From 2f0b5602a6283d93498ccbc3ab6db7987313f300 Mon Sep 17 00:00:00 2001 
From: Michael Bestas
Date: Wed, 3 Dec 2025 04:59:49 +0200
Subject: [PATCH] gs-common: sepolicy: Add some rules to be ignored

This will be used by the sepolicy dump scripts to exclude them from the final output.

Change-Id: Ia6628a7a0fede6205586eaacf4b980a9f78ff27b
---
sepolicy/ignored/product/better_bug_app.te | 25 ++++++++++++++++
sepolicy/ignored/product/debug_camera_app.te | 1 +
sepolicy/ignored/product/gmscore_app.te | 2 ++
sepolicy/ignored/product/google_camera_app.te | 17 +++++++++++
.../ignored/product/google_recorder_app.te | 17 +++++++++++
sepolicy/ignored/product/hal_dumpstate.te | 1 +
sepolicy/ignored/product/incidentd.te | 7 +++++
sepolicy/ignored/product/lpdumpd.te | 2 ++
sepolicy/ignored/product/mediashell_app.te | 29 +++++++++++++++++++
sepolicy/ignored/product/pixelsupport_app.te | 10 +++++++
sepolicy/ignored/product/priv_app.te | 10 +++++++
sepolicy/ignored/product/property.te | 1 +
sepolicy/ignored/product/property_contexts | 1 +
sepolicy/ignored/product/seapp_contexts | 10 +++++++
sepolicy/ignored/product/untrusted_app_25.te | 1 +
.../ignored/product/wait_for_keymaster.te | 1 +
.../system_ext/brownout_detection_app.te | 2 ++
.../ignored/system_ext/factory_ota_app.te | 20 +++++++++++++
sepolicy/ignored/system_ext/file.te | 1 +
sepolicy/ignored/system_ext/file_contexts | 1 +
.../ignored/system_ext/flag_flipper_app.te | 7 +++++
sepolicy/ignored/system_ext/gmscore_app.te | 1 +
sepolicy/ignored/system_ext/init.te | 1 +
.../system_ext/pixelsystemservice_app.te | 9 ++++++
sepolicy/ignored/system_ext/platform_app.te | 1 +
sepolicy/ignored/system_ext/priv_app.te | 1 +
sepolicy/ignored/system_ext/property.te | 4 +++
sepolicy/ignored/system_ext/property_contexts | 9 ++++++
sepolicy/ignored/system_ext/seapp_contexts | 8 +++++
sepolicy/ignored/system_ext/systemui_app.te | 28 ++++++++++++++++++
sepolicy/ignored/system_ext/turbo_adapter.te | 16 ++++++++++
sepolicy/ignored/system_ext/update_engine.te | 1 +
sepolicy/ignored/vendor/edgetpu_tachyon.te | 1 +
sepolicy/ignored/vendor/file_contexts | 2 ++
sepolicy/ignored/vendor/gia.te | 1 +
sepolicy/ignored/vendor/google_camera_app.te | 7 +++++
.../ignored/vendor/google_recorder_app.te | 1 +
.../ignored/vendor/hal_wireless_charger.te | 2 ++
sepolicy/ignored/vendor/hal_wlcservice.te | 1 +
sepolicy/ignored/vendor/init.te | 1 +
sepolicy/ignored/vendor/pixelsupport_app.te | 1 +
.../ignored/vendor/pixelsystemservice_app.te | 26 +++++++++++++++++
sepolicy/ignored/vendor/rild.te | 1 +
sepolicy/ignored/vendor/systemui_app.te | 12 ++++++++
sepolicy/ignored/vendor/twoshay.te | 1 +
45 files changed, 302 insertions(+)
create mode 100644 sepolicy/ignored/product/better_bug_app.te
create mode 100644 sepolicy/ignored/product/debug_camera_app.te
create mode 100644 sepolicy/ignored/product/gmscore_app.te
create mode 100644 sepolicy/ignored/product/google_camera_app.te
create mode 100644 sepolicy/ignored/product/google_recorder_app.te
create mode 100644 sepolicy/ignored/product/hal_dumpstate.te
create mode 100644 sepolicy/ignored/product/incidentd.te
create mode 100644 sepolicy/ignored/product/lpdumpd.te
create mode 100644 sepolicy/ignored/product/mediashell_app.te
create mode 100644 sepolicy/ignored/product/pixelsupport_app.te
create mode 100644 sepolicy/ignored/product/priv_app.te
create mode 100644 sepolicy/ignored/product/property.te
create mode 100644 sepolicy/ignored/product/property_contexts
create mode 100644 sepolicy/ignored/product/seapp_contexts
create mode 100644 sepolicy/ignored/product/untrusted_app_25.te
create mode 100644 sepolicy/ignored/product/wait_for_keymaster.te
create mode 100644 sepolicy/ignored/system_ext/brownout_detection_app.te
create mode 100644 sepolicy/ignored/system_ext/factory_ota_app.te
create mode 100644 sepolicy/ignored/system_ext/file.te
create mode 100644 sepolicy/ignored/system_ext/file_contexts
create mode 100644 sepolicy/ignored/system_ext/flag_flipper_app.te
create mode 100644 sepolicy/ignored/system_ext/gmscore_app.te
create mode 100644 sepolicy/ignored/system_ext/init.te
create mode 100644 sepolicy/ignored/system_ext/pixelsystemservice_app.te
create mode 100644 sepolicy/ignored/system_ext/platform_app.te
create mode 100644 sepolicy/ignored/system_ext/priv_app.te
create mode 100644 sepolicy/ignored/system_ext/property.te
create mode 100644 sepolicy/ignored/system_ext/property_contexts
create mode 100644 sepolicy/ignored/system_ext/seapp_contexts
create mode 100644 sepolicy/ignored/system_ext/systemui_app.te
create mode 100644 sepolicy/ignored/system_ext/turbo_adapter.te
create mode 100644 sepolicy/ignored/system_ext/update_engine.te
create mode 100644 sepolicy/ignored/vendor/edgetpu_tachyon.te
create mode 100644 sepolicy/ignored/vendor/file_contexts
create mode 100644 sepolicy/ignored/vendor/gia.te
create mode 100644 sepolicy/ignored/vendor/google_camera_app.te
create mode 100644 sepolicy/ignored/vendor/google_recorder_app.te
create mode 100644 sepolicy/ignored/vendor/hal_wireless_charger.te
create mode 100644 sepolicy/ignored/vendor/hal_wlcservice.te
create mode 100644 sepolicy/ignored/vendor/init.te
create mode 100644 sepolicy/ignored/vendor/pixelsupport_app.te
create mode 100644 sepolicy/ignored/vendor/pixelsystemservice_app.te
create mode 100644 sepolicy/ignored/vendor/rild.te
create mode 100644 sepolicy/ignored/vendor/systemui_app.te
create mode 100644 sepolicy/ignored/vendor/twoshay.te

diff --git a/sepolicy/ignored/product/better_bug_app.te b/sepolicy/ignored/product/better_bug_app.te
new file mode 100644
index 0000000..33ee915
--- /dev/null
+++ b/sepolicy/ignored/product/better_bug_app.te
@@ -0,0 +1,25 @@
+type better_bug_app, coredomain, domain;
+
+app_domain(better_bug_app)
+
+get_prop(better_bug_app, system_boot_reason_prop)
+
+net_domain(better_bug_app)
+
+set_prop(better_bug_app, ctl_start_prop)
+
+allow better_bug_app app_api_service:service_manager find;
+allow better_bug_app mediaserver_service:service_manager find;
+allow better_bug_app perfetto:fd use;
+allow better_bug_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
+allow better_bug_app perfetto_traces_bugreport_data_file:file getattr;
+allow better_bug_app perfetto_traces_data_file:file { getattr read };
+allow better_bug_app privapp_data_file:file execute;
+allow better_bug_app privapp_data_file:lnk_file r_file_perms;
+allow better_bug_app radio_service:service_manager find;
+allow better_bug_app shell_data_file:dir r_dir_perms;
+allow better_bug_app shell_data_file:file r_file_perms;
+allow better_bug_app system_api_service:service_manager find;
+allow better_bug_app trace_data_file:file { getattr read };
+allow better_bug_app wm_trace_data_file:dir r_dir_perms;
+allow better_bug_app wm_trace_data_file:file getattr;
diff --git a/sepolicy/ignored/product/debug_camera_app.te b/sepolicy/ignored/product/debug_camera_app.te
new file mode 100644
index 0000000..512d24d
--- /dev/null
+++ b/sepolicy/ignored/product/debug_camera_app.te
@@ -0,0 +1 @@
+type debug_camera_app, coredomain, domain;
diff --git a/sepolicy/ignored/product/gmscore_app.te b/sepolicy/ignored/product/gmscore_app.te
new file mode 100644
index 0000000..0d1c122
--- /dev/null
+++ b/sepolicy/ignored/product/gmscore_app.te
@@ -0,0 +1,2 @@
+dontaudit gmscore_app adbd_prop:file *;
+dontaudit gmscore_app proc_vendor_sched:file write;
diff --git a/sepolicy/ignored/product/google_camera_app.te b/sepolicy/ignored/product/google_camera_app.te
new file mode 100644
index 0000000..d3188d4
--- /dev/null
+++ b/sepolicy/ignored/product/google_camera_app.te
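Review bot: None of the new files under sepolicy/ignored/ records why its entries are to be dropped from the dump output, and better_bug_app.te is the first of them to carry a whole domain definition (`type better_bug_app, coredomain, domain;` plus `app_domain(better_bug_app)`) rather than a few stray rules. A maintainer reading this later cannot tell whether an entry is excluded because another policy source already supplies it or because it is deliberately unwanted, so entries can go stale unnoticed. A one-line header such as `# Excluded from the dump output: provided by <TODO: name the policy source>` at the top of each file, or a single README in sepolicy/ignored/ describing the convention, would carry that. The same applies to every other file in this patch; the commit message names the dump scripts but not where or how the filter is consumed.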
@@ -0,0 +1,17 @@
+type google_camera_app, coredomain, domain;
+
+app_domain(google_camera_app)
+
+hal_client_domain(google_camera_app, hal_power)
+
+net_domain(google_camera_app)
+
+allow google_camera_app app_api_service:service_manager find;
+allow google_camera_app audioserver_service:service_manager find;
+allow google_camera_app cameraserver_service:service_manager find;
+allow google_camera_app mediaextractor_service:service_manager find;
+allow google_camera_app mediametrics_service:service_manager find;
+allow google_camera_app mediaserver_service:service_manager find;
+allow google_camera_app privapp_data_file:lnk_file r_file_perms;
+
+dontaudit google_camera_app vendor_default_prop:file { getattr map open };
diff --git a/sepolicy/ignored/product/google_recorder_app.te b/sepolicy/ignored/product/google_recorder_app.te
new file mode 100644
index 0000000..d26dd0a
--- /dev/null
+++ b/sepolicy/ignored/product/google_recorder_app.te
@@ -0,0 +1,17 @@
+type google_recorder_app, domain;
+
+app_domain(google_recorder_app)
+
+get_prop(google_recorder_app, graphics_config_writable_prop)
+
+net_domain(google_recorder_app)
+
+allow google_recorder_app app_api_service:service_manager find;
+allow google_recorder_app audioserver_service:service_manager find;
+allow google_recorder_app mediaextractor_service:service_manager find;
+allow google_recorder_app mediametrics_service:service_manager find;
+allow google_recorder_app mediaserver_service:service_manager find;
+allow google_recorder_app privapp_data_file:file execute;
+allow google_recorder_app privapp_data_file:lnk_file r_file_perms;
+
+dontaudit google_recorder_app default_prop:file read;
diff --git a/sepolicy/ignored/product/hal_dumpstate.te b/sepolicy/ignored/product/hal_dumpstate.te
new file mode 100644
index 0000000..e06fc21
--- /dev/null
+++ b/sepolicy/ignored/product/hal_dumpstate.te
@@ -0,0 +1 @@
+dontaudit hal_dumpstate adbd_prop:file *;
diff --git a/sepolicy/ignored/product/incidentd.te b/sepolicy/ignored/product/incidentd.te
new file mode 100644
index 0000000..4d61355
--- /dev/null
+++ b/sepolicy/ignored/product/incidentd.te
@@ -0,0 +1,7 @@
+dontaudit incidentd adbd_config_prop:file getattr;
+dontaudit incidentd adbd_config_prop:file map;
+dontaudit incidentd adbd_config_prop:file open;
+dontaudit incidentd adbd_prop:file getattr;
+dontaudit incidentd adbd_prop:file map;
+dontaudit incidentd adbd_prop:file open;
+dontaudit incidentd apexd_prop:file open;
diff --git a/sepolicy/ignored/product/lpdumpd.te b/sepolicy/ignored/product/lpdumpd.te
new file mode 100644
index 0000000..538ed92
--- /dev/null
+++ b/sepolicy/ignored/product/lpdumpd.te
@@ -0,0 +1,2 @@
+dontaudit lpdumpd block_device:blk_file getattr;
+dontaudit lpdumpd block_device:blk_file read;
diff --git a/sepolicy/ignored/product/mediashell_app.te b/sepolicy/ignored/product/mediashell_app.te
new file mode 100644
index 0000000..717ae9a
--- /dev/null
+++ b/sepolicy/ignored/product/mediashell_app.te
@@ -0,0 +1,29 @@
+type mediashell_app, coredomain, domain;
+
+app_domain(mediashell_app)
+
+bluetooth_domain(mediashell_app)
+
+get_prop(mediashell_app, odm_cast_prop)
+
+net_domain(mediashell_app)
+
+allow mediashell_app app_api_service:service_manager find;
+allow mediashell_app audioserver:fifo_file write;
+allow mediashell_app audioserver_service:service_manager find;
+allow mediashell_app cameraserver_service:service_manager find;
+allow mediashell_app drmserver_service:service_manager find;
+allow mediashell_app mediadrmserver_service:service_manager find;
+allow mediashell_app mediaextractor_service:service_manager find;
+allow mediashell_app mediametrics_service:service_manager find;
+allow mediashell_app mediaserver_service:service_manager find;
+allow mediashell_app network_watchlist_service:service_manager find;
+allow mediashell_app nfc_service:service_manager find;
+allow mediashell_app proc_vendor_sched:dir search;
+allow mediashell_app radio_service:service_manager find;
+allow mediashell_app self:process ptrace;
+allow mediashell_app system_api_service:service_manager find;
+allow mediashell_app system_linker_exec:file execute_no_trans;
+
+dontaudit mediashell_app proc:file read;
+dontaudit mediashell_app wifi_config_prop:file r_file_perms;
diff --git a/sepolicy/ignored/product/pixelsupport_app.te b/sepolicy/ignored/product/pixelsupport_app.te
new file mode 100644
index 0000000..7aaf9f5
--- /dev/null
+++ b/sepolicy/ignored/product/pixelsupport_app.te
@@ -0,0 +1,10 @@
+type pixelsupport_app, coredomain, domain;
+
+app_domain(pixelsupport_app)
+
+bluetooth_domain(pixelsupport_app)
+
+net_domain(pixelsupport_app)
+
+allow pixelsupport_app app_api_service:service_manager find;
+allow pixelsupport_app radio_service:service_manager find;
diff --git a/sepolicy/ignored/product/priv_app.te b/sepolicy/ignored/product/priv_app.te
new file mode 100644
index 0000000..ddf3bda
--- /dev/null
+++ b/sepolicy/ignored/product/priv_app.te
@@ -0,0 +1,10 @@
+dontaudit priv_app aac_drc_prop:file getattr;
+dontaudit priv_app aac_drc_prop:file map;
+dontaudit priv_app aac_drc_prop:file open;
+dontaudit priv_app ab_update_gki_prop:file getattr;
+dontaudit priv_app ab_update_gki_prop:file map;
+dontaudit priv_app ab_update_gki_prop:file open;
+dontaudit priv_app adbd_prop:file getattr;
+dontaudit priv_app adbd_prop:file map;
+dontaudit priv_app adbd_prop:file open;
+dontaudit priv_app proc_vendor_sched:file write;
diff --git a/sepolicy/ignored/product/property.te b/sepolicy/ignored/product/property.te
new file mode 100644
index 0000000..81e46b0
--- /dev/null
+++ b/sepolicy/ignored/product/property.te
@@ -0,0 +1 @@
+system_internal_prop(odm_cast_prop)
diff --git a/sepolicy/ignored/product/property_contexts b/sepolicy/ignored/product/property_contexts
new file mode 100644
index 0000000..42f275f
--- /dev/null
+++ b/sepolicy/ignored/product/property_contexts
@@ -0,0 +1 @@
+ro.odm.cast.ssid_suffix u:object_r:odm_cast_prop:s0
diff --git a/sepolicy/ignored/product/seapp_contexts b/sepolicy/ignored/product/seapp_contexts
new file mode 100644
index 0000000..88690ed
--- /dev/null
+++ b/sepolicy/ignored/product/seapp_contexts
@@ -0,0 +1,10 @@
+user=_app isPrivApp=true name=com.google.android.apps.internal.betterbug domain=better_bug_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true seinfo=GoogleRecorder name=com.google.android.apps.recorder domain=google_recorder_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true seinfo=GoogleRecorder name=com.google.android.apps.recorder:* domain=google_recorder_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true seinfo=google name=com.google.android.GoogleCamera domain=google_camera_app type=app_data_file levelFrom=all
+user=_app isPrivApp=true seinfo=mediashell domain=mediashell_app name=com.google.android.apps.mediashell type=privapp_data_file levelFrom=all
+user=_app isPrivApp=true seinfo=mediashell domain=mediashell_app name=com.google.android.apps.mediashell:* type=privapp_data_file levelFrom=all
+user=_app seinfo=CameraEng name=com.google.android.GoogleCameraEng domain=debug_camera_app type=app_data_file levelFrom=all
+user=_app seinfo=CameraEng name=com.google.android.apps.googlecamera.fishfood domain=debug_camera_app type=app_data_file levelFrom=all
+user=_app seinfo=CameraFishfood name=com.google.android.apps.googlecamera.fishfood domain=google_camera_app type=app_data_file levelFrom=all
+user=_app seinfo=PixelSupport name=com.google.android.apps.pixel.support domain=pixelsupport_app type=app_data_file isPrivApp=true levelFrom=user
diff --git a/sepolicy/ignored/product/untrusted_app_25.te b/sepolicy/ignored/product/untrusted_app_25.te
new file mode 100644
index 0000000..76a0a2c
--- /dev/null
+++ b/sepolicy/ignored/product/untrusted_app_25.te
@@ -0,0 +1 @@
+dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/sepolicy/ignored/product/wait_for_keymaster.te b/sepolicy/ignored/product/wait_for_keymaster.te
new file mode 100644
index 0000000..d93f27f
--- /dev/null
+++ b/sepolicy/ignored/product/wait_for_keymaster.te
@@ -0,0 +1 @@
+dontaudit wait_for_keymaster servicemanager:binder transfer;
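Review bot: Three entries in this product/seapp_contexts list order their keys differently from the rest: the two `seinfo=mediashell` lines put `domain=` before `name=`, and the `com.google.android.apps.pixel.support` line puts `isPrivApp=true` after `type=` instead of directly after `user=_app`. Key order is not significant to the seapp_contexts parser, but if the dump scripts drop an entry by textual comparison (the script is not visible from here), a line that differs only in key order will not match and will leak into the output. Normalising to the order used by the other seven lines, e.g. `user=_app isPrivApp=true seinfo=mediashell name=com.google.android.apps.mediashell domain=mediashell_app type=privapp_data_file levelFrom=all`, removes the doubt either way. The same drift appears in the system_ext/seapp_contexts hunk, where the `com.android.theflippinapp` line carries `seinfo=platform` at the end.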
diff --git a/sepolicy/ignored/system_ext/brownout_detection_app.te b/sepolicy/ignored/system_ext/brownout_detection_app.te
new file mode 100644
index 0000000..93acff5
--- /dev/null
+++ b/sepolicy/ignored/system_ext/brownout_detection_app.te
@@ -0,0 +1,2 @@
+type brownout_detection_app, coredomain, domain;
+
diff --git a/sepolicy/ignored/system_ext/factory_ota_app.te b/sepolicy/ignored/system_ext/factory_ota_app.te
new file mode 100644
index 0000000..42929d9
--- /dev/null
+++ b/sepolicy/ignored/system_ext/factory_ota_app.te
@@ -0,0 +1,20 @@
+type factory_ota_app, coredomain, domain;
+
+app_domain(factory_ota_app)
+
+binder_call(factory_ota_app, update_engine)
+
+get_prop(factory_ota_app, system_boot_reason_prop)
+
+net_domain(factory_ota_app)
+
+set_prop(factory_ota_app, sota_prop)
+
+allow factory_ota_app app_api_service:service_manager find;
+allow factory_ota_app nfc_service:service_manager find;
+allow factory_ota_app ota_package_file:dir rw_dir_perms;
+allow factory_ota_app ota_package_file:file create_file_perms;
+allow factory_ota_app radio_service:service_manager find;
+allow factory_ota_app update_engine_service:service_manager find;
+
+dontaudit factory_ota_app gpuservice:binder call;
diff --git a/sepolicy/ignored/system_ext/file.te b/sepolicy/ignored/system_ext/file.te
new file mode 100644
index 0000000..540ec11
--- /dev/null
+++ b/sepolicy/ignored/system_ext/file.te
@@ -0,0 +1 @@
+type convert-to-ext4-sh_exec, exec_type, file_type, system_file_type;
diff --git a/sepolicy/ignored/system_ext/file_contexts b/sepolicy/ignored/system_ext/file_contexts
new file mode 100644
index 0000000..c38e2c7
--- /dev/null
+++ b/sepolicy/ignored/system_ext/file_contexts
@@ -0,0 +1 @@
+/system_ext/bin/convert_to_ext4\.sh u:object_r:convert-to-ext4-sh_exec:s0
diff --git a/sepolicy/ignored/system_ext/flag_flipper_app.te b/sepolicy/ignored/system_ext/flag_flipper_app.te
new file mode 100644
index 0000000..9cbdf29
--- /dev/null
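Review bot: brownout_detection_app.te ends with an empty added line after its only statement, which is why the diffstat counts it as 2 lines, while the other single-statement files in this patch (debug_camera_app.te, hal_dumpstate.te, file.te, file_contexts here) end directly after the rule. Dropping the trailing blank leaves the file as just `type brownout_detection_app, coredomain, domain;` and keeps the ignore files uniform, which matters if the dump scripts compare them line by line.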
+++ b/sepolicy/ignored/system_ext/flag_flipper_app.te
@@ -0,0 +1,7 @@
+type flag_flipper_app, coredomain, domain;
+
+app_domain(flag_flipper_app)
+
+unix_socket_connect(flag_flipper_app, aconfigd, aconfigd)
+
+allow flag_flipper_app app_api_service:service_manager find;
diff --git a/sepolicy/ignored/system_ext/gmscore_app.te b/sepolicy/ignored/system_ext/gmscore_app.te
new file mode 100644
index 0000000..1068a57
--- /dev/null
+++ b/sepolicy/ignored/system_ext/gmscore_app.te
@@ -0,0 +1 @@
+get_prop(gmscore_app, setupwizard_feature_prop)
diff --git a/sepolicy/ignored/system_ext/init.te b/sepolicy/ignored/system_ext/init.te
new file mode 100644
index 0000000..11191e3
--- /dev/null
+++ b/sepolicy/ignored/system_ext/init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, sota_prop)
diff --git a/sepolicy/ignored/system_ext/pixelsystemservice_app.te b/sepolicy/ignored/system_ext/pixelsystemservice_app.te
new file mode 100644
index 0000000..beac493
--- /dev/null
+++ b/sepolicy/ignored/system_ext/pixelsystemservice_app.te
@@ -0,0 +1,9 @@
+type pixelsystemservice_app, coredomain, domain;
+
+app_domain(pixelsystemservice_app)
+
+set_prop(pixelsystemservice_app, pixelsystemservice_contextualawareness_prop)
+
+allow pixelsystemservice_app app_api_service:service_manager find;
+allow pixelsystemservice_app radio_service:service_manager find;
+allow pixelsystemservice_app statsmanager_service:service_manager find;
diff --git a/sepolicy/ignored/system_ext/platform_app.te b/sepolicy/ignored/system_ext/platform_app.te
new file mode 100644
index 0000000..08032f5
--- /dev/null
+++ b/sepolicy/ignored/system_ext/platform_app.te
@@ -0,0 +1 @@
+set_prop(platform_app, vendor_sysuig_prop)
diff --git a/sepolicy/ignored/system_ext/priv_app.te b/sepolicy/ignored/system_ext/priv_app.te
new file mode 100644
index 0000000..0320b41
--- /dev/null
+++ b/sepolicy/ignored/system_ext/priv_app.te
@@ -0,0 +1 @@
+get_prop(priv_app, setupwizard_feature_prop)
diff --git a/sepolicy/ignored/system_ext/property.te b/sepolicy/ignored/system_ext/property.te
new file mode 100644
index 0000000..7d5ed42
--- /dev/null
+++ b/sepolicy/ignored/system_ext/property.te
@@ -0,0 +1,4 @@
+system_internal_prop(pixelsystemservice_contextualawareness_prop)
+system_internal_prop(vendor_sysuig_prop)
+
+system_public_prop(setupwizard_feature_prop)
diff --git a/sepolicy/ignored/system_ext/property_contexts b/sepolicy/ignored/system_ext/property_contexts
new file mode 100644
index 0000000..eae94da
--- /dev/null
+++ b/sepolicy/ignored/system_ext/property_contexts
@@ -0,0 +1,9 @@
+persist.vendor.factoryota. u:object_r:sota_prop:s0
+persist.vendor.nfc.factoryota. u:object_r:sota_prop:s0
+persist.vendor.pulsar u:object_r:vendor_sysuig_prop:s0
+persist.vendor.radio.bootwithlpm u:object_r:sota_prop:s0
+pixelsystemservice.device.contextualawarenessbool u:object_r:pixelsystemservice_contextualawareness_prop:s0 exact bool
+ro.boot.sota u:object_r:sota_prop:s0
+ro.boot.sota. u:object_r:sota_prop:s0
+setupwizard.feature.provisioning_profile_mode u:object_r:setupwizard_feature_prop:s0
+sota.charge.stop.level u:object_r:sota_prop:s0
diff --git a/sepolicy/ignored/system_ext/seapp_contexts b/sepolicy/ignored/system_ext/seapp_contexts
new file mode 100644
index 0000000..1296696
--- /dev/null
+++ b/sepolicy/ignored/system_ext/seapp_contexts
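Review bot: `sota_prop` is referenced by five entries in this property_contexts hunk and by the `set_prop(...)` rules in factory_ota_app.te and system_ext/init.te, yet neither property.te in the patch lists a declaration for it, whereas the other four property types used here (`odm_cast_prop`, `pixelsystemservice_contextualawareness_prop`, `vendor_sysuig_prop`, `setupwizard_feature_prop`) are each declared in an ignored property.te. If the dump emits a declaration for `sota_prop`, it will not be filtered and will land in the output next to contexts that are; if the declaration lives somewhere that is intentionally kept, a comment such as `# sota_prop is declared in <TODO: location>` beside these entries would spare the next reader the same question. The dump script and the rest of the tree are not visible from here, so treat this as a consistency check rather than a confirmed defect.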
@@ -0,0 +1,8 @@
+user=_app isPrivApp=true name=com.android.theflippinapp domain=flag_flipper_app type=app_data_file levelFrom=all seinfo=platform
+user=_app isPrivApp=true name=com.google.android.brownoutdetection domain=brownout_detection_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.systemui domain=systemui_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.android.systemui:* domain=systemui_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.factoryota domain=factory_ota_app levelFrom=all
+user=_app seinfo=platform name=com.google.android.pixelsystemservice domain=pixelsystemservice_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.pixelsystemservice:ephemeral domain=pixelsystemservice_app type=app_data_file levelFrom=all
+user=_app seinfo=platform name=com.google.android.turboadapter domain=turbo_adapter type=app_data_file levelFrom=all
diff --git a/sepolicy/ignored/system_ext/systemui_app.te b/sepolicy/ignored/system_ext/systemui_app.te
new file mode 100644
index 0000000..58a082b
--- /dev/null
+++ b/sepolicy/ignored/system_ext/systemui_app.te
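Review bot: The `com.google.android.factoryota` entry is the only line in this file without a `type=` field; every other entry here and in product/seapp_contexts spells out `type=app_data_file` or `type=privapp_data_file`. The seapp_contexts lookup presumably falls back to its default data-file type when the field is absent, so the policy meaning is likely unchanged, but as a filter entry the line has to match whatever the dump scripts emit, and an emitted `type=app_data_file` would turn this entry into a silent no-op. Either add `type=app_data_file` so it matches its siblings, or leave a comment stating that the omission mirrors the generated output.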
@@ -0,0 +1,28 @@
+type systemui_app, coredomain, domain;
+
+app_domain(systemui_app)
+
+get_prop(systemui_app, bluetooth_lea_prop)
+get_prop(systemui_app, keyguard_config_prop)
+get_prop(systemui_app, qemu_hw_prop)
+get_prop(systemui_app, radio_cdma_ecm_prop)
+
+set_prop(systemui_app, bootanim_system_prop)
+set_prop(systemui_app, debug_prop)
+set_prop(systemui_app, debug_tracing_desktop_mode_visible_tasks_prop)
+set_prop(systemui_app, vendor_sysuig_prop)
+
+allow systemui_app adb_service:service_manager find;
+allow systemui_app app_api_service:service_manager find;
+allow systemui_app audioserver_service:service_manager find;
+allow systemui_app cameraserver_service:service_manager find;
+allow systemui_app color_display_service:service_manager find;
+allow systemui_app mediaextractor_service:service_manager find;
+allow systemui_app mediametrics_service:service_manager find;
+allow systemui_app mediaserver_service:service_manager find;
+allow systemui_app network_score_service:service_manager find;
+allow systemui_app nfc_service:service_manager find;
+allow systemui_app overlay_service:service_manager find;
+allow systemui_app radio_service:service_manager find;
+allow systemui_app statsmanager_service:service_manager find;
+allow systemui_app vr_manager_service:service_manager find;
diff --git a/sepolicy/ignored/system_ext/turbo_adapter.te b/sepolicy/ignored/system_ext/turbo_adapter.te
new file mode 100644
index 0000000..3e3efee
--- /dev/null
+++ b/sepolicy/ignored/system_ext/turbo_adapter.te
@@ -0,0 +1,16 @@
+type turbo_adapter, coredomain, domain, system_suspend_internal_server;
+
+app_domain(turbo_adapter)
+
+binder_call(turbo_adapter, system_suspend_internal_server)
+
+get_prop(turbo_adapter, suspend_prop)
+
+hal_client_domain(turbo_adapter, hal_power)
+hal_client_domain(turbo_adapter, hal_power_stats)
+
+r_dir_file(turbo_adapter, proc_uid_cputime_showstat)
+
+set_prop(turbo_adapter, debug_prop)
+
+allow turbo_adapter app_api_service:service_manager find;
diff --git a/sepolicy/ignored/system_ext/update_engine.te b/sepolicy/ignored/system_ext/update_engine.te
new file mode 100644
index 0000000..a4adb2b
--- /dev/null
+++ b/sepolicy/ignored/system_ext/update_engine.te
@@ -0,0 +1 @@
+binder_call(update_engine, factory_ota_app)
diff --git a/sepolicy/ignored/vendor/edgetpu_tachyon.te b/sepolicy/ignored/vendor/edgetpu_tachyon.te
new file mode 100644
index 0000000..f64f4b4
--- /dev/null
+++ b/sepolicy/ignored/vendor/edgetpu_tachyon.te
@@ -0,0 +1 @@
+binder_call(edgetpu_tachyon_server, google_camera_app)
diff --git a/sepolicy/ignored/vendor/file_contexts b/sepolicy/ignored/vendor/file_contexts
new file mode 100644
index 0000000..616cbfe
--- /dev/null
+++ b/sepolicy/ignored/vendor/file_contexts
@@ -0,0 +1,2 @@
+/data/vendor/wifi/wlan_logs(/.*)? u:object_r:wifi_logging_data_file:s0
+/vendor/bin/init\.qfp\.sh u:object_r:init_qfp_exec:s0
diff --git a/sepolicy/ignored/vendor/gia.te b/sepolicy/ignored/vendor/gia.te
new file mode 100644
index 0000000..a7d3bfe
--- /dev/null
+++ b/sepolicy/ignored/vendor/gia.te
@@ -0,0 +1 @@
+binder_call(gia, pixelsystemservice_app)
diff --git a/sepolicy/ignored/vendor/google_camera_app.te b/sepolicy/ignored/vendor/google_camera_app.te
new file mode 100644
index 0000000..ffe1f98
--- /dev/null
+++ b/sepolicy/ignored/vendor/google_camera_app.te
@@ -0,0 +1,7 @@
+get_prop(google_camera_app, vendor_gxp_prop)
+
+allow google_camera_app edgetpu_app_service:service_manager find;
+allow google_camera_app edgetpu_device:chr_file { getattr ioctl map read write };
+allow google_camera_app gxp_device:chr_file rw_file_perms;
+allow google_camera_app hw_jpg_device:chr_file rw_file_perms;
+allow google_camera_app vendor_fw_file:dir search;
diff --git a/sepolicy/ignored/vendor/google_recorder_app.te b/sepolicy/ignored/vendor/google_recorder_app.te
new file mode 100644
index 0000000..e140678
--- /dev/null
+++ b/sepolicy/ignored/vendor/google_recorder_app.te
@@ -0,0 +1 @@
+get_prop(google_recorder_app, vendor_audio_prop_restricted)
diff --git a/sepolicy/ignored/vendor/hal_wireless_charger.te b/sepolicy/ignored/vendor/hal_wireless_charger.te
new file mode 100644
index 0000000..dbff145
--- /dev/null
+++ b/sepolicy/ignored/vendor/hal_wireless_charger.te
@@ -0,0 +1,2 @@
+binder_call(hal_wireless_charger, pixelsystemservice_app)
+binder_call(hal_wireless_charger, systemui_app)
diff --git a/sepolicy/ignored/vendor/hal_wlcservice.te b/sepolicy/ignored/vendor/hal_wlcservice.te
new file mode 100644
index 0000000..3954c8a
--- /dev/null
+++ b/sepolicy/ignored/vendor/hal_wlcservice.te
@@ -0,0 +1 @@
+binder_call(hal_wlcservice, pixelsystemservice_app)
diff --git a/sepolicy/ignored/vendor/init.te b/sepolicy/ignored/vendor/init.te
new file mode 100644
index 0000000..b8daabe
--- /dev/null
+++ b/sepolicy/ignored/vendor/init.te
@@ -0,0 +1 @@
+set_prop(vendor_init, setupwizard_feature_prop)
diff --git a/sepolicy/ignored/vendor/pixelsupport_app.te b/sepolicy/ignored/vendor/pixelsupport_app.te
new file mode 100644
index 0000000..6ae22d2
--- /dev/null
+++ b/sepolicy/ignored/vendor/pixelsupport_app.te
@@ -0,0 +1 @@
+set_prop(pixelsupport_app, vendor_gti_prop)
diff --git a/sepolicy/ignored/vendor/pixelsystemservice_app.te b/sepolicy/ignored/vendor/pixelsystemservice_app.te
new file mode 100644
index 0000000..1238884
--- /dev/null
+++ b/sepolicy/ignored/vendor/pixelsystemservice_app.te
@@ -0,0 +1,26 @@
+binder_call(pixelsystemservice_app, hal_audio_default)
+binder_call(pixelsystemservice_app, hal_bluetooth_btlinux)
+binder_call(pixelsystemservice_app, hal_wireless_charger)
+binder_call(pixelsystemservice_app, hal_wlcservice)
+binder_call(pixelsystemservice_app, statsd)
+
+binder_use(pixelsystemservice_app)
+
+get_prop(pixelsystemservice_app, vendor_audio_prop_restricted)
+get_prop(pixelsystemservice_app, vendor_fingerprint_prop)
+
+hal_client_domain(pixelsystemservice_app, hal_fingerprint)
+hal_client_domain(pixelsystemservice_app, hal_gia)
+hal_client_domain(pixelsystemservice_app, hal_power_stats)
+
+set_prop(pixelsystemservice_app, touch_property_type)
+set_prop(pixelsystemservice_app, vendor_intelligence_prop)
+set_prop(pixelsystemservice_app, vendor_pss_systemphenotype_prop)
+
+allow pixelsystemservice_app cameraserver_service:service_manager find;
+allow pixelsystemservice_app fwk_vibrator_control_service:service_manager find;
+allow pixelsystemservice_app hal_audio_ext_service:service_manager find;
+allow pixelsystemservice_app hal_wireless_charger_service:service_manager find;
+allow pixelsystemservice_app hal_wlcservice_service:service_manager find;
+allow pixelsystemservice_app pixel_bluetooth_service_type:service_manager find;
+allow pixelsystemservice_app touch_context_service:service_manager find;
diff --git a/sepolicy/ignored/vendor/rild.te b/sepolicy/ignored/vendor/rild.te
new file mode 100644
index 0000000..515483c
--- /dev/null
+++ b/sepolicy/ignored/vendor/rild.te
@@ -0,0 +1 @@
+binder_call(rild, logger_app)
diff --git a/sepolicy/ignored/vendor/systemui_app.te b/sepolicy/ignored/vendor/systemui_app.te
new file mode 100644
index 0000000..54a7f5d
--- /dev/null
+++ b/sepolicy/ignored/vendor/systemui_app.te
@@ -0,0 +1,12 @@
+binder_call(systemui_app, hal_graphics_composer_default)
+binder_call(systemui_app, hal_wireless_charger)
+binder_call(systemui_app, pixel_battery_domain)
+binder_call(systemui_app, twoshay)
+
+hal_client_domain(systemui_app, hal_fingerprint)
+
+allow systemui_app hal_pixel_display_service:service_manager find;
+allow systemui_app hal_wireless_charger_service:service_manager find;
+allow systemui_app pixel_battery_service_type:service_manager find;
+allow systemui_app screen_protector_detector_service:service_manager find;
+allow systemui_app touch_context_service:service_manager find;
diff --git a/sepolicy/ignored/vendor/twoshay.te b/sepolicy/ignored/vendor/twoshay.te
new file mode 100644
index 0000000..96ec310
--- /dev/null
+++ b/sepolicy/ignored/vendor/twoshay.te
@@ -0,0 +1 @@
+binder_call(twoshay, systemui_app)