write };
+allow qseeproxy servicemanager:binder { call transfer };

sepolicy/vendor/qtelephony.te

@@ -1 +1 @@
-#allow qtelephony radio_service:service_manager find;
+allow qtelephony radio_service:service_manager find;

sepolicy/vendor/qti.te

@@ -1,2 +1,3 @@
-#get_prop(qti, diag_prop)
+get_prop(qti, diag_prop)
-#allow qti diag_device:chr_file { read write };
+allow qti diag_device:chr_file { read write };
+allow qti sysfs:file read;

sepolicy/vendor/qti_init_shell.te

@@ -1,7 +1,9 @@
-#set_prop(qti_init_shell, hw_rev_prop);
+set_prop(qti_init_shell, hw_rev_prop);
-#allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
+allow qti_init_shell hci_attach_dev:chr_file { read write open ioctl };
 
-#allow qti_init_shell kmsg_device:chr_file write;
+allow qti_init_shell kmsg_device:chr_file write;
-#allow qti_init_shell sysfs_wcnsscore:file write;
+allow qti_init_shell sysfs_wcnsscore:file write;
 
-#allow qti_init_shell kmsg_device:chr_file open;
+allow qti_init_shell kmsg_device:chr_file open;
+allow qti_init_shell self:capability dac_override;
+allow qti_init_shell vendor_file:system module_load;

sepolicy/vendor/radio.te

@@ -1,3 +1,4 @@
 allow radio system_app_data_file:dir getattr;
-#allow radio qmuxd_socket:sock_file write;
+allow radio qmuxd_socket:sock_file write;
-#allow radio vendor_file:file { getattr open read };
+
+allow radio vendor_file:file { execute getattr open read };

sepolicy/vendor/rfs_access.te

@@ -1,4 +1,4 @@
-#allow rfs_access self:capability net_raw;
+allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
-#allow rfs_access persist_file:file { getattr open read rename setattr unlink write };
+allow rfs_access vendor_tombstone_data_file:dir search;
-#allow rfs_access vendor_tombstone_data_file:dir search;
+allow rfs_access self:capability { dac_override dac_read_search net_raw };
-
+allow rfs_access unlabeled:file { getattr setattr };

sepolicy/vendor/rfs_file.te

@@ -1 +1 @@
-#allow rfs_file persist_file:filesystem associate;
+allow rfs_file persist_file:filesystem associate;

sepolicy/vendor/rild.te

@@ -1,10 +1,26 @@
 binder_call(rild, audioserver_service);
 binder_call(rild, system_server);
 set_prop(rild, diag_prop);
+set_prop(rild, system_radio_prop)
 allow rild fsg_file:file { getattr open read };
 allow rild fsg_file:dir { search open read };
 allow rild fsg_file:lnk_file read;
 
 allow rild rild_exec:file execute_no_trans;
-
 allow rild fwk_sensor_hwservice:hwservice_manager find;
+
+allow rild cutback_data_file:sock_file { create setattr unlink write };
+allow rild cutback_data_file:dir { add_name open read remove_name search write };
+allow rild unlabeled:dir { getattr search };
+allow rild vendor_file:file execute_no_trans;
+allow rild proc:file { open read };
+allow rild unlabeled:file { getattr open read };
+allow rild unlabeled:dir { getattr open read };
+allow rild mnt_vendor_file:dir search;
+allow rild vendor_toolbox_exec:file execute_no_trans;
+allow rild mnt_vendor_file:file { open read write };
+allow rild unlabeled:lnk_file read;
+allow rild qcom_ims_prop:property_service { set };
+
+dontaudit rild tombstone_data_file:dir { search };
+dontaudit rild vendor_file:file { ioctl };

sepolicy/vendor/rmt_storage.te

@@ -1,24 +1,15 @@
-#allow rmt_storage {
+allow rmt_storage sysfs_rmt_storage:file rw_file_perms;
-#    modem_efs_partition_device
+allow rmt_storage sysfs_rmt_storage:dir { search open };
-#}:blk_file rw_file_perms;
+allow rmt_storage sysfs_uio:file r_file_perms;
+allow rmt_storage sysfs_uio:dir { read open search };
+allow rmt_storage sysfs_uio:lnk_file { read };
+allow rmt_storage debugfs_rmt_storage:dir search;
+allow rmt_storage debugfs_rmt_storage:file w_file_perms;
 
-#r_dir_file(rmt_storage fsg_file)
+allow rmt_storage fsg_file:file { open read };
-#r_dir_file(rmt_storage, persist_file)
+allow rmt_storage fsg_file:dir search;
+allow rmt_storage fsg_file:lnk_file read;
 
-#allow rmt_storage sysfs_rmt_storage:file rw_file_perms;
+allow rmt_storage self:capability dac_override;
-#allow rmt_storage sysfs_rmt_storage:dir { search open };
+allow rmt_storage unlabeled:dir search;
-#allow rmt_storage sysfs_uio:file r_file_perms;
+allow rmt_storage unlabeled:file { open read };
-#allow rmt_storage sysfs_uio:dir { read open search };
-#allow rmt_storage sysfs_uio:lnk_file { read };
-
-#allow rmt_storage debugfs_rmt_storage:dir r_dir_perms;
-#allow rmt_storage debugfs_rmt_storage:file rw_file_perms;
-
-#allow rmt_storage fsg_file:file { open read };
-#allow rmt_storage fsg_file:dir search;
-#allow rmt_storage fsg_file:lnk_file read;
-
-#allow rmt_storage persist_file:dir r_dir_perms;
-
-#allow rmt_storage vendor_radio_prop:file { getattr open read };
-#allow rmt_storage vendor_file:dir search;

sepolicy/vendor/seapp_contexts

@@ -0,0 +1,2 @@
+user=_app seinfo=platform name=com.motorola.dtv domain=isdbt_app type=app_data_file levelFrom=user
+user=_app seinfo=platform name=com.motorola.dtvservice domain=isdbt_app type=app_data_file levelFrom=user

sepolicy/vendor/sensors.te

@@ -0,0 +1 @@
+allow sensors sysfs:file { read };

sepolicy/vendor/service_contexts

@@ -1,4 +1,4 @@
-com.qualcomm.qti.qseeproxy                     u:object_r:qseeproxy_service_old:s0
+com.qualcomm.qti.qseeproxy                                       u:object_r:qseeproxy_service:s0
-vendor.qcom.PeripheralManager                  u:object_r:per_mgr_service_old:s0
+vendor.qcom.PeripheralManager                                    u:object_r:per_mgr_service_old:s0
-media.camera_bgproc                            u:object_r:camera_bgproc_service:s0
+media.camera_bgproc                                              u:object_r:camera_bgproc_service:s0
-
+com.fingerprints.extension::IFingerprintSensorTest               u:object_r:hal_fingerprint_hwservice:s0

sepolicy/vendor/servicemanager.te

@@ -1,45 +1,45 @@
 allow servicemanager init:dir search;
 allow servicemanager init:file { open read };
 allow servicemanager init:process getattr;
-#allow servicemanager qseeproxy:dir search;
+allow servicemanager qseeproxy:dir search;
-#allow servicemanager qseeproxy:file { open read };
+allow servicemanager qseeproxy:file { open read };
 allow servicemanager rild:dir search;
 allow servicemanager rild:file { open read };
 allow servicemanager rild:process getattr;
 
 allow servicemanager hal_fingerprint_default:dir search;
 allow servicemanager hal_fingerprint_default:file read;
-#allow servicemanager qseeproxy:process getattr;
+allow servicemanager qseeproxy:process getattr;
 
 
 allow servicemanager hal_camera_default:dir search;
-allow servicemanager hal_camera_default:file { open read };
+allow servicemanager hal_camera_default:file { open read r_file_perms };
 allow servicemanager hal_camera_default:process getattr;
 
 allow servicemanager hal_fingerprint_default:file open;
 allow servicemanager hal_fingerprint_default:process getattr;
 
-#allow servicemanager wcnss_service:dir search;
+allow servicemanager wcnss_service:dir search;
-#allow servicemanager wcnss_service:file { open read };
+allow servicemanager wcnss_service:file { open read };
 
-#allow servicemanager esepmdaemon:dir search;
+allow servicemanager esepmdaemon:dir search;
-#allow servicemanager esepmdaemon:file { open read };
+allow servicemanager esepmdaemon:file { open read };
-#allow servicemanager esepmdaemon:process getattr;
+allow servicemanager esepmdaemon:process getattr;
 
-#allow servicemanager vendor_per_mgr:dir search;
+allow servicemanager vendor_per_mgr:dir search;
-#allow servicemanager vendor_per_mgr:file { open read };
+allow servicemanager vendor_per_mgr:file { open read };
-#allow servicemanager vendor_per_mgr:process getattr;
+allow servicemanager vendor_per_mgr:process getattr;
-#allow servicemanager wcnss_service:process getattr;
+allow servicemanager wcnss_service:process getattr;
 
-#allow servicemanager hal_gnss_qti:dir search;
+allow servicemanager hal_gnss_qti:dir search;
-#allow servicemanager hal_gnss_qti:file { open read };
+allow servicemanager hal_gnss_qti:file { open read };
-#allow servicemanager hal_gnss_qti:process getattr;
+allow servicemanager hal_gnss_qti:process getattr;
 
 allow servicemanager hal_sensors_default:dir search;
 allow servicemanager hal_sensors_default:file { open read };
 allow servicemanager hal_sensors_default:process getattr;
 
-#allow servicemanager sensors:dir search;
+allow servicemanager sensors:dir search;
-#allow servicemanager sensors:file { open read };
+allow servicemanager sensors:file { open read };
-#allow servicemanager sensors:process getattr;
+allow servicemanager sensors:process getattr;
 

sepolicy/vendor/surfaceflinger.te

@@ -1,6 +1,8 @@
 get_prop(surfaceflinger, diag_prop);
-#allow surfaceflinger perfd_data_file:sock_file write;
+allow surfaceflinger perfd_data_file:sock_file write;
-#allow surfaceflinger diag_device:chr_file { read write };
+allow surfaceflinger diag_device:chr_file { read write };
+allow surfaceflinger hal_perf_hwservice:hwservice_manager find;
+allow surfaceflinger hal_perf_default:binder { call };
 
 binder_call(surfaceflinger, hwservicemanager)
 

sepolicy/vendor/system_app.te

@@ -1,23 +1,22 @@
 allow system_app proc_touchpanel:dir search;
 allow system_app sysfs_vibrator:file rw_file_perms;
-#allow system_app sysfs_vibrator:dir search;
+allow system_app sysfs_vibrator:dir search;
-#allow system_app sysfs_graphics:file rw_file_perms;
+allow system_app sysfs_graphics:file rw_file_perms;
-#allow system_app sysfs_graphics:dir search;
+allow system_app sysfs_graphics:dir search;
 allow system_app proc_touchpanel:file rw_file_perms;
 allow system_app sysfs_fpc:file rw_file_perms;
 allow system_app fuse_device:filesystem getattr;
-allow system_app spectrum_prop:property_service set;
 
 allow system_app init:unix_stream_socket { read write };
 allow system_app sysfs_homebutton:file write;
+allow system_app sysfs_screen_off_gestures:file write;
+allow system_app sysfs_fpc_proximity:file { rw_file_perms }; 
 
 get_prop(system_app, diag_prop);
-#binder_call(system_app, qtitetherservice_service);
+binder_call(system_app, qtitetherservice_service);
 binder_call(system_app, wificond);
 
-get_prop(system_app, spectrum_prop);
-
 allow system_app hidl_base_hwservice:hwservice_manager add;
 allow system_app sysfs_homebutton:dir search;
 allow system_app sysfs_homebutton:file { getattr open };
-
+allow system_app hal_atfwd_hwservice:hwservice_manager add;

sepolicy/vendor/system_server.te

@@ -7,12 +7,18 @@ allow system_server sysfs_capsense:dir search;
 allow system_server sysfs_capsense:file rw_file_perms;
 allow system_server init:unix_stream_socket { read };
 
-#allow system_server qti_debugfs:file { getattr open read };
+allow system_server qti_debugfs:file { getattr open read };
 allow system_server init:unix_stream_socket write;
 
 allow system_server sensors_device:chr_file { ioctl open read };
 
-#allow system_server vendor_file:file { getattr read };
+allow system_server vendor_file:file { execute getattr read };
-
 allow system_server sysfs:file getattr;
 allow system_server thermal_service:service_manager find;
+allow system_server adb_data_file:dir { getattr open read search };
+allow system_server sysfs:file{ open read };
+allow system_server vendor_file:file open;
+allow system_server adb_data_file:file { getattr open read };
+allow system_server dalvikcache_data_file:file { execute write };
+
+allow system_server persist_camera_prop:file read;

sepolicy/vendor/tee.te

@@ -1 +1,8 @@
-#allow tee persist_file:file r_file_perms;
+allow tee persist_file:file r_file_perms;
+
+set_prop(tee, tee_listener_prop)
+
+allow tee persist_file:dir r_dir_perms;
+allow tee fingerprintd_data_file:dir create_dir_perms;
+allow tee fingerprintd_data_file:file create_file_perms;
+allow tee system_data_file:dir { r_dir_perms read };

sepolicy/vendor/thermal-engine.te

@@ -1,8 +1,13 @@
-#get_prop(thermal-engine, diag_prop)
+get_prop(thermal-engine, diag_prop)
-#allow thermal-engine socket_device:sock_file { create setattr };
+allow thermal-engine socket_device:sock_file { create setattr };
-#allow thermal-engine sysfs_rmt_storage:dir search;
+allow thermal-engine sysfs_rmt_storage:dir search;
-#allow thermal-engine sysfs_rmt_storage:file r_file_perms;
+allow thermal-engine sysfs_rmt_storage:file r_file_perms;
-#allow thermal-engine sysfs_uio:file r_file_perms;
+allow thermal-engine sysfs_uio:file r_file_perms;
-#allow thermal-engine sysfs_uio:dir { read open search };
+allow thermal-engine sysfs_uio:dir { read open search };
-#allow thermal-engine sysfs_uio:lnk_file { read };
+allow thermal-engine sysfs_uio:lnk_file { read };
-#allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
+allow thermal-engine sysfs_vadc_dev:lnk_file { read open };
+
+allow thermal-engine self:capability { dac_override dac_read_search };
+allow thermal-engine sysfs_vadc_dev:dir search;
+allow thermal-engine sysfs:file { read write getattr };
+allow thermal-engine sysfs:dir read;

sepolicy/vendor/time_daemon.te

@@ -1,3 +1,7 @@
-#get_prop(time_daemon, diag_prop);
+get_prop(time_daemon, diag_prop);
 
-#allow time_daemon persist_file:file { open read write };
+allow time_daemon persist_file:file { open read write };
+
+allow time_daemon sysfs:file { open read };
+
+allow time_daemon time_daemon:capability { dac_override dac_read_search };

sepolicy/vendor/toolbox.te

@@ -4,4 +4,4 @@ set_prop(toolbox, touch_prop);
 allow toolbox init:fifo_file { write getattr read ioctl };
 
 allow toolbox radio_data_file:file rw_file_perms;
-#allow toolbox firmware_file:file getattr;
+allow toolbox firmware_file:file getattr;

sepolicy/vendor/ueventd.te

@@ -2,4 +2,6 @@ allow ueventd sysfs_mmi_fp:file w_file_perms;
 
 allow ueventd synaptics_rmi_device:chr_file { rw_file_perms relabelfrom relabelto};
 allow ueventd sysfs_fpc:file rw_file_perms;
-#allow ueventd sysfs_sensors:file rw_file_perms;
+allow ueventd sysfs_sensors:file rw_file_perms;
+allow ueventd unlabeled:dir search;
+allow ueventd unlabeled:file { getattr open read };

sepolicy/vendor/untrusted_app.te

@@ -1,7 +1,19 @@
 #get_prop(untrusted_app, camera_prop);
 #get_prop(untrusted_app_25, camera_prop);
-allow untrusted_app sysfs_zram:dir { search read };
+#allow untrusted_app sysfs_zram:dir { search read };
-allow untrusted_app sysfs_zram:file { open read getattr };
+#allow untrusted_app sysfs_zram:file { open read getattr };
 
 #allow untrusted_app firmware_file:dir read;
 #allow untrusted_app fsg_file:dir read;
+
+allow untrusted_app proc_zoneinfo:file { getattr open read };
+allow untrusted_app proc_qtaguid_stat:file { getattr open read };
+allow untrusted_app hal_memtrack_hwservice:hwservice_manager find;
+allow untrusted_app bluetooth_prop:file read;
+allow untrusted_app debugfs_trace_marker:file getattr;
+allow untrusted_app proc:file read;
+allow untrusted_app proc_version:file read;
+allow untrusted_app serialno_prop:file read;
+allow untrusted_app sysfs_net:dir search;
+allow untrusted_app hal_memtrack_default:binder call;
+allow untrusted_app sysfs_switch:dir search;

sepolicy/vendor/vendor_init.te

@@ -0,0 +1,26 @@
+allow vendor_init camera_data_file:dir { create setattr };
+allow vendor_init media_rw_data_file:file { getattr relabelfrom };
+allow vendor_init media_rw_data_file:dir setattr;
+allow vendor_init rootfs:dir { add_name write };
+allow vendor_init system_data_file:dir { add_name create setattr write };
+allow vendor_init time_data_file:dir setattr;
+allow vendor_init adsprpcd_file:lnk_file create;
+allow vendor_init firmware_file:lnk_file create;
+allow vendor_init tombstone_data_file:dir { add_name create search setattr write };
+allow vendor_init cutback_data_file:dir { create setattr };
+allow vendor_init dbvc_data_file:dir { create setattr };
+allow vendor_init moodle_data_file:dir { create setattr };
+allow vendor_init sds_data_file:dir { create setattr };
+allow vendor_init wapi_supplicant_data_file:dir { create setattr };
+allow vendor_init fingerprintd_data_file:dir { create setattr };
+allow vendor_init adspd_data_file:dir setattr;
+allow vendor_init usermodehelper:file write;
+allow vendor_init netmgr_data_file:dir { create setattr };
+allow vendor_init time_data_file:dir create;
+allow vendor_init adspd_data_file:dir create;
+
+allow vendor_init persist_camera_file:dir { setattr search };
+allow vendor_init persist_modem_file:dir setattr;
+allow vendor_init persist_audio_file:dir setattr;
+allow vendor_init pds_public_file:dir { setattr search };
+allow vendor_init unlabeled:file write;

sepolicy/vendor/vendor_per_mgr.te

@@ -0,0 +1,2 @@
+allow vendor_per_mgr unlabeled:dir search;
+allow vendor_per_mgr unlabeled:file { open read };

sepolicy/vendor/vendor_ssr_setup.te

@@ -0,0 +1 @@
+allow vendor_ssr_setup sysfs:file read;

sepolicy/vendor/vold.te

@@ -1,2 +1,4 @@
-#allow vold persist_file:dir { ioctl open read };
+allow vold persist_file:dir { ioctl open read };
 allow vold metadata_block_device:blk_file { rw_file_perms };
+
+get_prop(vold, tee_listener_prop)

sepolicy/vendor/wcnss_filter.te

@@ -1 +1,2 @@
-#get_prop(wcnss_filter, diag_prop);
+type wcnss_filter, domain;
+get_prop(wcnss_filter, diag_prop);

sepolicy/vendor/wcnss_service.te

@@ -1,8 +1,11 @@
 # binder_call(wcnss_service, servicemanager);
-#set_prop(wcnss_service, wifi_prop);
+set_prop(wcnss_service, wifi_prop);
-#get_prop(wcnss_service, diag_prop);
+get_prop(wcnss_service, diag_prop);
 # allow wcnss_service toolbox_exec:file { execute getattr execute_no_trans read open };
 # allow wcnss_service shell_exec:file { execute getattr execute_no_trans read open };
-#allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
+allowxperm wcnss_service self:udp_socket ioctl priv_sock_ioctls;
 
 # allow wcnss_service per_mgr_service_old:service_manager find;
+
+allow wcnss_service unlabeled:dir search;
+allow wcnss_service unlabeled:file { open read };

sepolicy/vendor/webview_zygote.te

@@ -0,0 +1 @@
+allow webview_zygote theme_data_file:dir search;

sepolicy/vendor/zygote.te

@@ -1 +1,2 @@
 allow zygote self:capability sys_nice;
+allow zygote proc_cmdline:file { getattr open read };