diff --git a/OWNERS b/OWNERS
index 33a29255..a24d5fb4 100644
--- a/OWNERS
+++ b/OWNERS
@@ -1,3 +1,11 @@
-aaronding@google.com
-robinpeng@google.com
-lucaswei@google.com
+adamshih@google.com
+alanstokes@google.com
+bowgotsai@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+jiyong@google.com
+rurumihong@google.com
+sspatil@google.com
+smoreland@google.com
+trong@google.com
diff --git a/ambient/exo_app.te b/ambient/exo_app.te
new file mode 100644
index 00000000..a66e9413
--- /dev/null
+++ b/ambient/exo_app.te
@@ -0,0 +1,11 @@
+type exo_app, domain;
+
+app_domain(exo_app)
+
+allow exo_app app_api_service:service_manager find;
+allow exo_app audioserver_service:service_manager find;
+allow exo_app cameraserver_service:service_manager find;
+allow exo_app mediaserver_service:service_manager find;
+allow exo_app radio_service:service_manager find;
+allow exo_app fwk_stats_hwservice:hwservice_manager find;
+binder_call(exo_app, statsd)
diff --git a/ambient/exo_wirecutter_app.te b/ambient/exo_wirecutter_app.te
new file mode 100644
index 00000000..c8b63b8f
--- /dev/null
+++ b/ambient/exo_wirecutter_app.te
@@ -0,0 +1,7 @@
+type exo_wirecutter_app, domain;
+
+app_domain(exo_wirecutter_app)
+
+allow exo_wirecutter_app app_api_service:service_manager find;
+allow exo_wirecutter_app fwk_stats_hwservice:hwservice_manager find;
+binder_call(exo_wirecutter_app, statsd)
diff --git a/ambient/keys.conf b/ambient/keys.conf
new file mode 100644
index 00000000..9be4f7f5
--- /dev/null
+++ b/ambient/keys.conf
@@ -0,0 +1,2 @@
+[@EXO_WIRECUTTER]
+ALL : vendor/google/dev-keystore/certs/com_google_pixel_wirecutter/com_google_pixel_wirecutter.x509.pem
diff --git a/ambient/mac_permissions.xml b/ambient/mac_permissions.xml
new file mode 100644
index 00000000..d1ba106a
--- /dev/null
+++ b/ambient/mac_permissions.xml
@@ -0,0 +1,26 @@
+
+
+
+
+
+
+
+
diff --git a/ambient/seapp_contexts b/ambient/seapp_contexts
new file mode 100644
index 00000000..2bfdde8e
--- /dev/null
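Review bot: The `ALL :` entry in keys.conf binds the `@EXO_WIRECUTTER` seinfo to a certificate under `vendor/google/dev-keystore/...` for every build variant, so if the release build signs com.google.pixel.wirecutter with a different key the `seinfo=wirecutter` seapp_contexts entry in this change will not match and the app will not land in `exo_wirecutter_app`. The directory name suggests a development keystore, though the diff does not show what signs the release APK. If the release key differs, split the entry into `ENG : vendor/google/dev-keystore/certs/com_google_pixel_wirecutter/com_google_pixel_wirecutter.x509.pem` and a `USER :` line pointing at the release certificate, or add a comment confirming the same certificate is used on user builds.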
+++ b/ambient/seapp_contexts
@@ -0,0 +1,5 @@
+# Domain for Exo app
+user=_app isPrivApp=true seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
+
+# Domain for Exo Wirecutter app
+user=_app seinfo=wirecutter name=com.google.pixel.wirecutter domain=exo_wirecutter_app type=app_data_file levelFrom=all
diff --git a/display/common/file.te b/display/common/file.te
new file mode 100644
index 00000000..3734e33c
--- /dev/null
+++ b/display/common/file.te
@@ -0,0 +1 @@
+type persist_display_file, file_type, vendor_persist_type;
diff --git a/display/common/file_contexts b/display/common/file_contexts
new file mode 100644
index 00000000..bca77466
--- /dev/null
+++ b/display/common/file_contexts
@@ -0,0 +1 @@
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
diff --git a/display/gs101/genfs_contexts b/display/gs101/genfs_contexts
new file mode 100644
index 00000000..1bc6f30a
--- /dev/null
+++ b/display/gs101/genfs_contexts
@@ -0,0 +1,11 @@
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay u:object_r:sysfs_display:s0
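Review bot: Both `backlight` directories in genfs_contexts are labelled `sysfs_leds`, which is the same type the new hal_graphics_composer_default.te in this change grants `sysfs_leds:file rw_file_perms` on, so the composer's write access extends to every other sysfs node carrying that label rather than just the panel backlight. The hal_power_stats_default denials later in this change reference a `sysfs_backlight` type, which suggests a narrower label is already defined for this purpose. Consider `u:object_r:sysfs_backlight:s0` for the two backlight entries (or a dedicated vendor type) and pointing the composer's rw rule at that type instead.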
diff --git a/display/gs101/hal_graphics_composer_default.te b/display/gs101/hal_graphics_composer_default.te
new file mode 100644
index 00000000..5a607815
--- /dev/null
+++ b/display/gs101/hal_graphics_composer_default.te
@@ -0,0 +1,34 @@
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+userdebug_or_eng(`
+ allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+
+ # For HWC/libdisplaycolor to generate calibration file.
+ allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+ allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get vendor_display_prop
+get_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+binder_use(hal_graphics_composer_default)
diff --git a/gs101-sepolicy.mk b/gs101-sepolicy.mk
new file mode 100644
index 00000000..c08b8023
--- /dev/null
+++ b/gs101-sepolicy.mk
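Review bot: The `userdebug_or_eng` block grants `vendor_log_file:dir create_dir_perms` but no `vendor_log_file:file` permissions, while the tracking_denials file for this domain in the same change suppresses `vendor_log_file:file { create append open getattr }` — so the HWC log write the dir rule is meant to enable still fails on debug builds and the failure is now hidden. Add `allow hal_graphics_composer_default vendor_log_file:file create_file_perms;` inside the `userdebug_or_eng` block and drop the corresponding dontaudit entries. Separately, `video_device:chr_file rw_file_perms` on the first line covers every node labelled `video_device`, not only the display controller; if a dedicated label for the DPU nodes exists or can be added in file_contexts, prefer it.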
@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/whitechapel/vendor/google
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private
+
+#
+# Pixel-wide
+#
+# Dauntless (uses Citadel policy currently)
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+
+# Wifi
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
+
+# PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Display
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101
diff --git a/private/gmscore_app.te b/private/gmscore_app.te
new file mode 100644
index 00000000..fa20f247
--- /dev/null
+++ b/private/gmscore_app.te
@@ -0,0 +1,2 @@
+# b/177389198
+dontaudit gmscore_app adbd_prop:file *;
diff --git a/private/hal_dumpstate_default.te b/private/hal_dumpstate_default.te
new file mode 100644
index 00000000..83c75689
--- /dev/null
+++ b/private/hal_dumpstate_default.te
@@ -0,0 +1,2 @@
+# b/176868217
+dontaudit hal_dumpstate adbd_prop:file *;
diff --git a/private/hal_vibrator_default.te b/private/hal_vibrator_default.te
new file mode 100644
index 00000000..f565173c
--- /dev/null
+++ b/private/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/177176811
+dontaudit hal_vibrator adbd_prop:file *;
diff --git a/private/incidentd.te b/private/incidentd.te
new file mode 100644
index 00000000..1557f065
--- /dev/null
+++ b/private/incidentd.te
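Review bot: `dontaudit gmscore_app adbd_prop:file *;` silences every file permission on adbd_prop, not just the read path the bug presumably tracks, so a later attempt to write or unlink the property file would vanish from the audit log as well. The incidentd and priv_app entries in this change list the observed permissions explicitly; use the same form here, `dontaudit gmscore_app adbd_prop:file { getattr open map };`. The same wildcard appears in hal_dumpstate_default.te, hal_vibrator_default.te and untrusted_app_25.te in this change.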
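Review bot: The rule in hal_dumpstate_default.te targets `hal_dumpstate`, which in AOSP's hal_attribute scheme is the attribute carried by both the server domain and its clients (dumpstate itself is a hal_dumpstate client), not the `hal_dumpstate_default` domain the file name refers to, so the dontaudit is wider than the bug reference suggests. If the denial came from the vendor HAL process, write `dontaudit hal_dumpstate_default adbd_prop:file { getattr open map };`. The hal_vibrator_default.te entry has the same attribute/domain mismatch.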
@@ -0,0 +1,14 @@
+# b/174961589
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file map ;
+dontaudit incidentd apexd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file map ;
diff --git a/private/lpdumpd.te b/private/lpdumpd.te
new file mode 100644
index 00000000..86a101c5
--- /dev/null
+++ b/private/lpdumpd.te
@@ -0,0 +1,7 @@
+# b/177176997
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file read ;
diff --git a/private/priv_app.te b/private/priv_app.te
new file mode 100644
index 00000000..2ef1f969
--- /dev/null
+++ b/private/priv_app.te
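Review bot: The incidentd entries repeat each permission two or three times (`adbd_prop:file open`, `getattr` and `map`, and the same for `adbd_config_prop`), which makes the file hard to check against the bug and invites drift when one copy is later edited. Collapse them to one rule per type set, `dontaudit incidentd { adbd_prop adbd_config_prop }:file { getattr open map };` plus `dontaudit incidentd apexd_prop:file open;`. Most of the tracking_denials files in this change have the same duplication and would benefit from the same pass.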
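Review bot: lpdumpd's denied `block_device:blk_file { getattr read }` is against the generic `block_device` type, which typically means the partition node it opens has no file_contexts entry; AOSP's lpdumpd policy reads the super partition through the `super_block_device` label. If that is the node involved here, label it in the vendor file_contexts (for example `/dev/block/by-name/super u:object_r:super_block_device:s0`) rather than adding a dontaudit, which leaves the gap in place and would also hide reads of any other unlabeled block device. The six lines are also three duplicated pairs.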
@@ -0,0 +1,19 @@
+# b/178433525
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app adbd_prop:file { getattr };
diff --git a/private/radio.te b/private/radio.te
new file mode 100644
index 00000000..a569b9c5
--- /dev/null
+++ b/private/radio.te
@@ -0,0 +1 @@
+add_service(radio, uce_service)
diff --git a/private/service_contexts b/private/service_contexts
new file mode 100644
index 00000000..8877518a
--- /dev/null
+++ b/private/service_contexts
@@ -0,0 +1 @@
+telephony.oem.oemrilhook u:object_r:radio_service:s0
diff --git a/private/untrusted_app_25.te b/private/untrusted_app_25.te
new file mode 100644
index 00000000..f26e0815
--- /dev/null
+++ b/private/untrusted_app_25.te
@@ -0,0 +1,2 @@
+# b/177389321
+dontaudit untrusted_app_25 adbd_prop:file *;
diff --git a/tracking_denials/aocd.te b/tracking_denials/aocd.te
new file mode 100644
index 00000000..35c47c50
--- /dev/null
+++ b/tracking_denials/aocd.te
@@ -0,0 +1,2 @@
+# b/171267323
+dontaudit aocd device:dir r_dir_perms;
diff --git a/tracking_denials/bootanim.te b/tracking_denials/bootanim.te
new file mode 100644
index 00000000..2be251e3
--- /dev/null
+++ b/tracking_denials/bootanim.te
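Review bot: `telephony.oem.oemrilhook` is labelled with the generic `radio_service` type, so every domain that may `find` radio_service — including the new `exo_app` domain in this change, which is granted `radio_service:service_manager find` — can look up the OEM RIL hook, and there is no way to grant the ordinary telephony services without also exposing it. Give it a dedicated label, `type oemrilhook_service, service_manager_type;` in private/service.te and `telephony.oem.oemrilhook u:object_r:oemrilhook_service:s0` here, then add `find` only for the domains that actually call it. The diff does not show which domain registers the hook (radio.te only adds `add_service(radio, uce_service)`), so the registrant's `add` rule would need the same update.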
@@ -0,0 +1,5 @@
+# b/180567480
+dontaudit bootanim traced_producer_socket:sock_file { write };
+dontaudit bootanim traced:unix_stream_socket { connectto };
+dontaudit bootanim traced:unix_stream_socket { connectto };
+dontaudit bootanim traced_producer_socket:sock_file { write };
diff --git a/tracking_denials/cbd.te b/tracking_denials/cbd.te
new file mode 100644
index 00000000..7cd0342d
--- /dev/null
+++ b/tracking_denials/cbd.te
@@ -0,0 +1,51 @@
+# b/171267363
+dontaudit cbd cbd:capability {setuid };
+dontaudit cbd proc_cmdline:file {open };
+dontaudit cbd persist_file:dir {search };
+dontaudit cbd init:unix_stream_socket {connectto };
+dontaudit cbd proc_cmdline:file {read };
+dontaudit cbd kernel:system {syslog_read };
+# b/173971138
+dontaudit cbd radio_prop:file { map };
+dontaudit cbd radio_prop:file { open };
+dontaudit cbd radio_prop:file { read };
+dontaudit cbd radio_prop:file { open };
+dontaudit cbd radio_prop:file { map };
+dontaudit cbd radio_prop:file { read };
+dontaudit cbd radio_prop:file { getattr };
+dontaudit cbd radio_prop:file { getattr };
+# b/178331928
+dontaudit cbd mnt_vendor_file:dir { search };
+dontaudit cbd mnt_vendor_file:dir { search };
+# b/178979986
+dontaudit cbd unlabeled:dir { getattr };
+dontaudit cbd unlabeled:file { open };
+dontaudit cbd unlabeled:file { read };
+dontaudit cbd unlabeled:file { getattr };
+dontaudit cbd unlabeled:lnk_file { read };
+dontaudit cbd unlabeled:dir { search };
+dontaudit cbd unlabeled:file { getattr };
+dontaudit cbd unlabeled:dir { getattr };
+dontaudit cbd unlabeled:lnk_file { read };
+dontaudit cbd unlabeled:dir { search };
+dontaudit cbd unlabeled:file { read };
+dontaudit cbd unlabeled:file { open };
+# b/179198083
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd radio_vendor_data_file:dir { write };
+dontaudit cbd radio_vendor_data_file:dir { add_name };
+dontaudit cbd radio_vendor_data_file:file { create };
+dontaudit cbd radio_vendor_data_file:file { write };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd unlabeled:file { ioctl };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd radio_vendor_data_file:file { read };
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd unlabeled:file { ioctl };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd radio_vendor_data_file:file { read };
+dontaudit cbd radio_vendor_data_file:file 
{ write };
+dontaudit cbd radio_vendor_data_file:file { create };
+dontaudit cbd radio_vendor_data_file:dir { add_name };
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd radio_vendor_data_file:dir { write };
diff --git a/tracking_denials/dumpstate.te b/tracking_denials/dumpstate.te
new file mode 100644
index 00000000..6c6d8ec7
--- /dev/null
+++ b/tracking_denials/dumpstate.te
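Review bot: The b/178979986 group suppresses cbd's `unlabeled:{ dir file lnk_file }` denials (and b/179198083 adds `unlabeled:file ioctl`), which hides a labeling gap rather than tracking it: a vendor daemon reaching `unlabeled` objects means a path is missing from file_contexts or needs a restorecon, and once silenced nothing will show if cbd starts touching other unlabeled data. Identify the path from the original denial and label it; the `radio_vendor_data_file:{ dir file } { create write add_name }` denials in the same group look like a functional dependency that should be an explicit allow if cbd really writes there, not a dontaudit. Each group also lists every permission twice and could be one rule per class.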
@@ -0,0 +1,35 @@
+# ag/13067824
+dontaudit dumpstate fuse:dir r_dir_perms;
+# b/174618507
+dontaudit dumpstate default_android_service:service_manager { find };
+dontaudit dumpstate vold:binder { call };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+dontaudit dumpstate vold:binder { call };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate hal_drm_clearkey:process { signal };
+dontaudit dumpstate hal_drm_clearkey:process { signal };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+# b/177778645
+dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
+# b/177860804
+dontaudit dumpstate incident:process { sigkill };
+dontaudit dumpstate incident:process { signal };
+dontaudit dumpstate incident:process { sigkill };
+dontaudit dumpstate incident:process { signal };
+# b/179310854
+dontaudit dumpstate unlabeled:dir { getattr };
+dontaudit dumpstate unlabeled:dir { getattr };
+# b/180963249
+dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
+dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
+# b/181915316
+dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
diff --git a/tracking_denials/gmscore_app.te b/tracking_denials/gmscore_app.te
new file mode 100644
index 00000000..2ace5b71
--- /dev/null
+++ b/tracking_denials/gmscore_app.te
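Review bot: `dontaudit dumpstate default_android_service:service_manager { find };` silences a lookup of a service that has no service_contexts entry, so the real fix is to label that service (as this change does for oemrilhook in private/service_contexts) and, if dumpstate is meant to dump it, allow the find; the dontaudit leaves the unlabeled service in place. The `unlabeled:dir getattr` entry under b/179310854 has the same character and points at a missing file label. The remaining groups list every rule twice; one line per permission set, e.g. `dontaudit dumpstate incident:process { signal sigkill };`, would make the file reviewable against its bug numbers.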
@@ -0,0 +1,67 @@
+# b/177389198
+dontaudit gmscore_app aac_drc_prop:file { open };
+dontaudit gmscore_app ab_update_gki_prop:file { map };
+dontaudit gmscore_app ab_update_gki_prop:file { getattr };
+dontaudit gmscore_app aac_drc_prop:file { map };
+dontaudit gmscore_app ab_update_gki_prop:file { open };
+dontaudit gmscore_app aac_drc_prop:file { getattr };
+# b/177860960
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+# b/178752576
+dontaudit gmscore_app apexd_prop:file { open };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit gmscore_app apexd_prop:file { getattr };
+dontaudit gmscore_app apexd_prop:file { map };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+# b/178753472
+dontaudit gmscore_app audio_config_prop:file { getattr };
+dontaudit gmscore_app apk_verity_prop:file { map };
+dontaudit gmscore_app apk_verity_prop:file { getattr };
+dontaudit gmscore_app apk_verity_prop:file { open };
+dontaudit gmscore_app audio_config_prop:file { open };
+# b/179310892
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit gmscore_app bluetooth_prop:file { getattr };
+dontaudit gmscore_app audio_config_prop:file { map };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { open };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { map };
+dontaudit gmscore_app bluetooth_prop:file { open };
+dontaudit gmscore_app 
bluetooth_a2dp_offload_prop:file { getattr };
+# b/179437292
+dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr };
+dontaudit gmscore_app bluetooth_prop:file { map };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { open };
+dontaudit gmscore_app boottime_prop:file { open };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { map };
+# b/179437988
+dontaudit gmscore_app bluetooth_prop:file { map };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { open };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { map };
+dontaudit gmscore_app boottime_prop:file { open };
+dontaudit gmscore_app boottime_prop:file { getattr };
+dontaudit gmscore_app boottime_prop:file { map };
+dontaudit gmscore_app boottime_public_prop:file { open };
+dontaudit gmscore_app boottime_public_prop:file { getattr };
+# b/180656125
+dontaudit gmscore_app boottime_public_prop:file { map };
+dontaudit gmscore_app build_bootimage_prop:file { open };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
+dontaudit gmscore_app build_bootimage_prop:file { open };
+dontaudit gmscore_app boottime_public_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
+# b/180960879
+dontaudit gmscore_app property_type:file *;
diff --git a/tracking_denials/gpsd.te b/tracking_denials/gpsd.te
new file mode 100644
index 00000000..fe554396
--- /dev/null
+++ b/tracking_denials/gpsd.te
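Review bot: The last rule, `dontaudit gmscore_app property_type:file *;`, covers the `property_type` attribute — every property file of every type — with every file permission, which makes the sixty specific rules above it redundant and means a future denial on a genuinely sensitive property will never be logged for this domain. Replace it with the types actually observed under b/180960879 and the read path only, in the form the rest of the file already uses, e.g. `dontaudit gmscore_app { bpf_progs_loaded_prop build_bootimage_prop }:file { getattr open map };`. If the intent really is to hide all property-read noise for gmscore_app, that decision should be stated in the comment, because it removes detection for this domain.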
@@ -0,0 +1,11 @@
+# b/173969091
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { getattr };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { getattr };
diff --git a/tracking_denials/hal_camera_default.te b/tracking_denials/hal_camera_default.te
new file mode 100644
index 00000000..18ae1337
--- /dev/null
+++ b/tracking_denials/hal_camera_default.te
@@ -0,0 +1,15 @@
+# b/178980085
+dontaudit hal_camera_default system_data_file:dir { search };
+dontaudit hal_camera_default system_data_file:dir { search };
+# b/180567725
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+# b/181913550
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
diff --git a/tracking_denials/hal_dumpstate_default.te b/tracking_denials/hal_dumpstate_default.te
new file mode 100644
index 00000000..66e10a91
--- /dev/null
+++ b/tracking_denials/hal_dumpstate_default.te
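Review bot: The b/181913550 group dontaudits `dmabuf_system_heap_device:chr_file { open read ioctl }` for the camera HAL, but a HAL that cannot open the system dmabuf heap has a functional failure, not log noise: if the camera HAL allocates from that heap the rule should be an allow, `allow hal_camera_default dmabuf_system_heap_device:chr_file r_file_perms;`, and if it does not, the open attempt in the HAL should go. As written the denial stays in effect and is merely hidden from the log. Each permission is also listed twice.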
@@ -0,0 +1,16 @@
+# b/181915591
+dontaudit hal_dumpstate_default aac_drc_prop:file { open };
+dontaudit hal_dumpstate_default sysfs:dir { read };
+dontaudit hal_dumpstate_default sysfs:dir { open };
+dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
+dontaudit hal_dumpstate_default aac_drc_prop:file { getattr };
+dontaudit hal_dumpstate_default aac_drc_prop:file { map };
+dontaudit hal_dumpstate_default aac_drc_prop:file { open };
+dontaudit hal_dumpstate_default aac_drc_prop:file { getattr };
+dontaudit hal_dumpstate_default aac_drc_prop:file { map };
+dontaudit hal_dumpstate_default ab_update_gki_prop:file { open };
+dontaudit hal_dumpstate_default ab_update_gki_prop:file { open };
+dontaudit hal_dumpstate_default sysfs:dir { read };
+dontaudit hal_dumpstate_default sysfs:dir { open };
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
diff --git a/tracking_denials/hal_fingerprint_default.te b/tracking_denials/hal_fingerprint_default.te
new file mode 100644
index 00000000..0fced323
--- /dev/null
+++ b/tracking_denials/hal_fingerprint_default.te
@@ -0,0 +1,52 @@
+# b/174438167
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default device:chr_file { open };
+dontaudit hal_fingerprint_default device:chr_file { read write };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default device:chr_file { ioctl };
+dontaudit hal_fingerprint_default device:chr_file { open };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default device:chr_file { ioctl };
+dontaudit hal_fingerprint_default device:chr_file { read write };
+# b/174714991
+dontaudit hal_fingerprint_default system_data_file:file { read };
+dontaudit hal_fingerprint_default 
system_data_file:file { open };
+dontaudit hal_fingerprint_default system_data_file:file { read };
+dontaudit hal_fingerprint_default system_data_file:file { open };
+# b/177966377
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+# b/180655836
+dontaudit hal_fingerprint_default system_data_root_file:dir { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
+dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
diff --git a/tracking_denials/hal_graphics_composer_default.te b/tracking_denials/hal_graphics_composer_default.te
new file mode 100644
index 00000000..3bc97c42
--- /dev/null
+++ b/tracking_denials/hal_graphics_composer_default.te
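Review bot: Several of the suppressed fingerprint denials point at missing labels rather than noise: `device:chr_file { open read write ioctl }` means the HAL opens a /dev node with no file_contexts entry, and `default_android_hwservice:hwservice_manager add` means it registers an HIDL interface that is not in hwservice_contexts; both should be labelled (a vendor device type and a `hal_fingerprint_hwservice` entry) instead of dontaudited. The b/180655836 group hides `system_data_root_file:{ dir file } { create write add_name }` — a vendor HAL writing directly under /data — which is the kind of system/vendor boundary violation the audit log exists to surface; it should fail loudly or the HAL should be redirected to a vendor data path. If these were one-off bring-up denials, say so in the comment next to the bug number, since the file otherwise reads as a permanent policy decision.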
@@ -0,0 +1,23 @@
+# b/181712799
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default vendor_log_file:file { create };
+dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
+dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
+dontaudit hal_graphics_composer_default vendor_log_file:file { create };
+dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+# b/181915065
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
diff --git a/tracking_denials/hal_health_default.te b/tracking_denials/hal_health_default.te
new file mode 100644
index 00000000..2ffd7634
--- /dev/null
+++ b/tracking_denials/hal_health_default.te
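Review bot: The b/181915065 entries suppress the composer's `hal_dumpstate_default:fd use` and `fifo_file write`, and the hal_dumpstate_default tracking file in this change suppresses the other half of the same interaction (`vendor_displaycolor_service:service_manager find` and `hal_graphics_composer_default:binder call`), so the display-color dump in bugreports silently does nothing on both sides. If the dump is wanted, allow it — `allow hal_dumpstate_default vendor_displaycolor_service:service_manager find;` and `binder_call(hal_dumpstate_default, hal_graphics_composer_default)` on the dumpstate side, plus the matching `fd use` and `fifo_file write` grants here — and if not, remove the dump hook from the HAL. The b/181712799 `hal_power_default:binder call` and `hal_power_service find` lines are a second cross-HAL call being silenced rather than decided; the vendor policy for the composer in this change does not grant it.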
@@ -0,0 +1,15 @@
+# b/177966434
+dontaudit hal_health_default sysfs_wlc:dir { search };
+# b/181177925
+dontaudit hal_health_default thermal_link_device:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default sysfs_thermal:lnk_file { read };
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default thermal_link_device:dir { search };
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
+dontaudit hal_health_default sysfs_thermal:lnk_file { read };
diff --git a/tracking_denials/hal_memtrack_default.te b/tracking_denials/hal_memtrack_default.te
new file mode 100644
index 00000000..8bb56ce2
--- /dev/null
+++ b/tracking_denials/hal_memtrack_default.te
@@ -0,0 +1,3 @@
+# b/181913683
+dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search };
+dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search };
diff --git a/tracking_denials/hal_neuralnetworks_armnn.te b/tracking_denials/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..9ebda637
--- /dev/null
+++ b/tracking_denials/hal_neuralnetworks_armnn.te
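Review bot: The b/181177925 group suppresses `sysfs_thermal:file { open write }` and `sysfs_batteryinfo:file { write }` for the health HAL — write attempts to thermal and battery sysfs nodes, not reads. A dontaudit keeps those writes failing while removing the only evidence that the HAL is trying; either the HAL should not be writing there (fix the code) or it needs an explicit allow on a narrowly labelled node, e.g. `allow hal_health_default sysfs_batteryinfo:file w_file_perms;` once the target node is confirmed. Each rule is also listed twice and could be collapsed to one line per class.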
@@ -0,0 +1,33 @@
+# b/171160755
+dontaudit hal_neuralnetworks_armnn traced:unix_stream_socket connectto ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager add ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager find ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder transfer ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder call ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file map ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file getattr ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file open ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file read ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file open ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file getattr ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file ioctl ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file map ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn traced_producer_socket:sock_file write ;
+dontaudit hal_neuralnetworks_armnn hidl_base_hwservice:hwservice_manager add ;
+# b/171670122
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { read };
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { open };
+# b/180550063
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/180858476
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn 
default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
diff --git a/tracking_denials/hal_power_default.te b/tracking_denials/hal_power_default.te
new file mode 100644
index 00000000..ba08e0ad
--- /dev/null
+++ b/tracking_denials/hal_power_default.te
@@ -0,0 +1,15 @@
+# b/171760921
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+# b/178331773
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+# b/178752616
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+# b/181713002
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
diff --git a/tracking_denials/hal_power_stats_default.te b/tracking_denials/hal_power_stats_default.te
new file mode 100644
index 00000000..20c95e4b
--- /dev/null
+++ b/tracking_denials/hal_power_stats_default.te
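Review bot: The b/171160755 group hides `hal_neuralnetworks_hwservice:hwservice_manager add`, `hidl_base_hwservice:hwservice_manager add` and `hwservicemanager:binder { call transfer }` for hal_neuralnetworks_armnn — that is the service failing to register with hwservicemanager at all, so with these rules in place the ArmNN driver never comes up and nothing in the log says so. If the domain is meant to serve the NN HAL it needs `hal_server_domain(hal_neuralnetworks_armnn, hal_neuralnetworks)` (which brings the hwservice add and hwbinder grants with it) plus an explicit `gpu_device:chr_file` rule for the accelerator; if the driver is intentionally disabled on this build, the comment should say so instead of citing only a bug number. The `debugfs_tracing` and `traced` entries are the usual perfetto-producer noise and are reasonable to suppress.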
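Review bot: `dontaudit hal_power_default hal_power_default:capability { dac_override };` and the `sysfs:file { open read write getattr }` entries below it are against the generic `sysfs` type, so the log no longer shows which nodes the power HAL is writing; `dac_override` in particular usually means the HAL runs as a uid that does not own the node it opens, which is fixed by chown/chmod in ueventd.rc or init rather than by policy. Label the nodes in genfs_contexts (for example `genfscon sysfs /devices/platform/.../node u:object_r:sysfs_power_foo:s0`) and grant the write on that type. The b/181713002 `hal_graphics_composer_default:binder transfer` pair is the mirror of the composer→power-HAL call suppressed in the composer's tracking file in this change, and the two should be decided together rather than both silenced.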
@@ -0,0 +1,68 @@
+# b/171760721
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default citadeld:binder { call };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:dir { read };
+dontaudit hal_power_stats_default sysfs:dir { open };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { open };
+# b/176777337
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+dontaudit hal_power_stats_default sysfs_leds:file read ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+# b/176868314
+dontaudit hal_power_stats_default sysfs_leds:file read ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+# b/179093124
+dontaudit hal_power_stats_default sysfs_backlight:file { open };
+dontaudit hal_power_stats_default sysfs_backlight:file { read };
+dontaudit hal_power_stats_default sysfs_backlight:file { open };
+dontaudit hal_power_stats_default sysfs_backlight:dir { search };
+dontaudit hal_power_stats_default sysfs_backlight:dir { search };
+dontaudit hal_power_stats_default sysfs_backlight:file { read };
+# b/180963514
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { 
getattr };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+# b/181915165
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };
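Review bot: `dontaudit hal_power_stats_default citadeld:binder { call };` under b/171760721 stands apart from the rest of this file, which is all sysfs reads: a power-stats HAL calling `citadeld` over binder is either a real dependency — in which case it needs `binder_call(hal_power_stats_default, citadeld)` plus the matching service lookup, and a dontaudit just makes the call fail quietly — or an unintended caller that should be fixed in the HAL rather than hidden. It is worth confirming which before this lands, because a silent binder failure in a stats path is hard to diagnose afterwards. The `sysfs_wifi`, `sysfs_acpm_stats`, `sysfs_aoc`, `sysfs_backlight` and `sysfs_leds` entries are already on specific labels, so those sections can become plain `allow` rules once their bugs are resolved; only the generic `sysfs:file`/`sysfs:dir` lines at the top still need a genfs_contexts label first.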
diff --git a/tracking_denials/hal_vibrator_default.te b/tracking_denials/hal_vibrator_default.te
new file mode 100644
index 00000000..eea73ffc
--- /dev/null
+++ b/tracking_denials/hal_vibrator_default.te
@@ -0,0 +1,2 @@
+# b/174961422
+dontaudit hal_vibrator_default property_type:file * ;
diff --git a/tracking_denials/hal_wifi_ext.te b/tracking_denials/hal_wifi_ext.te
new file mode 100644
index 00000000..c43741be
--- /dev/null
+++ b/tracking_denials/hal_wifi_ext.te
@@ -0,0 +1,4 @@
+# b/177966433
+dontaudit hal_wifi_ext vendor_default_prop:property_service { set };
+dontaudit hal_wifi_ext grilservice_app:binder { call };
+dontaudit hal_wifi_ext grilservice_app:binder { call };
diff --git a/tracking_denials/hardware_info_app.te b/tracking_denials/hardware_info_app.te
new file mode 100644
index 00000000..810cb701
--- /dev/null
+++ b/tracking_denials/hardware_info_app.te
@@ -0,0 +1,18 @@
+# b/181177926
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { read };
+dontaudit hardware_info_app sysfs:file { read };
+dontaudit hardware_info_app sysfs:file { open };
+dontaudit hardware_info_app sysfs:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:dir { search };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { read };
+dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
+# b/181914888
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
+# b/181915166
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
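Review bot: `dontaudit hal_vibrator_default property_type:file * ;` is far broader than the denial it tracks: `property_type` is the attribute on every property file and `*` covers every permission in the file class, including write, so any later attempt by the vibrator HAL to modify or map a property file it should not touch will be invisible in the audit log. Narrow it to the permissions actually observed, e.g. `dontaudit hal_vibrator_default property_type:file { getattr map open read };`, or better to the specific `*_prop` type named in b/174961422. The same `property_type:file *` wildcard is used in incidentd.te, platform_app.te, priv_app.te, shell.te, system_app.te and system_server.te; for the app and shell domains in particular, an audit-free path to property files is not something a tracking policy should grant.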
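Review bot: `dontaudit hal_wifi_ext vendor_default_prop:property_service { set };` suppresses a denial that points to a missing property context: `vendor_default_prop` is the fallback label for vendor properties with no `property_contexts` entry, so the denial identifies which property needs its own type, and hiding it leaves the HAL unable to set that property while removing the hint. The same pattern is in modem_logging_control.te (`vendor_sys_default_prop:property_service set`, listed under two bugs), presumably with the analogous fallback label. hardware_info_app.te's `vendor_regmap_debugfs:dir { search }` is fine to keep denied on user builds, but a short comment saying it is expected (rather than only a bug id) would stop the next reader from trying to resolve it.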
diff --git a/tracking_denials/incidentd.te b/tracking_denials/incidentd.te
new file mode 100644
index 00000000..61223df0
--- /dev/null
+++ b/tracking_denials/incidentd.te
@@ -0,0 +1,139 @@
+# b/176868159
+dontaudit incidentd apk_verity_prop:file getattr ;
+dontaudit incidentd apk_verity_prop:file map ;
+dontaudit incidentd apk_verity_prop:file getattr ;
+dontaudit incidentd apk_verity_prop:file open ;
+dontaudit incidentd apexd_prop:file map ;
+dontaudit incidentd apexd_prop:file getattr ;
+dontaudit incidentd apexd_prop:file getattr ;
+dontaudit incidentd apexd_prop:file map ;
+dontaudit incidentd apk_verity_prop:file open ;
+dontaudit incidentd apk_verity_prop:file map ;
+# b/177176812
+dontaudit incidentd audio_config_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file map ;
+dontaudit incidentd ab_update_gki_prop:file getattr ;
+dontaudit incidentd audio_config_prop:file open ;
+dontaudit incidentd aac_drc_prop:file map ;
+dontaudit incidentd aac_drc_prop:file getattr ;
+dontaudit incidentd aac_drc_prop:file open ;
+dontaudit incidentd aac_drc_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file map ;
+dontaudit incidentd aac_drc_prop:file map ;
+dontaudit incidentd ab_update_gki_prop:file getattr ;
+dontaudit incidentd aac_drc_prop:file getattr ;
+dontaudit incidentd ab_update_gki_prop:file open ;
+# b/177389412
+dontaudit incidentd audio_config_prop:file { getattr };
+dontaudit incidentd audio_config_prop:file { getattr };
+dontaudit incidentd audio_config_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { open };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { map };
+dontaudit incidentd nfc_service:service_manager { find };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { open };
+dontaudit incidentd audio_config_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr };
+# b/177614642
+dontaudit incidentd bluetooth_audio_hal_prop:file { map };
+dontaudit 
incidentd bluetooth_audio_hal_prop:file { open };
+dontaudit incidentd bluetooth_prop:file { map };
+dontaudit incidentd bluetooth_prop:file { getattr };
+dontaudit incidentd bluetooth_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { map };
+dontaudit incidentd bluetooth_audio_hal_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { open };
+dontaudit incidentd bluetooth_prop:file { map };
+dontaudit incidentd bluetooth_prop:file { getattr };
+dontaudit incidentd bluetooth_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { open };
+# b/177778217
+dontaudit incidentd boottime_public_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { getattr };
+dontaudit incidentd bpf_progs_loaded_prop:file { open };
+dontaudit incidentd boottime_public_prop:file { map };
+dontaudit incidentd boottime_public_prop:file { getattr };
+dontaudit incidentd boottime_public_prop:file { open };
+dontaudit incidentd boottime_prop:file { map };
+dontaudit incidentd bpf_progs_loaded_prop:file { getattr };
+dontaudit incidentd bpf_progs_loaded_prop:file { open };
+dontaudit incidentd boottime_public_prop:file { map };
+dontaudit incidentd boottime_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { map };
+dontaudit incidentd boottime_public_prop:file { open };
+dontaudit incidentd bpf_progs_loaded_prop:file { getattr };
+# b/177860841
+dontaudit incidentd build_bootimage_prop:file { map };
+dontaudit incidentd build_config_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { open };
+dontaudit incidentd bpf_progs_loaded_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { open };
+dontaudit incidentd build_bootimage_prop:file { getattr };
+dontaudit incidentd build_bootimage_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { getattr };
+dontaudit 
incidentd build_config_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { map };
+dontaudit incidentd bpf_progs_loaded_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { open };
+dontaudit incidentd build_config_prop:file { open };
+dontaudit incidentd build_config_prop:file { map };
+# b/178752460
+dontaudit incidentd camera_calibration_prop:file { open };
+dontaudit incidentd charger_config_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { open };
+dontaudit incidentd camera_calibration_prop:file { map };
+dontaudit incidentd camera_calibration_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { getattr };
+dontaudit incidentd camera_calibration_prop:file { open };
+dontaudit incidentd camera_calibration_prop:file { getattr };
+dontaudit incidentd camera_calibration_prop:file { map };
+dontaudit incidentd charger_config_prop:file { open };
+# b/179310909
+dontaudit incidentd charger_status_prop:file { open };
+dontaudit incidentd charger_prop:file { open };
+dontaudit incidentd charger_prop:file { getattr };
+dontaudit incidentd charger_prop:file { map };
+dontaudit incidentd charger_status_prop:file { open };
+dontaudit incidentd charger_status_prop:file { getattr };
+dontaudit incidentd charger_status_prop:file { map };
+dontaudit incidentd charger_config_prop:file { map };
+dontaudit incidentd charger_status_prop:file { map };
+dontaudit incidentd charger_status_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { map };
+dontaudit incidentd charger_prop:file { open };
+dontaudit incidentd charger_prop:file { getattr };
+dontaudit incidentd charger_prop:file { map };
+# b/179437463
+dontaudit incidentd cold_boot_done_prop:file { map };
+dontaudit incidentd cold_boot_done_prop:file { getattr };
+dontaudit incidentd cpu_variant_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { getattr };
+dontaudit incidentd cold_boot_done_prop:file { map };
+dontaudit 
incidentd cpu_variant_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { open };
+dontaudit incidentd cold_boot_done_prop:file { getattr };
+dontaudit incidentd cold_boot_done_prop:file { open };
+dontaudit incidentd cold_boot_done_prop:file { open };
+dontaudit incidentd cpu_variant_prop:file { open };
+dontaudit incidentd cpu_variant_prop:file { getattr };
+# b/180963481
+dontaudit incidentd ctl_bootanim_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { getattr };
+dontaudit incidentd ctl_adbd_prop:file { map };
+dontaudit incidentd ctl_apexd_prop:file { getattr };
+dontaudit incidentd ctl_apexd_prop:file { map };
+dontaudit incidentd ctl_adbd_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { getattr };
+dontaudit incidentd ctl_adbd_prop:file { map };
+dontaudit incidentd ctl_apexd_prop:file { open };
+dontaudit incidentd ctl_apexd_prop:file { getattr };
+dontaudit incidentd ctl_apexd_prop:file { map };
+dontaudit incidentd ctl_bootanim_prop:file { open };
+dontaudit incidentd ctl_apexd_prop:file { open };
+# b/181177909
+dontaudit incidentd property_type:file *;
diff --git a/tracking_denials/init-thermal-symlinks-sh.te b/tracking_denials/init-thermal-symlinks-sh.te
new file mode 100644
index 00000000..bfb04c06
--- /dev/null
+++ b/tracking_denials/init-thermal-symlinks-sh.te
@@ -0,0 +1,9 @@
+# b/177862403
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
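Review bot: The closing `dontaudit incidentd property_type:file *;` under b/181177909 subsumes every rule above it in this file — as far as I can tell each `*_prop` type here carries the `property_type` attribute, and `*` includes getattr/map/open — so the preceding ~130 lines become dead policy once this lands, while the wildcard additionally silences write attempts that incidentd should never make. Pick one: keep the per-type rules, collapsed to one line per type such as `dontaudit incidentd apexd_prop:file { getattr map open };`, and drop the wildcard; or keep a single wildcard narrowed to `{ getattr map open }`. priv_app.te has the same structure (per-type rules followed by `property_type:file *`). The `nfc_service:service_manager { find }` line in the b/177389412 group is unrelated to property files and would be easier to find later under its own comment.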
diff --git a/tracking_denials/init.te b/tracking_denials/init.te
new file mode 100644
index 00000000..48fddf60
--- /dev/null
+++ b/tracking_denials/init.te
@@ -0,0 +1,20 @@
+# b/177966144
+dontaudit init sysfs:file { open };
+dontaudit init sysfs:file { setattr };
+dontaudit init sysfs:file { open };
+dontaudit init sysfs:file { write };
+dontaudit init sysfs:file { setattr };
+dontaudit init sysfs:file { write };
+# b/178979985
+dontaudit init device:chr_file { ioctl };
+dontaudit init modem_img_file:dir { mounton };
+dontaudit init device:chr_file { open };
+dontaudit init device:chr_file { read write };
+dontaudit init modem_img_file:dir { mounton };
+dontaudit init device:chr_file { ioctl };
+dontaudit init device:chr_file { open };
+dontaudit init device:chr_file { read write };
+# b/180963348
+dontaudit init overlayfs_file:chr_file { unlink };
+dontaudit init unlabeled:dir { mounton };
+dontaudit init overlayfs_file:file { rename };
diff --git a/tracking_denials/mediacodec.te b/tracking_denials/mediacodec.te
new file mode 100644
index 00000000..2d3f4475
--- /dev/null
+++ b/tracking_denials/mediacodec.te
@@ -0,0 +1,6 @@
+# b/172173484
+dontaudit mediacodec sysfs:file { getattr };
+dontaudit mediacodec sysfs:file { open };
+dontaudit mediacodec sysfs:file { read };
+# b/176777184
+dontaudit mediacodec default_android_vndservice:service_manager add ;
diff --git a/tracking_denials/modem_logging_control.te b/tracking_denials/modem_logging_control.te
new file mode 100644
index 00000000..e7b77922
--- /dev/null
+++ b/tracking_denials/modem_logging_control.te
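Review bot: `dontaudit init unlabeled:dir { mounton };` and the `device:chr_file` entries under b/178979985 hide labeling gaps rather than denials that should stay denied: `unlabeled` means the directory has no file_contexts or genfs entry at all, and the generic `device` type means a /dev node missing from file_contexts, so once these are silenced nothing remains in the audit log to locate the path. The change that makes them go away is a file_contexts entry (and a specific type for the modem image mount point), after which the `mounton` can be a normal allow. rild.te (`unlabeled:dir`, `unlabeled:file`, `unlabeled:lnk_file`) and shell.te (`device:chr_file { ioctl read write }`) have the same issue; for shell in particular, ioctl/read/write on an unlabelled device node is exactly the access that should remain visible. The `sysfs:file { setattr write }` lines under b/177966144 are also on the generic `sysfs` type and need a genfs_contexts label before an allow is safe.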
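Review bot: `dontaudit mediacodec default_android_vndservice:service_manager add ;` (b/176777184) masks a service registering under the default vndservice label, which means the service name has no `vndservice_contexts` entry; the cure is to add that entry plus an `add` allow on the new type, and suppressing the denial leaves the service unregistrable with no diagnostic. system_app.te has the equivalent `default_android_service:service_manager { add }` for the framework service manager and should be handled the same way.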
@@ -0,0 +1,13 @@
+# b/176777145
+dontaudit modem_logging_control vendor_sys_default_prop:property_service set ;
+# b/176851633
+dontaudit modem_logging_control vendor_sys_default_prop:file { read };
+dontaudit modem_logging_control vendor_sys_default_prop:file { read };
+dontaudit modem_logging_control vendor_sys_default_prop:file { open };
+dontaudit modem_logging_control vendor_sys_default_prop:file { getattr };
+dontaudit modem_logging_control vendor_sys_default_prop:file { map };
+dontaudit modem_logging_control vendor_sys_default_prop:file { open };
+dontaudit modem_logging_control vendor_sys_default_prop:file { getattr };
+dontaudit modem_logging_control vendor_sys_default_prop:file { map };
+# b/176868315
+dontaudit modem_logging_control vendor_sys_default_prop:property_service set ;
diff --git a/tracking_denials/pixelstats_vendor.te b/tracking_denials/pixelstats_vendor.te
new file mode 100644
index 00000000..4eb0f6d0
--- /dev/null
+++ b/tracking_denials/pixelstats_vendor.te
@@ -0,0 +1,4 @@
+# b/181914749
+dontaudit pixelstats_vendor servicemanager:binder { call };
+# b/181915066
+dontaudit pixelstats_vendor servicemanager:binder { call };
diff --git a/tracking_denials/platform_app.te b/tracking_denials/platform_app.te
new file mode 100644
index 00000000..6e8841af
--- /dev/null
+++ b/tracking_denials/platform_app.te
@@ -0,0 +1,8 @@
+# b/178433506
+dontaudit platform_app property_type:file *;
+# b/179093352
+dontaudit platform_app hal_wlc:binder { transfer };
+dontaudit platform_app hal_wlc:binder { call };
+dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find };
+dontaudit platform_app hal_wlc:binder { call };
+dontaudit platform_app hal_wlc:binder { transfer };
diff --git a/tracking_denials/priv_app.te b/tracking_denials/priv_app.te
new file mode 100644
index 00000000..4eba31d3
--- /dev/null
+++ b/tracking_denials/priv_app.te
@@ -0,0 +1,51 @@
+# b/180551518
+dontaudit priv_app apk_verity_prop:file { getattr };
+dontaudit priv_app audio_config_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app audio_config_prop:file { open };
+dontaudit priv_app apk_verity_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { getattr };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app apk_verity_prop:file { getattr };
+dontaudit priv_app apk_verity_prop:file { map };
+dontaudit priv_app audio_config_prop:file { open };
+dontaudit priv_app audio_config_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app apk_verity_prop:file { getattr };
+# b/180567612
+dontaudit priv_app audio_config_prop:file { map };
+dontaudit priv_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit priv_app bluetooth_audio_hal_prop:file { map };
+dontaudit priv_app bluetooth_prop:file { open };
+dontaudit priv_app bluetooth_prop:file { getattr };
+dontaudit priv_app bluetooth_audio_hal_prop:file { open };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit priv_app audio_config_prop:file { map };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit 
priv_app bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit priv_app bluetooth_audio_hal_prop:file { open };
+dontaudit priv_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit priv_app bluetooth_audio_hal_prop:file { map };
+dontaudit priv_app bluetooth_prop:file { open };
+dontaudit priv_app bluetooth_prop:file { getattr };
+# b/180656244
+dontaudit priv_app property_type:file *;
+# b/180858511
+dontaudit priv_app hal_neuralnetworks_armnn:binder { call };
+dontaudit priv_app hal_neuralnetworks_armnn:binder { call };
diff --git a/tracking_denials/rild.te b/tracking_denials/rild.te
new file mode 100644
index 00000000..10680da3
--- /dev/null
+++ b/tracking_denials/rild.te
@@ -0,0 +1,16 @@
+# b/178980065
+dontaudit rild unlabeled:dir { search };
+dontaudit rild unlabeled:lnk_file { read };
+dontaudit rild unlabeled:dir { search };
+dontaudit rild unlabeled:lnk_file { read };
+# b/179198085
+dontaudit rild unlabeled:file { ioctl };
+dontaudit rild unlabeled:file { open };
+dontaudit rild unlabeled:file { read };
+dontaudit rild unlabeled:file { getattr };
+dontaudit rild unlabeled:file { lock };
+dontaudit rild unlabeled:file { ioctl };
+dontaudit rild unlabeled:file { open };
+dontaudit rild unlabeled:file { read };
+dontaudit rild unlabeled:file { getattr };
+dontaudit rild unlabeled:file { lock };
diff --git a/tracking_denials/scd.te b/tracking_denials/scd.te
new file mode 100644
index 00000000..f66f49eb
--- /dev/null
+++ b/tracking_denials/scd.te
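Review bot: `dontaudit priv_app hal_neuralnetworks_armnn:binder { call };` (b/180858511) is a direct binder call from a privileged app into a vendor HAL process; if the app is using NNAPI this should reach the HAL through hwservicemanager with the framework's client permissions, and the denial is consistent with the HAL failing to register under `hal_neuralnetworks_hwservice` (the add/find denials tracked in the hal_neuralnetworks_armnn hunk at the top of this change). Resolving that registration is likely to make this entry unnecessary; if the app really is binding to the HAL directly, that is a policy decision to make explicitly rather than something to hide behind a dontaudit. The hunk for this file starts on the previous line of the page, so the b/180551518 group is only partly visible here.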
@@ -0,0 +1,13 @@
+# b/173969190
+dontaudit scd vendor_data_file:dir { write };
+dontaudit scd vendor_data_file:dir { add_name };
+dontaudit scd vendor_data_file:dir { write };
+dontaudit scd vendor_data_file:file { create };
+dontaudit scd vendor_data_file:file { lock };
+dontaudit scd vendor_data_file:file { create };
+dontaudit scd vendor_data_file:file { lock };
+dontaudit scd vendor_data_file:file { open };
+dontaudit scd vendor_data_file:file { write };
+dontaudit scd vendor_data_file:file { write };
+dontaudit scd vendor_data_file:file { open };
+dontaudit scd vendor_data_file:dir { add_name };
diff --git a/tracking_denials/sced.te b/tracking_denials/sced.te
new file mode 100644
index 00000000..fa8893fd
--- /dev/null
+++ b/tracking_denials/sced.te
@@ -0,0 +1,10 @@
+# b/171760846
+dontaudit sced hwservicemanager:binder { call };
+dontaudit sced hidl_base_hwservice:hwservice_manager { add };
+dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add };
+dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find };
+dontaudit sced hwservicemanager_prop:file { read };
+dontaudit sced hwservicemanager_prop:file { open };
+dontaudit sced hwservicemanager_prop:file { map };
+dontaudit sced hwservicemanager:binder { transfer };
+dontaudit sced hwservicemanager_prop:file { getattr };
diff --git a/tracking_denials/shell.te b/tracking_denials/shell.te
new file mode 100644
index 00000000..66ac4fb3
--- /dev/null
+++ b/tracking_denials/shell.te
@@ -0,0 +1,7 @@
+# b/171760597
+dontaudit shell property_type:file *;
+# b/178979984
+dontaudit shell device:chr_file { ioctl };
+dontaudit shell device:chr_file { read write };
+dontaudit shell device:chr_file { read write };
+dontaudit shell device:chr_file { ioctl };
diff --git a/tracking_denials/surfaceflinger.te b/tracking_denials/surfaceflinger.te
new file mode 100644
index 00000000..1f7fd2ad
--- /dev/null
+++ b/tracking_denials/surfaceflinger.te
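Review bot: The `scd vendor_data_file:dir { write add_name }` and `vendor_data_file:file { create lock open write }` entries suppress a vendor daemon creating files under the generic `vendor_data_file` type; each vendor daemon is expected to own a dedicated type under /data/vendor (declared in file.te and mapped in file_contexts), so this denial is the signal that scd's data directory lacks one, and a dontaudit leaves scd unable to persist whatever it writes with no log to show it. sced.te in the same span has the matching problem on the registration side: `hidl_base_hwservice`/`hal_vendor_oem_hwservice:hwservice_manager { add }` and the `hwservicemanager:binder` calls are what a HAL server needs to come up at all, so if sced is meant to serve that interface it needs the hal-server rules rather than silence.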
@@ -0,0 +1,12 @@
+# b/176868297
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
+# b/177176899
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
diff --git a/tracking_denials/system_app.te b/tracking_denials/system_app.te
new file mode 100644
index 00000000..0dd274b6
--- /dev/null
+++ b/tracking_denials/system_app.te
@@ -0,0 +1,4 @@
+# b/178433618
+dontaudit system_app property_type:file *;
+# b/179435036
+dontaudit system_app default_android_service:service_manager { add };
diff --git a/tracking_denials/system_server.te b/tracking_denials/system_server.te
new file mode 100644
index 00000000..d7e456ab
--- /dev/null
+++ b/tracking_denials/system_server.te
@@ -0,0 +1,2 @@
+# b/178980142
+dontaudit system_server property_type:file *;
diff --git a/tracking_denials/tee.te b/tracking_denials/tee.te
new file mode 100644
index 00000000..9148a9c7
--- /dev/null
+++ b/tracking_denials/tee.te
@@ -0,0 +1,11 @@
+# b/173971240
+dontaudit tee persist_file:file { open };
+dontaudit tee tee_data_file:lnk_file { read };
+dontaudit tee mnt_vendor_file:dir { search };
+dontaudit tee persist_file:dir { search };
+dontaudit tee persist_file:file { open };
+dontaudit tee persist_file:file { read write };
+dontaudit tee persist_file:dir { search };
+dontaudit tee mnt_vendor_file:dir { search };
+dontaudit tee tee_data_file:lnk_file { read };
+dontaudit tee persist_file:file { read write };
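Review bot: `dontaudit tee persist_file:file { read write };` suppresses the TEE daemon writing into the top-level `persist_file` label on the persist partition; a vendor domain writing to the generic persist type is what a dedicated `vendor_persist_type` subtype exists to avoid, so this denial is a labeling task (give the TEE's persist directory its own type and allow that) rather than noise. Hiding a write denial here also removes the only record if the daemon ever starts touching other persist data. The `tee_data_file:lnk_file { read }` line suggests a symlink under the TEE data directory that the existing allow rules do not cover; that one probably belongs in tee.te proper once confirmed.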
diff --git a/tracking_denials/trusty_apploader.te b/tracking_denials/trusty_apploader.te
new file mode 100644
index 00000000..0914a14f
--- /dev/null
+++ b/tracking_denials/trusty_apploader.te
@@ -0,0 +1,9 @@
+# b/180874342
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
diff --git a/tracking_denials/untrusted_app.te b/tracking_denials/untrusted_app.te
new file mode 100644
index 00000000..703cdf53
--- /dev/null
+++ b/tracking_denials/untrusted_app.te
@@ -0,0 +1,14 @@
+# b/178331791
+dontaudit untrusted_app selinuxfs:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { map };
+dontaudit untrusted_app vendor_camera_prop:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { getattr };
+dontaudit untrusted_app selinuxfs:file { read };
+dontaudit untrusted_app selinuxfs:file { read };
+dontaudit untrusted_app selinuxfs:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { getattr };
+dontaudit untrusted_app vendor_camera_prop:file { map };
+# b/178433597
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };
diff --git a/tracking_denials/untrusted_app_25.te b/tracking_denials/untrusted_app_25.te
new file mode 100644
index 00000000..3dcf4615
--- /dev/null
+++ b/tracking_denials/untrusted_app_25.te
@@ -0,0 +1,149 @@
+# b/177389321
+dontaudit untrusted_app_25 ab_update_gki_prop:file { map };
+dontaudit untrusted_app_25 aac_drc_prop:file { open };
+dontaudit untrusted_app_25 ab_update_gki_prop:file { getattr };
+dontaudit untrusted_app_25 ab_update_gki_prop:file { open };
+dontaudit untrusted_app_25 aac_drc_prop:file { map };
+dontaudit untrusted_app_25 aac_drc_prop:file { getattr };
+# b/177614659
+dontaudit untrusted_app_25 apk_verity_prop:file { open };
+dontaudit untrusted_app_25 apexd_prop:file { getattr };
+dontaudit untrusted_app_25 apexd_prop:file { open };
+dontaudit untrusted_app_25 apexd_prop:file { map };
+dontaudit untrusted_app_25 apk_verity_prop:file { map };
+dontaudit untrusted_app_25 audio_config_prop:file { open };
+dontaudit untrusted_app_25 audio_config_prop:file { getattr };
+dontaudit untrusted_app_25 audio_config_prop:file { map };
+dontaudit untrusted_app_25 apk_verity_prop:file { getattr };
+# b/177616188
+dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { open };
+dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { map };
+dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { open };
+dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { getattr };
+dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { map };
+dontaudit untrusted_app_25 bluetooth_prop:file { open };
+dontaudit untrusted_app_25 bluetooth_prop:file { getattr };
+dontaudit untrusted_app_25 bluetooth_prop:file { map };
+# b/177778551
+dontaudit untrusted_app_25 boottime_public_prop:file { open };
+dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { getattr };
+dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { map };
+dontaudit untrusted_app_25 boottime_prop:file { open };
+dontaudit untrusted_app_25 boottime_prop:file { getattr };
+dontaudit untrusted_app_25 boottime_prop:file { map };
+dontaudit untrusted_app_25 
bootloader_boot_reason_prop:file { open };
+# b/177778793
+dontaudit untrusted_app_25 boottime_public_prop:file { getattr };
+dontaudit untrusted_app_25 boottime_public_prop:file { map };
+dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { open };
+dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { getattr };
+dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { map };
+dontaudit untrusted_app_25 build_bootimage_prop:file { open };
+dontaudit untrusted_app_25 build_bootimage_prop:file { getattr };
+dontaudit untrusted_app_25 build_bootimage_prop:file { map };
+dontaudit untrusted_app_25 build_config_prop:file { open };
+# b/177860838
+dontaudit untrusted_app_25 charger_status_prop:file { open };
+dontaudit untrusted_app_25 charger_prop:file { map };
+dontaudit untrusted_app_25 charger_prop:file { getattr };
+dontaudit untrusted_app_25 charger_prop:file { open };
+dontaudit untrusted_app_25 charger_config_prop:file { map };
+dontaudit untrusted_app_25 charger_config_prop:file { getattr };
+dontaudit untrusted_app_25 build_config_prop:file { map };
+dontaudit untrusted_app_25 build_config_prop:file { getattr };
+dontaudit untrusted_app_25 charger_config_prop:file { open };
+# b/177862777
+dontaudit untrusted_app_25 charger_status_prop:file { getattr };
+dontaudit untrusted_app_25 charger_status_prop:file { map };
+dontaudit untrusted_app_25 cold_boot_done_prop:file { open };
+dontaudit untrusted_app_25 cold_boot_done_prop:file { getattr };
+dontaudit untrusted_app_25 cold_boot_done_prop:file { map };
+dontaudit untrusted_app_25 cpu_variant_prop:file { open };
+dontaudit untrusted_app_25 cpu_variant_prop:file { getattr };
+dontaudit untrusted_app_25 cpu_variant_prop:file { map };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { open };
+# b/178752409
+dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { open };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { map };
+dontaudit untrusted_app_25 
ctl_apexd_prop:file { map };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { open };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { map };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { map };
+dontaudit untrusted_app_25 ctl_bootanim_prop:file { map };
+dontaudit untrusted_app_25 ctl_bootanim_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bootanim_prop:file { open };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr };
+# b/178753151
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { open };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { map };
+dontaudit untrusted_app_25 ctl_console_prop:file { open };
+dontaudit untrusted_app_25 ctl_console_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_console_prop:file { map };
+dontaudit untrusted_app_25 ctl_default_prop:file { open };
+dontaudit untrusted_app_25 ctl_default_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { open };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { map };
+dontaudit untrusted_app_25 ctl_console_prop:file { open };
+dontaudit untrusted_app_25 ctl_console_prop:file { getattr };
+# b/179310875
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { open };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open };
+dontaudit untrusted_app_25 ctl_default_prop:file { map };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open };
+dontaudit untrusted_app_25 ctl_default_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { open };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { map };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { open };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr };
+# b/179437293
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+# b/179437737
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map
};
+# b/180963328
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr };
+# b/180963587
+dontaudit untrusted_app_25 property_type:file *;
diff --git a/tracking_denials/update_engine.te b/tracking_denials/update_engine.te
new file mode 100644
index 00000000..e1f320af
--- /dev/null
+++ b/tracking_denials/update_engine.te
@@ -0,0 +1,5 @@
+# b/174961421
+dontaudit update_engine dumpstate:fifo_file write ;
+dontaudit update_engine dumpstate:fifo_file write ;
+dontaudit update_engine dumpstate:fd use ;
+dontaudit update_engine dumpstate:fd use ;
diff --git a/tracking_denials/vendor_init.te b/tracking_denials/vendor_init.te
new file mode 100644
index 00000000..f00248a0
--- /dev/null
+++ b/tracking_denials/vendor_init.te
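Review bot: The update_engine.te hunk lists each rule twice — `dontaudit update_engine dumpstate:fifo_file write ;` and `dontaudit update_engine dumpstate:fd use ;` both appear on consecutive lines — which is harmless to the compiled policy but makes a tracking_denials file hard to audit and to diff when the bug is closed. The same duplication is in the vendor_init.te hunk (`device:file { create }` and each of the `unlabeled:dir` permissions twice) and in vendor_telephony_app.te (`user_profile_root_file:dir search` twice). Keep one copy of each rule per bug reference. The `write ;` spacing before the semicolon also differs from the `{ ... };` form used by the other files in this directory; pick one style.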
@@ -0,0 +1,20 @@
+# b/176528556
+dontaudit vendor_init tmpfs:dir { add_name write };
+# b/176528557
+dontaudit vendor_init debugfs_trace_marker:file { getattr };
+# b/177186257
+dontaudit vendor_init system_data_file:dir { open ioctl read };
+# b/174443175
+dontaudit vendor_init vendor_power_prop:property_service { set };
+# b/177386448
+dontaudit vendor_init device:file { create };
+dontaudit vendor_init device:file { create };
+# b/178980032
+dontaudit vendor_init unlabeled:dir { setattr };
+dontaudit vendor_init unlabeled:dir { read };
+dontaudit vendor_init unlabeled:dir { search };
+dontaudit vendor_init unlabeled:dir { search };
+dontaudit vendor_init unlabeled:dir { open };
+dontaudit vendor_init unlabeled:dir { read };
+dontaudit vendor_init unlabeled:dir { setattr };
+dontaudit vendor_init unlabeled:dir { open };
diff --git a/tracking_denials/vendor_telephony_app.te b/tracking_denials/vendor_telephony_app.te
new file mode 100644
index 00000000..2969a576
--- /dev/null
+++ b/tracking_denials/vendor_telephony_app.te
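Review bot: The `dontaudit vendor_init unlabeled:dir { setattr read search open }` group under b/178980032 silences denials on unlabeled directories instead of labeling them; an unlabeled path reached by vendor_init normally means a missing file_contexts or genfs_contexts entry, and once the dontaudit is in place any future mislabel on that path is hidden as well. `dontaudit vendor_init system_data_file:dir { open ioctl read }` likewise suppresses a vendor-to-system /data access of the kind the system/vendor split is meant to surface. Each entry here should record, next to the bug id, what path or property triggered it so the suppression can be removed once labeled, e.g. `# b/178980032 - denial on <path placeholder>; drop once labeled`.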
@@ -0,0 +1,21 @@
+# b/174961423
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file open ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file read ;
+dontaudit vendor_telephony_app system_app_data_file:dir search ;
+dontaudit vendor_telephony_app system_app_data_file:dir getattr ;
+dontaudit vendor_telephony_app system_data_file:dir search ;
+# b/176868380
+dontaudit vendor_telephony_app user_profile_root_file:dir search ;
+dontaudit vendor_telephony_app user_profile_root_file:dir search ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file getattr ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file map ;
+dontaudit vendor_telephony_app vendor_slog_file:dir search ;
+# b/177176900
+dontaudit vendor_telephony_app vendor_rild_prop:file getattr ;
+dontaudit vendor_telephony_app vendor_rild_prop:file open ;
+dontaudit vendor_telephony_app vendor_rild_prop:file read ;
+dontaudit vendor_telephony_app vendor_rild_prop:file map ;
+# b/179437464
+dontaudit vendor_telephony_app activity_service:service_manager { find };
+dontaudit vendor_telephony_app thermal_service:service_manager { find };
+dontaudit vendor_telephony_app tethering_service:service_manager { find };
diff --git a/usf/file.te b/usf/file.te
new file mode 100644
index 00000000..e264c277
--- /dev/null
+++ b/usf/file.te
@@ -0,0 +1,12 @@
+#
+# USF file SELinux type enforcements.
+#
+
+# Declare the sensor registry persist file type. By convention, persist file
+# types begin with "persist_".
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+# Declare the sensor registry data file type. By convention, data file types
+# end with "data_file".
+type sensor_reg_data_file, file_type, data_file_type;
+
diff --git a/usf/file_contexts b/usf/file_contexts
new file mode 100644
index 00000000..ff3d41d3
--- /dev/null
+++ b/usf/file_contexts
@@ -0,0 +1,10 @@
+#
+# USF SELinux file security contexts.
+#
+
+# Sensor registry persist files.
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+
+# Sensor registry data files.
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
new file mode 100644
index 00000000..afb74634
--- /dev/null
+++ b/usf/sensor_hal.te
@@ -0,0 +1,22 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow reading of sensor registry persist files.
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default mnt_vendor_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/abox.te b/whitechapel/vendor/google/abox.te
new file mode 100644
index 00000000..eb2c3aaf
--- /dev/null
+++ b/whitechapel/vendor/google/abox.te
@@ -0,0 +1,4 @@
+type abox, domain;
+type abox_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(abox)
+
diff --git a/whitechapel/vendor/google/aocd.te b/whitechapel/vendor/google/aocd.te
new file mode 100644
index 00000000..4cab55af
--- /dev/null
+++ b/whitechapel/vendor/google/aocd.te
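Review bot: `allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;` in sensor_hal.te grants write to the AoC boot-time sysfs node, while chre.te in the same change gives the same type only `r_file_perms` for what its comment describes as the same purpose (reading the AoC clock); if the sensor HAL only reads the timestamp to synchronize, narrow this to `r_file_perms`, otherwise the comment should say what is written. The last rule's comment, `# Allow create thread to watch AOC's device.`, is ungrammatical and does not say which permission the watch needs; `r_dir_perms` on `device:dir` also lets the HAL enumerate /dev, so if only a directory watch is required a narrower grant (the `watch` permission alone, if the macro definition confirms it is separable) would do. A clearer comment would be `# Allow watching /dev so the thread that waits for the AoC device node can be created.`; the identical rule and comment appear in chre.te.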
@@ -0,0 +1,14 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/aocdump.te b/whitechapel/vendor/google/aocdump.te
new file mode 100644
index 00000000..bfd11d48
--- /dev/null
+++ b/whitechapel/vendor/google/aocdump.te
@@ -0,0 +1,16 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+ # Permit communication with AoC
+ allow aocdump aoc_device:chr_file rw_file_perms;
+
+ allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+ allow aocdump radio_vendor_data_file:file create_file_perms;
+ set_prop(aocdump, vendor_audio_prop);
+
+ allow aocdump self:unix_stream_socket create_stream_socket_perms;
+ allow aocdump property_socket:sock_file { write };
+ allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/whitechapel/vendor/google/attributes b/whitechapel/vendor/google/attributes
new file mode 100644
index 00000000..7e6def72
--- /dev/null
+++ b/whitechapel/vendor/google/attributes
@@ -0,0 +1 @@
+attribute vendor_persist_type;
diff --git a/whitechapel/vendor/google/bipchmgr.te b/whitechapel/vendor/google/bipchmgr.te
new file mode 100644
index 00000000..9298e322
--- /dev/null
+++ b/whitechapel/vendor/google/bipchmgr.te
@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
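Review bot: The `# access persist files` block in aocd.te grants only `mnt_vendor_file:dir search` and `persist_file:dir search`, which lets aocd traverse to the persist mount but does not permit reading or writing any persist file type, so either a rule on the actual file type (one of the `vendor_persist_type` types declared in this change, presumably) is missing or the comment overstates what is granted. `allow aocd sysfs_aoc_firmware:file w_file_perms;` is the most security-relevant line in the file — write access to the AoC firmware sysfs node from a daemon — and deserves a why-comment rather than the generic `# sysfs operations`, e.g. `# Write the AoC firmware node to trigger firmware load (confirm exact use)`.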
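Review bot: In aocdump.te, `allow aocdump property_socket:sock_file { write };` duplicates what `set_prop(aocdump, vendor_audio_prop);` two lines above already grants, since the set_prop macro includes the property socket write and the init socket send needed to set a property; dropping the explicit rule makes the intent of the block clearer. The trailing `;` after the `set_prop(...)` macro call is also inconsistent with every other macro invocation in this change (`init_daemon_domain(aocdump)`, `userdebug_or_eng(...)`), and the same trailing semicolon appears on `get_prop(bipchmgr, hwservicemanager_prop);` in bipchmgr.te and on the `binder_use`, `binder_service` and `add_service` lines in edgetpu_service.te.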
diff --git a/whitechapel/vendor/google/bootanim.te b/whitechapel/vendor/google/bootanim.te
new file mode 100644
index 00000000..7b3019df
--- /dev/null
+++ b/whitechapel/vendor/google/bootanim.te
@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/bootdevice_sysdev.te b/whitechapel/vendor/google/bootdevice_sysdev.te
new file mode 100644
index 00000000..2ff0acb9
--- /dev/null
+++ b/whitechapel/vendor/google/bootdevice_sysdev.te
@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
diff --git a/whitechapel/vendor/google/cbd.te b/whitechapel/vendor/google/cbd.te
new file mode 100644
index 00000000..6e21902e
--- /dev/null
+++ b/whitechapel/vendor/google/cbd.te
@@ -0,0 +1,44 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
diff --git a/whitechapel/vendor/google/chre.te b/whitechapel/vendor/google/chre.te
new file mode 100644
index 00000000..f8d395fc
--- /dev/null
+++ b/whitechapel/vendor/google/chre.te
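Review bot: `allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;` is paired with only `r_dir_perms` on the same type's `dir` class, but creating a file also needs `add_name`/`write` on the parent directory, so cbd cannot actually create new crashinfo files as `# Allow cbd to collect crash info` implies; either the dir rule should become `rw_dir_perms` (the coredump rules in the userdebug_or_eng block below use `create_dir_perms`) or the file rule should be narrowed to what is really used. Two uncommented grants also stand out in a file where everything else is explained: `allow cbd vendor_shell_exec:file execute_no_trans;` together with the `vendor_toolbox_exec` line lets the daemon run a shell and toolbox in its own domain, and `allow cbd kmsg_device:chr_file rw_file_perms;` gives it read as well as write on the kernel log; each should carry a one-line why-comment and be narrowed where possible (e.g. `w_file_perms` on kmsg if cbd only logs to it).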
@@ -0,0 +1,13 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/device.te b/whitechapel/vendor/google/device.te
new file mode 100644
index 00000000..375c91c3
--- /dev/null
+++ b/whitechapel/vendor/google/device.te
@@ -0,0 +1,52 @@
+# Block Devices
+type efs_block_device, dev_type;
+type fat_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type vendor_block_device, dev_type;
+type sda_block_device, dev_type;
+
+# Exynos devices
+type vendor_m2m1shot_device, dev_type;
+type vendor_gnss_device, dev_type;
+type vendor_nanohub_device, dev_type;
+type vendor_secmem_device, dev_type;
+type pktrouter_device, dev_type;
+type vendor_toe_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type tui_device, dev_type;
+
+# usbpd
+type logbuffer_device, dev_type;
+
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
+
+#cpuctl
+type cpuctl_device, dev_type;
+
+# Bt Wifi Coexistence device
+type wb_coexistence_dev, dev_type;
+
+# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
+type lwis_device, dev_type;
+
+# sensor direct DMA-BUF heap
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+
+#faceauth DMA-BUF heaps
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vframe-secure DMA-BUF heap
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vscaler-secure DMA-BUF heap
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+
+# subsystem-coredump
+type sscoredump_device, dev_type;
+
+# AOC device
+type aoc_device, dev_type;
diff --git a/whitechapel/vendor/google/dmd.te b/whitechapel/vendor/google/dmd.te
new file mode 100644
index 00000000..c0c695f2
--- /dev/null
+++ b/whitechapel/vendor/google/dmd.te
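Review bot: `type edgetpu_device, dev_type, mlstrustedobject;` is the only device type in this file exempted from MLS constraints, while edgetpu_service.te in the same change adds `neverallow appdomain edgetpu_device:chr_file { open }`; mlstrustedobject is what lets per-user app-level domains reach an object across MLS levels, so the two declarations pull in opposite directions and the comment `# EdgeTPU device (DarwiNN)` should name which domain needs the exemption, or the attribute should be dropped. Minor: `type wb_coexistence_dev, dev_type;` breaks the `_device` suffix convention every other type in this file follows.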
@@ -0,0 +1,29 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+add_hwservice(dmd, hal_vendor_oem_hwservice)
+binder_call(dmd, hwservicemanager)
diff --git a/whitechapel/vendor/google/domain.te b/whitechapel/vendor/google/domain.te
new file mode 100644
index 00000000..cffaf8cd
--- /dev/null
+++ b/whitechapel/vendor/google/domain.te
@@ -0,0 +1 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;
diff --git a/whitechapel/vendor/google/dumpstate.te b/whitechapel/vendor/google/dumpstate.te
new file mode 100644
index 00000000..fb325056
--- /dev/null
+++ b/whitechapel/vendor/google/dumpstate.te
@@ -0,0 +1,4 @@
+dump_hal(hal_telephony)
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
diff --git a/whitechapel/vendor/google/edgetpu_logging.te b/whitechapel/vendor/google/edgetpu_logging.te
new file mode 100644
index 00000000..021338f4
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_logging.te
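Review bot: `allow dmd node:tcp_socket node_bind;` and `allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };` make this vendor daemon a TCP listener on all builds, which is new network attack surface on a domain that also gets `serial_device` and `radio_device` rw access and can set modem properties. The comment `# Grant to access serial device for external logging tool` reads as a debugging path; if the TCP and serial access exist for the same tool, both belong inside a `userdebug_or_eng(\`...')` block as aocdump.te and cbd.te do. If the listener is genuinely needed on user builds, replace `# Grant to access tcp socket` with a comment that states the port and the consumer, e.g. `# Listens on TCP port <port placeholder> for <consumer placeholder>`.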
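Review bot: `allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;` in domain.te gives nearly every process on the device write access to the vendor scheduler sysfs nodes, including domains that have nothing to do with this vendor; a domain-wide allow with a two-item exclusion list is hard to reason about and is the kind of rule a neverallow review normally rejects. Prefer listing the domains that actually tune scheduling, or an attribute they share, and add a comment stating why write rather than read is needed, e.g. `# Vendor sched tunables are written by the domains listed here (reason placeholder)`.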
@@ -0,0 +1,6 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/abrolhos
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/edgetpu_service.te b/whitechapel/vendor/google/edgetpu_service.te
new file mode 100644
index 00000000..241a87eb
--- /dev/null
+++ b/whitechapel/vendor/google/edgetpu_service.te
@@ -0,0 +1,28 @@
+# EdgeTPU server process which runs the EdgeTPU binder service.
+type edgetpu_server, coredomain, domain;
+type edgetpu_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_server, edgetpu_server_exec)
+
+# The server will use binder calls.
+binder_use(edgetpu_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_server);
+
+# EdgeTPU binder service type declaration.
+type edgetpu_service, service_manager_type;
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_server, edgetpu_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service access to its data files.
+allow edgetpu_server edgetpu_service_data_file:file create_file_perms;
+allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;
diff --git a/whitechapel/vendor/google/exo_camera_injection/dumpstate.te b/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
new file mode 100644
index 00000000..1a5b393d
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
@@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)
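Review bot: `init_daemon_domain(edgetpu_server, edgetpu_server_exec)` in edgetpu_service.te passes two arguments while every other call in this change (`init_daemon_domain(edgetpu_logging)`, `init_daemon_domain(aocd)`, ...) passes one; the macro derives the exec type from its first argument, so the second is silently ignored and suggests to readers that the exec type is configurable — write `init_daemon_domain(edgetpu_server)`. The domain is also declared `coredomain` with a `system_file_type` exec inside a vendor policy directory; a one-line comment should say why a system-side domain is defined here rather than in system sepolicy, since the split is what the `neverallow appdomain edgetpu_device:chr_file { open }` line below relies on reviewers understanding.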
diff --git a/whitechapel/vendor/google/exo_camera_injection/file_contexts b/whitechapel/vendor/google/exo_camera_injection/file_contexts
new file mode 100644
index 00000000..cfcbd6ff
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/file_contexts
@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service u:object_r:hal_exo_camera_injection_exec:s0
diff --git a/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te b/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
new file mode 100644
index 00000000..138d1b1d
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
@@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice.te b/whitechapel/vendor/google/exo_camera_injection/hwservice.te
new file mode 100644
index 00000000..cea97689
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hwservice.te
@@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;
diff --git a/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts b/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
new file mode 100644
index 00000000..59ccfe67
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
@@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection u:object_r:hal_exo_camera_injection_hwservice:s0
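Review bot: `hal_server_domain(hal_exo_camera_injection, hal_camera)` in hal_exo_camera_injection.te makes the injection service a full camera HAL server, inheriting every grant attached to the `hal_camera` attribute, and nothing in the file says what the service injects or why it needs the camera HAL's permission set; add a one-line purpose comment above the `type` line. The TODO is also garbled: `# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.` should read `# TODO(b/180558115): Move this to pixel-sepolicy after Pixel 6 launches.`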
diff --git a/whitechapel/vendor/google/exo_camera_injection/platform_app.te b/whitechapel/vendor/google/exo_camera_injection/platform_app.te
new file mode 100644
index 00000000..b4dee87f
--- /dev/null
+++ b/whitechapel/vendor/google/exo_camera_injection/platform_app.te
@@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow platform_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_exo_camera_injection)
diff --git a/whitechapel/vendor/google/file.te b/whitechapel/vendor/google/file.te
new file mode 100644
index 00000000..5ec18e27
--- /dev/null
+++ b/whitechapel/vendor/google/file.te
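Review bot: The comment `# Allow exo app to find and bind exo camera injection hal.` names a single app, but both rules target `platform_app`, so every platform-signed app receives `hwservice_manager find` on the injection HAL and `binder_call` into it. If the exo app runs in a dedicated domain, scope the two rules to that domain instead; if it does not, reword the comment so the real audience is explicit, e.g. `# Allow platform-signed apps (including the exo app) to find and call the camera injection HAL.`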
@@ -0,0 +1,177 @@
+# Exynos Data Files
+#type vendor_data_file, file_type, data_file_type;
+type vendor_cbd_boot_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+
+# Exynos Log Files
+type vendor_log_file, file_type, data_file_type;
+type vendor_abox_log_file, file_type, data_file_type;
+type vendor_cbd_log_file, file_type, data_file_type;
+type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_dump_log_file, file_type, data_file_type;
+type vendor_rild_log_file, file_type, data_file_type;
+type vendor_sced_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
+type vendor_telephony_log_file, file_type, data_file_type;
+type vendor_vcd_log_file, file_type, data_file_type;
+
+# app data files
+type vendor_test_data_file, file_type, data_file_type;
+type vendor_telephony_data_file, file_type, data_file_type;
+type vendor_ims_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type vendor_rpmbmock_data_file, file_type, data_file_type;
+
+# Exynos debugfs
+type vendor_abox_debugfs, fs_type, debugfs_type;
+type vendor_ion_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_mali_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type;
+
+# Exynos sysfs
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats,
sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# ACPM
+type sysfs_acpm_stats, sysfs_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Sensors
+type nanohub_lock_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sensors_cal_file, file_type;
+type sysfs_nanoapp_cmd, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# IOMMU
+type sysfs_iommu, sysfs_type, fs_type;
+
+type sysfs_devicetree, sysfs_type, fs_type;
+type sysfs_mem, sysfs_type, fs_type;
+type sysfs_sscoredump_level, sysfs_type, fs_type;
+
+# WiFi
+type sysfs_wifi, sysfs_type, fs_type;
+
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# Subsystem coredump
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# Storage Health HAL
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type debugfs_f2fs, debugfs_type, fs_type;
+type proc_f2fs, proc_type, fs_type;
+
+type bootdevice_sysdev, dev_type;
+
+# ZRam
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# Touch
+type proc_touch, proc_type, fs_type, mlstrustedobject;
+type sysfs_touch, sysfs_type, fs_type;
+
+# AOC
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+
+# Audio
+type persist_audio_file, file_type , vendor_persist_type;
+type audio_vendor_data_file, file_type, data_file_type;
+type aoc_audio_file, file_type, vendor_file_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# RILD
+type rild_vendor_data_file, file_type, data_file_type;
+
+# Modem
+type modem_stat_data_file, file_type, data_file_type;
+type modem_efs_file, file_type;
+type modem_img_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+
+# Wireless
+type sysfs_wlc, sysfs_type, fs_type;
+
+# Kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
+# Camera
+type persist_camera_file, file_type;
+type vendor_camera_tuning_file, vendor_file_type, file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+
+# EdgeTPU device (DarwiNN)
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU
+type edgetpu_service_data_file, file_type, data_file_type, core_data_file_type;
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# Vendor sched files
+type sysfs_vendor_sched, sysfs_type, fs_type;
+
+# GPS
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+ typeattribute vendor_gps_file mlstrustedobject;
+')
+type sysfs_gps, sysfs_type, fs_type;
+
+# Display
+type sysfs_display, sysfs_type, fs_type;
+
+# Backlight
+type sysfs_backlight, sysfs_type, fs_type;
+
+# Charger
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# ODPM
+type odpm_config_file, file_type, data_file_type;
+type sysfs_odpm, sysfs_type, fs_type;
+
+# Chosen
+type sysfs_chosen, sysfs_type, fs_type;
+
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_spi, sysfs_type, fs_type;
+
+# subsystem-coredump
+type sscoredump_sysfs_level, sysfs_type, fs_type;
+
+# Battery
+type persist_battery_file, file_type, vendor_persist_type;
+
+# CPU
+type sysfs_cpu, sysfs_type, fs_type;
+
+# Memory
+type sysfs_memory, sysfs_type, fs_type;
+
+# bcmdhd (Broadcom FullMAC wireless cards support)
+type sysfs_bcmdhd, sysfs_type, fs_type;
diff --git a/whitechapel/vendor/google/file_contexts b/whitechapel/vendor/google/file_contexts
new file mode 100644
index 00000000..d16737ec
--- /dev/null
+++ b/whitechapel/vendor/google/file_contexts
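Review bot: `type persist_camera_file, file_type;` is the only `persist_*` type in file.te without `vendor_persist_type` — `persist_audio_file` and `persist_battery_file` carry it, as do the display and usf persist types elsewhere in this change — so any attribute-based rule or neverallow written against vendor persist files will silently miss the camera one; add the attribute, or comment why it is left out. Two near-duplicate declarations also look like the same node under two names: `type sysfs_sscoredump_level, sysfs_type, fs_type;` in the unlabeled group after `# IOMMU` and `type sscoredump_sysfs_level, sysfs_type, fs_type;` under `# subsystem-coredump`; keep one. While here, drop the commented-out `#type vendor_data_file, file_type, data_file_type;` line and fix the stray space in `type persist_audio_file, file_type , vendor_persist_type;`.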
@@ -0,0 +1,397 @@ +# +# Exynos HAL +# +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine u:object_r:hal_drm_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey u:object_r:hal_drm_clearkey_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32 u:object_r:hal_usb_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service u:object_r:hal_vendor_hwcservice_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service u:object_r:hal_power_default_exec:s0 +/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service u:object_r:hal_configstore_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs101 u:object_r:hal_usb_impl_exec:s0 +/(vendor|system/vendor)/lib(64)?/libion_exynos\.so u:object_r:same_process_hal_file:s0 + +/(vendor|system/vendor)/lib(64)?/libOpenCL\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so u:object_r:same_process_hal_file:s0 +/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so u:object_r:same_process_hal_file:s0 + +/vendor/bin/usf_stats u:object_r:vendor_usf_stats:s0 +/vendor/bin/dumpsys u:object_r:vendor_dumpsys:s0 + +# +# HALs +# +/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs101 u:object_r:hal_bootctl_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm u:object_r:hal_gnss_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm u:object_r:hal_gnss_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm u:object_r:hal_gnss_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.gs101 u:object_r:hal_dumpstate_default_exec:s0 
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101 u:object_r:hal_power_stats_default_exec:s0 +# Wireless charger HAL +/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.2-service-vendor u:object_r:hal_wlc_exec:s0 + +# Vendor Firmwares +/(vendor|system/vendor)/firmware(/.*)? u:object_r:vendor_fw_file:s0 + +# +# Exynos Block Devices +# +/dev/block/platform/14700000\.ufs/by-name/cache u:object_r:cache_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/efs_backup u:object_r:efs_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_userdata u:object_r:modem_userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/fat u:object_r:fat_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem_[ab] u:object_r:modem_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/modem u:object_r:modem_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/persist u:object_r:persist_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/system u:object_r:system_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/userdata u:object_r:userdata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vendor u:object_r:vendor_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/frp u:object_r:frp_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/misc u:object_r:misc_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/devinfo u:object_r:devinfo_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/abl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl1_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl2_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/bl31_[ab] 
u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/boot_[ab] u:object_r:boot_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dtb_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/gsa_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/metadata u:object_r:metadata_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/pbl_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/super u:object_r:super_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab] u:object_r:custom_ab_block_device:s0 +/dev/block/sda u:object_r:sda_block_device:s0 +/dev/sys/block/bootdevice(/.*)? 
u:object_r:bootdevice_sysdev:s0 + +# +# Exynos Devices +# +/dev/gnss_ipc u:object_r:vendor_gnss_device:s0 +/dev/bbd_control u:object_r:vendor_gnss_device:s0 +/dev/ttyBCM u:object_r:vendor_gnss_device:s0 +/dev/nanohub u:object_r:vendor_nanohub_device:s0 +/dev/nanohub_comms u:object_r:vendor_nanohub_device:s0 +/dev/m2m1shot_scaler0 u:object_r:vendor_m2m1shot_device:s0 +/dev/radio0 u:object_r:radio_device:s0 +/dev/dri/card0 u:object_r:graphics_device:s0 +/dev/fimg2d u:object_r:graphics_device:s0 +/dev/g2d u:object_r:graphics_device:s0 +/dev/tsmux u:object_r:video_device:s0 +/dev/repeater u:object_r:video_device:s0 +/dev/scsc_h4_0 u:object_r:radio_device:s0 +/dev/umts_boot0 u:object_r:radio_device:s0 +/dev/tui-driver u:object_r:tui_device:s0 +/dev/logbuffer_usbpd u:object_r:logbuffer_device:s0 +/dev/logbuffer_ssoc u:object_r:logbuffer_device:s0 +/dev/logbuffer_wireless u:object_r:logbuffer_device:s0 +/dev/logbuffer_ttf u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxq u:object_r:logbuffer_device:s0 +/dev/logbuffer_rtx u:object_r:logbuffer_device:s0 +/dev/logbuffer_maxfg u:object_r:logbuffer_device:s0 + +# DM tools device +/dev/umts_dm0 u:object_r:radio_device:s0 +/dev/umts_router u:object_r:radio_device:s0 + +# OEM IPC device +/dev/oem_ipc[0-7] u:object_r:radio_device:s0 + +# SIPC RIL device +/dev/umts_ipc0 u:object_r:radio_device:s0 +/dev/umts_ipc1 u:object_r:radio_device:s0 +/dev/umts_rfs0 u:object_r:radio_device:s0 +/dev/ttyGS[0-3] u:object_r:serial_device:s0 +/dev/watchdog0 u:object_r:watchdog_device:s0 + +# GPU device +/dev/mali0 u:object_r:gpu_device:s0 +/dev/s5p-smem u:object_r:vendor_secmem_device:s0 +/dev/umts_wfc[01] u:object_r:pktrouter_device:s0 + +# +# Exynos Daemon Exec +# +/(vendor|system/vendor)/bin/cbd u:object_r:cbd_exec:s0 +/(vendor|system/vendor)/bin/dmd u:object_r:dmd_exec:s0 +/(vendor|system/vendor)/bin/hw/scd u:object_r:scd_exec:s0 +/(vendor|system/vendor)/bin/hw/gpsd u:object_r:gpsd_exec:s0 +/(vendor|system/vendor)/bin/hw/lhd 
u:object_r:lhd_exec:s0 +/(vendor|system/vendor)/bin/hw/rild_exynos u:object_r:rild_exec:s0 +/(vendor|system/vendor)/bin/main_abox u:object_r:abox_exec:s0 +/(vendor|system/vendor)/bin/rfsd u:object_r:rfsd_exec:s0 +/(vendor|system/vendor)/bin/rpmbd u:object_r:rpmbd_exec:s0 +/(vendor|system/vendor)/bin/sced u:object_r:sced_exec:s0 +/(vendor|system/vendor)/bin/vcd u:object_r:vcd_exec:s0 +/(vendor|system/vendor)/bin/bipchmgr u:object_r:bipchmgr_exec:s0 + +# WFC +/(vendor|system/vendor)/bin/wfc-pkt-router u:object_r:pktrouter_exec:s0 + +# +# Exynos Data Files +# +# gnss/gps data/log files +/data/vendor/gps(/.*)? u:object_r:vendor_gps_file:s0 + +# +# Exynos Log Files +# +/data/vendor/log(/.*)? u:object_r:vendor_log_file:s0 +/data/vendor/log/abox(/.*)? u:object_r:vendor_abox_log_file:s0 +/data/vendor/log/cbd(/.*)? u:object_r:vendor_cbd_log_file:s0 +/data/vendor/log/dmd(/.*)? u:object_r:vendor_dmd_log_file:s0 +/data/vendor/log/rfsd(/.*)? u:object_r:vendor_rfsd_log_file:s0 +/data/vendor/log/dump(/.*)? u:object_r:vendor_dump_log_file:s0 +/data/vendor/log/rild(/.*)? u:object_r:vendor_rild_log_file:s0 +/data/vendor/log/sced(/.*)? u:object_r:vendor_sced_log_file:s0 +/data/vendor/log/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/slog(/.*)? u:object_r:vendor_slog_file:s0 +/data/vendor/log/vcd(/.*)? u:object_r:vendor_vcd_log_file:s0 + +/persist/sensorcal\.json u:object_r:sensors_cal_file:s0 + +# data files +/data/vendor/mediadrm(/.*)? u:object_r:mediadrm_vendor_data_file:s0 + +# Camera +/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google u:object_r:hal_camera_default_exec:s0 +/vendor/lib64/camera u:object_r:vendor_camera_tuning_file:s0 +/vendor/lib64/camera/ghawb_para_lut\.bin u:object_r:vendor_camera_tuning_file:s0 +/vendor/lib64/camera/slider_.*\.binarypb u:object_r:vendor_camera_tuning_file:s0 +/vendor/bin/rlsservice u:object_r:rlsservice_exec:s0 +/mnt/vendor/persist/camera(/.*)? u:object_r:persist_camera_file:s0 +/data/vendor/camera(/.*)? 
u:object_r:vendor_camera_data_file:s0 + +/dev/lwis-act0 u:object_r:lwis_device:s0 +/dev/lwis-act1 u:object_r:lwis_device:s0 +/dev/lwis-act-ak7377 u:object_r:lwis_device:s0 +/dev/lwis-act-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-csi u:object_r:lwis_device:s0 +/dev/lwis-dpm u:object_r:lwis_device:s0 +/dev/lwis-eeprom0 u:object_r:lwis_device:s0 +/dev/lwis-eeprom1 u:object_r:lwis_device:s0 +/dev/lwis-eeprom2 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64s u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx386 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-m24c64x-imx663 u:object_r:lwis_device:s0 +/dev/lwis-eeprom-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-flash0 u:object_r:lwis_device:s0 +/dev/lwis-flash-lm3644 u:object_r:lwis_device:s0 +/dev/lwis-g3aa u:object_r:lwis_device:s0 +/dev/lwis-gdc0 u:object_r:lwis_device:s0 +/dev/lwis-gdc1 u:object_r:lwis_device:s0 +/dev/lwis-gtnr-align u:object_r:lwis_device:s0 +/dev/lwis-gtnr-merge u:object_r:lwis_device:s0 +/dev/lwis-ipp u:object_r:lwis_device:s0 +/dev/lwis-itp u:object_r:lwis_device:s0 +/dev/lwis-mcsc u:object_r:lwis_device:s0 +/dev/lwis-ois-lc898128 u:object_r:lwis_device:s0 +/dev/lwis-ois-sem1215sa u:object_r:lwis_device:s0 +/dev/lwis-pdp u:object_r:lwis_device:s0 +/dev/lwis-scsc u:object_r:lwis_device:s0 +/dev/lwis-sensor0 u:object_r:lwis_device:s0 +/dev/lwis-sensor1 u:object_r:lwis_device:s0 +/dev/lwis-sensor2 u:object_r:lwis_device:s0 +/dev/lwis-sensor-gn1 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx355 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx386 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx586 u:object_r:lwis_device:s0 +/dev/lwis-sensor-imx663 u:object_r:lwis_device:s0 +/dev/lwis-slc u:object_r:lwis_device:s0 +/dev/lwis-top u:object_r:lwis_device:s0 +/dev/lwis-votf u:object_r:lwis_device:s0 + +# VIDEO +/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service 
u:object_r:mediacodec_exec:s0 +/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service u:object_r:mediacodec_exec:s0 +/data/vendor/media(/.*)? u:object_r:vendor_media_data_file:s0 + +# thermal sysfs files +/sys/class/thermal(/.*)? u:object_r:sysfs_thermal:s0 +/sys/devices/virtual/thermal(/.*)? u:object_r:sysfs_thermal:s0 + + +# IMS VoWiFi +/data/vendor/misc(/.*)? u:object_r:vendor_misc_data_file:s0 +/data/vendor/VoWiFi(/.*)? u:object_r:vendor_ims_data_file:s0 + +# Sensors +/data/vendor/sensor(/.*)? u:object_r:sensor_vendor_data_file:s0 +/dev/acd-com.google.usf u:object_r:aoc_device:s0 +/dev/acd-logging u:object_r:aoc_device:s0 +/dev/aoc u:object_r:aoc_device:s0 + +# Contexthub +/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.small_fragments u:object_r:hal_contexthub_default_exec:s0 +/(vendor|system/vendor)/bin/chre u:object_r:chre_exec:s0 +/dev/socket/chre u:object_r:chre_socket:s0 + +# Modem logging +/vendor/bin/modem_logging_control u:object_r:modem_logging_control_exec:s0 + +# Audio logging +/vendor/bin/aocdump u:object_r:aocdump_exec:s0 + +# modem_svc_sit files +/vendor/bin/modem_svc_sit u:object_r:modem_svc_sit_exec:s0 +/data/vendor/modem_stat/debug\.txt u:object_r:modem_stat_data_file:s0 + +# modem mnt files +/mnt/vendor/efs(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/efs_backup(/.*)? u:object_r:modem_efs_file:s0 +/mnt/vendor/modem_img(/.*)? u:object_r:modem_img_file:s0 +/mnt/vendor/modem_userdata(/.*)? u:object_r:modem_userdata_file:s0 + +# Subsystem coredump +/vendor/bin/sscoredump u:object_r:sscoredump_exec:s0 +/data/vendor/ssrdump(/.*)? u:object_r:sscoredump_vendor_data_crashinfo_file:s0 +/data/vendor/ssrdump/coredump(/.*)? 
u:object_r:sscoredump_vendor_data_coredump_file:s0 +/dev/sscd_.* u:object_r:sscoredump_device:s0 + +# Kernel modules related +/vendor/bin/init\.insmod\.sh u:object_r:init-insmod-sh_exec:s0 + +# NFC +/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st u:object_r:hal_nfc_default_exec:s0 +/dev/st21nfc u:object_r:nfc_device:s0 +/data/nfc(/.*)? u:object_r:nfc_data_file:s0 + +# SecureElement +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st u:object_r:hal_secure_element_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto u:object_r:hal_secure_element_default_exec:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2 u:object_r:hal_secure_element_default_exec:s0 +/dev/st54j_se u:object_r:secure_element_device:s0 +/dev/st54spi u:object_r:secure_element_device:s0 +/dev/st33spi u:object_r:secure_element_device:s0 +/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service u:object_r:hal_secure_element_default_exec:s0 + +# Bluetooth +/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux u:object_r:hal_bluetooth_btlinux_exec:s0 +/dev/wbrc u:object_r:wb_coexistence_dev:s0 +/dev/ttySAC16 u:object_r:hci_attach_dev:s0 + +# Audio +/mnt/vendor/persist/audio(/.*)? u:object_r:persist_audio_file:s0 +/data/vendor/audio(/.*)? u:object_r:audio_vendor_data_file:s0 +/vendor/etc/aoc(/.*)? 
u:object_r:aoc_audio_file:s0 +/dev/acd-audio_output_tuning u:object_r:aoc_device:s0 +/dev/acd-audio_bulk_tx u:object_r:aoc_device:s0 +/dev/acd-audio_bulk_rx u:object_r:aoc_device:s0 +/dev/acd-audio_input_tuning u:object_r:aoc_device:s0 +/dev/acd-audio_input_bulk_tx u:object_r:aoc_device:s0 +/dev/acd-audio_input_bulk_rx u:object_r:aoc_device:s0 +/dev/acd-sound_trigger u:object_r:aoc_device:s0 +/dev/acd-hotword_notification u:object_r:aoc_device:s0 +/dev/acd-hotword_pcm u:object_r:aoc_device:s0 +/dev/acd-ambient_pcm u:object_r:aoc_device:s0 +/dev/acd-model_data u:object_r:aoc_device:s0 +/dev/acd-debug u:object_r:aoc_device:s0 +/dev/acd-audio_tap[0-9]* u:object_r:aoc_device:s0 + +# Trusty +/vendor/bin/securedpud.slider u:object_r:securedpud_slider_exec:s0 +/vendor/bin/storageproxyd u:object_r:tee_exec:s0 +/vendor/bin/trusty_apploader u:object_r:trusty_apploader_exec:s0 +/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty u:object_r:hal_gatekeeper_default_exec:s0 +/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty u:object_r:hal_keymaster_default_exec:s0 +/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor u:object_r:hal_confirmationui_default_exec:s0 +/dev/trusty-ipc-dev0 u:object_r:tee_device:s0 +/data/vendor/ss(/.*)? u:object_r:tee_data_file:s0 +/mnt/vendor/persist/data/ss(/.*)? u:object_r:tee_data_file:s0 +/dev/sg1 u:object_r:sg_device:s0 + +# Battery +/mnt/vendor/persist/battery(/.*)? u:object_r:persist_battery_file:s0 + +# AoC file contexts. +/vendor/bin/aocd u:object_r:aocd_exec:s0 + +# NeuralNetworks file contexts +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-armnn u:object_r:hal_neuralnetworks_armnn_exec:s0 +/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0 + +# GRIL +/vendor/bin/hw/vendor\.google\.radioext@1\.0-service u:object_r:hal_radioext_default_exec:s0 + +# Radio files. +/data/vendor/radio(/.*)? 
u:object_r:radio_vendor_data_file:s0 + +# RILD files +/data/vendor/rild(/.*)? u:object_r:rild_vendor_data_file:s0 + +# Citadel StrongBox +/dev/gsc0 u:object_r:citadel_device:s0 + +# EdgeTPU device (DarwiNN) +/dev/abrolhos u:object_r:edgetpu_device:s0 +/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0 +/system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0 +/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0 +/data/vendor/hal_neuralnetworks_darwinn(/.*)? u:object_r:hal_neuralnetworks_darwinn_data_file:s0 + +# EdgeTPU data file +/data/edgetpu(/.*)? u:object_r:edgetpu_service_data_file:s0 + +# Tetheroffload Service +/dev/dit2 u:object_r:vendor_toe_device:s0 +/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service u:object_r:hal_tetheroffload_default_exec:s0 + +# pixelstats binary +/vendor/bin/pixelstats-vendor u:object_r:pixelstats_vendor_exec:s0 + +# Vendor_kernel_modules +/vendor/lib/modules/.*\.ko u:object_r:vendor_kernel_modules:s0 + +# Display +/vendor/lib(64)?/libion_google\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/libdrm\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/gralloc\.gs101\.so u:object_r:same_process_hal_file:s0 +/vendor/lib(64)?/hw/vulkan\.gs101\.so u:object_r:same_process_hal_file:s0 + +# Fingerprint +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix u:object_r:hal_fingerprint_default_exec:s0 +/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc u:object_r:hal_fingerprint_default_exec:s0 + +# ECC List +/vendor/bin/init\.radio\.sh u:object_r:init_radio_exec:s0 + +# Zram +/data/per_boot(/.*)? u:object_r:per_boot_file:s0 + +# cpuctl +/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0 + +# ODPM +/data/vendor/powerstats(/.*)? 
u:object_r:odpm_config_file:s0
+
+# sensor direct DMA-BUF heap
+/dev/dma_heap/sensor_direct_heap u:object_r:sensor_direct_heap_device:s0
+
+# Console
+/dev/ttySAC0 u:object_r:tty_device:s0
+
+# faceauth DMA-BUF heaps
+/dev/dma_heap/faceauth_tpu-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure u:object_r:faceauth_heap_device:s0
+
+# vframe-secure DMA-BUF heap
+/dev/dma_heap/vframe-secure u:object_r:vframe_heap_device:s0
+
+# vscaler-secure DMA-BUF heap
+/dev/dma_heap/vscaler-secure u:object_r:vscaler_heap_device:s0
diff --git a/whitechapel/vendor/google/fsck.te b/whitechapel/vendor/google/fsck.te
new file mode 100644
index 00000000..d29555b3
--- /dev/null
+++ b/whitechapel/vendor/google/fsck.te
@@ -0,0 +1,3 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
diff --git a/whitechapel/vendor/google/genfs_contexts b/whitechapel/vendor/google/genfs_contexts
new file mode 100644
index 00000000..b98a7494
--- /dev/null
+++ b/whitechapel/vendor/google/genfs_contexts
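Review bot: Two entries in this vendor file_contexts label paths outside `/data/vendor`: `/data/nfc(/.*)?` (nfc_data_file) and `/data/edgetpu(/.*)?` (edgetpu_service_data_file). `/data/nfc` appears to already carry nfc_data_file in the platform file_contexts, so that line looks redundant and is worth dropping so vendor policy does not restate platform labels; confirm against the platform file before removing it. The EdgeTPU entry backs a `/system_ext` binary (labelled edgetpu_server_exec a few lines earlier) and its type carries core_data_file_type in file.te, so it is a deliberate platform-side path rather than a Treble violation, and a comment saying so would spare the next reader the scare, e.g. `# Platform-side (system_ext) EdgeTPU server state; type carries core_data_file_type, not a vendor data path`.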
@@ -0,0 +1,178 @@ +# AOC +genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0 +genfscon sysfs /devices/platform/19000000.aoc/firmware u:object_r:sysfs_aoc_firmware:s0 +genfscon sysfs /devices/platform/19000000.aoc u:object_r:sysfs_aoc:s0 + +# WiFi +genfscon sysfs /wifi u:object_r:sysfs_wifi:s0 +# Battery +genfscon sysfs /devices/platform/google,battery/power_supply/battery u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply u:object_r:sysfs_batteryinfo:s0 + +# Slider +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050 u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +# Whitefin +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050 u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply u:object_r:sysfs_batteryinfo:s0 +# R4 / P7 LunchBox +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025 u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +# O6 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025 u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c u:object_r:sysfs_wlc:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon 
sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply u:object_r:sysfs_batteryinfo:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply u:object_r:sysfs_batteryinfo:s0 + +# Storage +genfscon debugfs /f2fs u:object_r:debugfs_f2fs:s0 +genfscon proc /fs/f2fs u:object_r:proc_f2fs:s0 +genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/manual_gc u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/io_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/req_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/err_stats u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/device_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/health_descriptor u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0: u:object_r:sysfs_scsi_devices_0000:s0 +genfscon sysfs /devices/platform/14700000.ufs/ufs_stats u:object_r:sysfs_scsi_devices_0000:s0 + +# Vibrator +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a u:object_r:sysfs_vibrator:s0 
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043 u:object_r:sysfs_vibrator:s0 + +# System_suspend +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/cpif/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup u:object_r:sysfs_wakeup:s0 + +# Touch +genfscon sysfs /class/spi_master/spi11/spi11.0 u:object_r:sysfs_touch:s0 +genfscon proc /fts/driver_test u:object_r:proc_touch:s0 +genfscon sysfs /devices/virtual/sec/tsp u:object_r:sysfs_touch:s0 + +# EdgeTPU +genfscon sysfs /class/edgetpu u:object_r:sysfs_edgetpu:s0 + +# Vendor sched files +genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap u:object_r:sysfs_vendor_sched:s0 +genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable u:object_r:sysfs_vendor_sched:s0 + +# GPS +genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby u:object_r:sysfs_gps:s0 + +# Display +genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 +genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma u:object_r:sysfs_display:s0 + +# Modem +genfscon sysfs /devices/platform/cp-tm1/cp_temp u:object_r:sysfs_modem:s0 + +# Bluetooth +genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state u:object_r:sysfs_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/lpm u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwrite u:object_r:proc_bluetooth_writable:s0 +genfscon proc /bluetooth/sleep/btwake u:object_r:proc_bluetooth_writable:s0 + +# ODPM +genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0 +genfscon sysfs 
/devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0 + +# Chosen +genfscon sysfs /firmware/devicetree/base/chosen u:object_r:sysfs_chosen:s0 + +genfscon sysfs /devices/system/chip-id/ap_hw_tune_str u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/evt_ver u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/lot_id u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/product_id u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/revision u:object_r:sysfs_chip_id:s0 +genfscon sysfs /devices/system/chip-id/raw_str u:object_r:sysfs_chip_id:s0 + +# system_suspend wakeup nodes +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup u:object_r:sysfs_wakeup:s0 +genfscon sysfs 
/devices/platform/odm/odm:btbcm/wakeup/wakeup u:object_r:sysfs_wakeup:s0 + +# subsystem-coredump +genfscon sysfs /class/sscoredump/level u:object_r:sscoredump_sysfs_level:s0 + +# ACPM +genfscon sysfs /devices/platform/1742048c.acpm_stats u:object_r:sysfs_acpm_stats:s0 + +genfscon sysfs /devices/platform/10d40000.spi/spi_master u:object_r:sysfs_spi:s0 + +# Exynos +genfscon sysfs /devices/platform/exynos-bts u:object_r:sysfs_exynos_bts:s0 +genfscon sysfs /devices/platform/exynos-bts/bts_stats u:object_r:sysfs_exynos_bts_stats:s0 + +# CPU +genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/1c500000.mali/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state u:object_r:sysfs_cpu:s0 +genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state u:object_r:sysfs_cpu:s0 + +# nvmem (Non Volatile Memory layer) +genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem u:object_r:sysfs_memory:s0 + +# Broadcom +genfscon sysfs /module/bcmdhd4389 u:object_r:sysfs_bcmdhd:s0 + +# debugfs + +genfscon debugfs /maxfg u:object_r:vendor_maxfg_debugfs:s0 +genfscon 
debugfs /dma_buf/bufinfo u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /dri/0/crtc- u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /ion u:object_r:vendor_ion_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery u:object_r:vendor_battery_debugfs:s0
diff --git a/whitechapel/vendor/google/gpsd.te b/whitechapel/vendor/google/gpsd.te
new file mode 100644
index 00000000..64591cba
--- /dev/null
+++ b/whitechapel/vendor/google/gpsd.te
@@ -0,0 +1,25 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute gpsd mlstrustedsubject;
+ allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/grilservice_app.te b/whitechapel/vendor/google/grilservice_app.te
new file mode 100644
index 00000000..9eb8b8e0
--- /dev/null
+++ b/whitechapel/vendor/google/grilservice_app.te
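Review bot: The wakeup entry `genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup u:object_r:sysfs_wakeup:s0` carries a `/sys/` prefix, but genfscon paths are relative to the sysfs mount point, so this line can never match and should be deleted; the line directly after it is the correct un-prefixed form of the same node. Separately, `genfscon proc /sys/vm/swappiness u:object_r:proc_dirty:s0` reuses the platform type meant for the dirty_* writeback tunables, so every domain already allowed to write proc_dirty silently gains write on swappiness as well; a dedicated type declared in file.te would keep that grant narrow, though whether any such domain exists on this device is not visible from the hunk. The `/devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:` entry also looks truncated (a SCSI address is `h:c:t:l`); genfscon is a prefix match so it still labels the intended subtree, but it is worth confirming the trailing colon is deliberate.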
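Review bot: `binder_call(gpsd, rild);` and `binder_call(gpsd, system_server);` carry trailing semicolons while `init_daemon_domain(gpsd)` and `wakelock_use(gpsd)` in the same file do not; the m4 macros already expand to terminated statements, so the extra `;` is a stray token that checkpolicy evidently tolerates but that reads as inconsistent, and grilservice_app.te in this change writes the same macro without it. The comment over the last block also undersells the grant: binder_call gives gpsd call/transfer and fd use against the system_server domain itself, not only the sensor hwservice, so I would extend it to `# The sensor HIDL service is hosted in system_server, so this vendor daemon needs binder call/transfer to that domain`, which stops a later reader from reading it as an accidental vendor-to-framework binder grant. Whether the Treble binder neverallows in core policy admit this for a plain vendor domain cannot be checked from the hunk; confirm the neverallow check passes on a full-Treble build.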
@@ -0,0 +1,8 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app app_api_service:service_manager find;
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)
diff --git a/whitechapel/vendor/google/hal_audio_default.te b/whitechapel/vendor/google/hal_audio_default.te
new file mode 100644
index 00000000..079d6bdf
--- /dev/null
+++ b/whitechapel/vendor/google/hal_audio_default.te
@@ -0,0 +1,22 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+userdebug_or_eng(`
+ allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+ allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')
diff --git a/whitechapel/vendor/google/hal_bluetooth_btlinux.te b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
new file mode 100644
index 00000000..4e61c620
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bluetooth_btlinux.te
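Review bot: `allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };` registers the hwservice with a raw allow instead of the `add_hwservice` macro that the hal_bluetooth_btlinux, hal_radioext_default and hal_wlc hunks use. The macro also emits `neverallow { domain -hal_audio_default } hal_audio_ext_hwservice:hwservice_manager add;`, which is what guarantees no other domain can ever register an IAudioExt under that name; the raw rule gives the same permission without that guarantee. Replace the line with `add_hwservice(hal_audio_default, hal_audio_ext_hwservice)`.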
@@ -0,0 +1,19 @@
+add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);
+
+allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
+
+# power stats
+vndbinder_use(hal_bluetooth_btlinux)
+allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
+
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
diff --git a/whitechapel/vendor/google/hal_bootctl_default.te b/whitechapel/vendor/google/hal_bootctl_default.te
new file mode 100644
index 00000000..63741aed
--- /dev/null
+++ b/whitechapel/vendor/google/hal_bootctl_default.te
@@ -0,0 +1 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_camera_default.te b/whitechapel/vendor/google/hal_camera_default.te
new file mode 100644
index 00000000..0de87854
--- /dev/null
+++ b/whitechapel/vendor/google/hal_camera_default.te
@@ -0,0 +1,36 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir search;
+allow hal_camera_default persist_camera_file:file r_file_perms;
+
+get_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# grant access to hal_graphics_composer
+hal_client_domain(hal_camera_default, hal_graphics_composer)
diff --git a/whitechapel/vendor/google/hal_confirmationui.te b/whitechapel/vendor/google/hal_confirmationui.te
new file mode 100644
index 00000000..a8f4ae8c
--- /dev/null
+++ b/whitechapel/vendor/google/hal_confirmationui.te
@@ -0,0 +1,13 @@
+allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
+
+binder_call(hal_confirmationui_default, keystore)
+
+vndbinder_use(hal_confirmationui_default)
+binder_call(hal_confirmationui_default, citadeld)
+allow hal_confirmationui_default citadeld_service:service_manager find;
+
+allow hal_confirmationui_default input_device:chr_file rw_file_perms;
+allow hal_confirmationui_default input_device:dir r_dir_perms;
+
+allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_confirmationui_default ion_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_contexthub.te b/whitechapel/vendor/google/hal_contexthub.te
new file mode 100644
index 00000000..ba776c89
--- /dev/null
+++ b/whitechapel/vendor/google/hal_contexthub.te
@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/hal_drm_clearkey.te b/whitechapel/vendor/google/hal_drm_clearkey.te
new file mode 100644
index 00000000..0e0a5c24
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_clearkey.te
@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)
diff --git a/whitechapel/vendor/google/hal_drm_default.te b/whitechapel/vendor/google/hal_drm_default.te
new file mode 100644
index 00000000..30e443a8
--- /dev/null
+++ b/whitechapel/vendor/google/hal_drm_default.te
@@ -0,0 +1,6 @@
+# L3
+allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms;
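Review bot: The comments `# L3` and `# L1` in hal_drm_default.te say nothing to a reader who does not already know the DRM plugin; presumably they name content-protection security levels, but the file should say so rather than leave it to be guessed. Something like `# L3 (software key handling): persistent plugin state under mediadrm_vendor_data_file` and `# L1 (secure buffers): needs the system dmabuf heap — TODO confirm` would make the two grants reviewable. The hal_confirmationui hunk on this line grants both `dmabuf_system_heap_device` and `ion_device`; if the ion path is only kept for an older kernel, a comment saying which one is current would help remove it later.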
diff --git a/whitechapel/vendor/google/hal_dumpstate_default.te b/whitechapel/vendor/google/hal_dumpstate_default.te
new file mode 100644
index 00000000..d590a06d
--- /dev/null
+++ b/whitechapel/vendor/google/hal_dumpstate_default.te
@@ -0,0 +1,142 @@
+allow hal_dumpstate_default sysfs_exynos_bts:dir search;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_bcmdhd:dir search;
+allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_memory:file r_file_perms;
+allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
+
+vndbinder_use(hal_dumpstate_default)
+
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_spi:dir search;
+allow hal_dumpstate_default sysfs_spi:file rw_file_perms;
+
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_wifi:dir search;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow
hal_dumpstate_default sysfs_thermal:file r_file_perms;
+allow hal_dumpstate_default sysfs_thermal:lnk_file read;
+
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+
+allow hal_dumpstate_default block_device:dir r_dir_perms;
+
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_batteryinfo:dir search;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default mnt_vendor_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+ allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+')
+
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+get_prop(hal_dumpstate_default, vendor_persist_sys_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+
+userdebug_or_eng(`
+ allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+ allow hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+ allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_usb_debugfs:dir
r_dir_perms;
+ allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+ allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+ allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+ allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+')
+
+dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_gnss_default.te b/whitechapel/vendor/google/hal_gnss_default.te
new file mode 100644
index 00000000..e3004237
--- /dev/null
+++ b/whitechapel/vendor/google/hal_gnss_default.te
@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_allocator_default.te b/whitechapel/vendor/google/hal_graphics_allocator_default.te
new file mode 100644
index 00000000..63a7dcfb
--- /dev/null
+++ b/whitechapel/vendor/google/hal_graphics_allocator_default.te
@@ -0,0 +1,4 @@
+allow hal_graphics_allocator_default sensor_direct_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default faceauth_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vframe_heap_device:chr_file r_file_perms;
+allow hal_graphics_allocator_default vscaler_heap_device:chr_file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_graphics_composer_default.te b/whitechapel/vendor/google/hal_graphics_composer_default.te
new file mode 100644
index 00000000..f1d97149
--- /dev/null
+++ b/whitechapel/vendor/google/hal_graphics_composer_default.te
@@ -0,0 +1,5 @@
+allow hal_graphics_composer_default sysfs_display:dir search;
+allow hal_graphics_composer_default sysfs_display:file rw_file_perms;
+
+# allow HWC to access power hal
+binder_call(hal_graphics_composer_default, hal_power_default);
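Review bot: hal_dumpstate_default is a bug-report collector, yet this hunk grants it write access in several places with no comment: `sysfs_spi:file rw_file_perms`, `aoc_device:chr_file rw_file_perms`, `proc_touch:file rw_file_perms`, and `radio_vendor_data_file:{dir,file} create_*_perms`. Each of these should either be narrowed to the read form or carry a line naming the node and the dump it triggers, e.g. `# write is required to trigger the <node> dump (TODO: name the node)`, so the broader grant stays auditable. The `vendor_toolbox_exec` / `vendor_shell_exec` `execute_no_trans` rules mean helper scripts run inside the dumpstate domain itself; a comment listing which scripts are expected would let a reviewer check that nothing else needs these writes. The user-build `dontaudit` block mirrors the userdebug `allow` block correctly, which is the right pattern for debugfs.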
diff --git a/whitechapel/vendor/google/hal_health_default.te b/whitechapel/vendor/google/hal_health_default.te
new file mode 100644
index 00000000..4bc85f26
--- /dev/null
+++ b/whitechapel/vendor/google/hal_health_default.te
@@ -0,0 +1,7 @@
+allow hal_health_default mnt_vendor_file:dir search;
+allow hal_health_default persist_file:dir search;
+allow hal_health_default persist_battery_file:file create_file_perms;
+allow hal_health_default persist_battery_file:dir rw_dir_perms;
+
+set_prop(hal_health_default, vendor_battery_defender_prop)
+r_dir_file(hal_health_default, sysfs_scsi_devices_0000)
diff --git a/whitechapel/vendor/google/hal_health_storage_default.te b/whitechapel/vendor/google/hal_health_storage_default.te
new file mode 100644
index 00000000..2aa0881e
--- /dev/null
+++ b/whitechapel/vendor/google/hal_health_storage_default.te
@@ -0,0 +1,3 @@
+# Access to /sys/devices/platform/14700000.ufs/*
+allow hal_health_storage_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_health_storage_default sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_armnn.te b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te
new file mode 100644
index 00000000..f81d617b
--- /dev/null
+++ b/whitechapel/vendor/google/hal_neuralnetworks_armnn.te
@@ -0,0 +1,4 @@
+type hal_neuralnetworks_armnn, domain;
+type hal_neuralnetworks_armnn_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_neuralnetworks_armnn)
+
diff --git a/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
new file mode 100644
index 00000000..9329a878
--- /dev/null
+++ b/whitechapel/vendor/google/hal_neuralnetworks_darwinn.te
@@ -0,0 +1,20 @@
+type hal_neuralnetworks_darwinn, domain;
+hal_server_domain(hal_neuralnetworks_darwinn, hal_neuralnetworks)
+
+type hal_neuralnetworks_darwinn_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_neuralnetworks_darwinn)
+
+# The TPU HAL looks for TPU instance in /dev/abrolhos
+allow hal_neuralnetworks_darwinn edgetpu_device:chr_file rw_file_perms;
+
+# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.
+allow hal_neuralnetworks_darwinn vendor_configs_file:file r_file_perms;
+
+# Allow DarwiNN service to access data files.
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:file create_file_perms;
+allow hal_neuralnetworks_darwinn hal_neuralnetworks_darwinn_data_file:dir rw_dir_perms;
+
+# Register to hwbinder service
+add_hwservice(hal_neuralnetworks_darwinn, hal_neuralnetworks_hwservice)
+hwbinder_use(hal_neuralnetworks_darwinn)
+get_prop(hal_neuralnetworks_darwinn, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/hal_nfc_default.te b/whitechapel/vendor/google/hal_nfc_default.te
new file mode 100644
index 00000000..f98e78c6
--- /dev/null
+++ b/whitechapel/vendor/google/hal_nfc_default.te
@@ -0,0 +1,9 @@
+# NFC property
+set_prop(hal_nfc_default, vendor_nfc_prop)
+
+# SecureElement property
+set_prop(hal_nfc_default, vendor_secure_element_prop)
+
+# Modem property
+set_prop(hal_nfc_default, vendor_modem_prop)
+
diff --git a/whitechapel/vendor/google/hal_power_default.te b/whitechapel/vendor/google/hal_power_default.te
new file mode 100644
index 00000000..c5aa154a
--- /dev/null
+++ b/whitechapel/vendor/google/hal_power_default.te
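Review bot: The comment `# Allow DawriNN service to use a client-provided fd residing in /vendor/etc/.` misspells the service (the next comment has `DarwiNN`) and, more importantly, does not match the rule under it: `r_file_perms` includes `open`, so the HAL may open any vendor_configs_file itself rather than only use a descriptor a client handed over. If the file is always received as an fd, `allow hal_neuralnetworks_darwinn vendor_configs_file:file { read getattr };` is the grant the comment describes; if the HAL does open files under /vendor/etc on its own, the comment should say which ones and why. The `# The TPU HAL looks for TPU instance in /dev/abrolhos` comment is the kind of node-naming note the other device grants in this diff would benefit from.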
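Review bot: `set_prop(hal_nfc_default, vendor_modem_prop)` gives the NFC HAL write access to modem properties, and its comment `# Modem property` only restates the rule; the hal_secure_element_default hunk later in this diff grants the same three set_prop rules, also without a reason. A property write from a domain outside the owning subsystem is exactly the grant that gets copied forward unexamined, so the comment should name the property and the purpose, e.g. `# Modem property: NFC HAL sets <property> to <reason> (TODO confirm)`. If only one of the modem properties is written, consider a dedicated property context rather than all of vendor_modem_prop.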
@@ -0,0 +1,8 @@
+allow hal_power_default sysfs_scsi_devices_0000:file rw_file_perms;
+allow hal_power_default sysfs_fs_f2fs:dir r_dir_perms;
+allow hal_power_default sysfs_fs_f2fs:file rw_file_perms;
+allow hal_power_default sysfs_vendor_sched:file rw_file_perms;
+allow hal_power_default cpuctl_device:file rw_file_perms;
+set_prop(hal_power_default, vendor_camera_prop)
+set_prop(hal_power_default, vendor_camera_debug_prop)
+set_prop(hal_power_default, vendor_camera_fatp_prop)
diff --git a/whitechapel/vendor/google/hal_power_stats_default.te b/whitechapel/vendor/google/hal_power_stats_default.te
new file mode 100644
index 00000000..8ffff074
--- /dev/null
+++ b/whitechapel/vendor/google/hal_power_stats_default.te
@@ -0,0 +1,9 @@
+allow hal_power_stats_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_power_stats_default sysfs_scsi_devices_0000:file r_file_perms;
+
+# getStats AIDL callback to each power entry
+binder_call(hal_power_stats_default, hal_bluetooth_btlinux)
+
+allow hal_power_stats_default odpm_config_file:dir search;
+allow hal_power_stats_default odpm_config_file:file r_file_perms;
+allow hal_power_stats_default sysfs_odpm:file rw_file_perms;
diff --git a/whitechapel/vendor/google/hal_radioext_default.te b/whitechapel/vendor/google/hal_radioext_default.te
new file mode 100644
index 00000000..666d8db4
--- /dev/null
+++ b/whitechapel/vendor/google/hal_radioext_default.te
@@ -0,0 +1,12 @@
+type hal_radioext_default, domain;
+type hal_radioext_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_radioext_default)
+
+hwbinder_use(hal_radioext_default)
+get_prop(hal_radioext_default, hwservicemanager_prop)
+add_hwservice(hal_radioext_default, hal_radioext_hwservice)
+
+binder_call(hal_radioext_default, grilservice_app)
+
+# RW /dev/oem_ipc0
+allow hal_radioext_default radio_device:chr_file rw_file_perms;
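Review bot: `set_prop(hal_power_default, vendor_camera_prop)`, `vendor_camera_debug_prop` and `vendor_camera_fatp_prop` make the power HAL a writer of properties that the hal_camera_default hunk only reads via get_prop, and none of the three carries a comment. A writer outside the owning subsystem should be documented, e.g. `# The power HAL publishes camera-related state through vendor_camera_* props (TODO confirm which)`; if only one of the three is actually set, drop the others. The rw grants on sysfs_fs_f2fs, sysfs_vendor_sched and cpuctl_device are what a power HAL needs, but `sysfs_scsi_devices_0000:file rw_file_perms` overlaps the hal_health_storage_default grant and would benefit from a comment naming the node, as that file does.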
diff --git a/whitechapel/vendor/google/hal_secure_element_default.te b/whitechapel/vendor/google/hal_secure_element_default.te
new file mode 100644
index 00000000..dc048746
--- /dev/null
+++ b/whitechapel/vendor/google/hal_secure_element_default.te
@@ -0,0 +1,10 @@
+allow hal_secure_element_default secure_element_device:chr_file rw_file_perms;
+allow hal_secure_element_default nfc_device:chr_file rw_file_perms;
+set_prop(hal_secure_element_default, vendor_secure_element_prop)
+set_prop(hal_secure_element_default, vendor_nfc_prop)
+set_prop(hal_secure_element_default, vendor_modem_prop)
+
+# Allow hal_secure_element_default to access rild
+binder_call(hal_secure_element_default, rild);
+allow hal_secure_element_default hal_exynos_rild_hwservice:hwservice_manager find;
+
diff --git a/whitechapel/vendor/google/hal_sensors_default.te b/whitechapel/vendor/google/hal_sensors_default.te
new file mode 100644
index 00000000..64620ba3
--- /dev/null
+++ b/whitechapel/vendor/google/hal_sensors_default.te
@@ -0,0 +1,19 @@
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow access to the leds driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access to the stats service.
+allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
diff --git a/whitechapel/vendor/google/hal_tetheroffload_default.te b/whitechapel/vendor/google/hal_tetheroffload_default.te
new file mode 100644
index 00000000..00ae3214
--- /dev/null
+++ b/whitechapel/vendor/google/hal_tetheroffload_default.te
@@ -0,0 +1,17 @@
+# associate netdomain to use for accessing internet sockets
+net_domain(hal_tetheroffload_default)
+
+# Allow operations with TOE device
+allow hal_tetheroffload_default vendor_toe_device:chr_file rw_file_perms;
+
+# Allow NETLINK and socket
+allow hal_tetheroffload_default self:{
+ netlink_socket
+ netlink_generic_socket
+ unix_dgram_socket
+} create_socket_perms_no_ioctl;
+
+# Register to hwbinder service
+add_hwservice(hal_tetheroffload_default, hal_tetheroffload_hwservice)
+hwbinder_use(hal_tetheroffload_default)
+get_prop(hal_tetheroffload_default, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/hal_thermal_default.te b/whitechapel/vendor/google/hal_thermal_default.te
new file mode 100644
index 00000000..66c3af87
--- /dev/null
+++ b/whitechapel/vendor/google/hal_thermal_default.te
@@ -0,0 +1 @@
+allow hal_thermal_default self:netlink_generic_socket create_socket_perms_no_ioctl;
diff --git a/whitechapel/vendor/google/hal_usb_impl.te b/whitechapel/vendor/google/hal_usb_impl.te
new file mode 100644
index 00000000..c95035ca
--- /dev/null
+++ b/whitechapel/vendor/google/hal_usb_impl.te
@@ -0,0 +1,12 @@
+type hal_usb_impl, domain;
+hal_server_domain(hal_usb_impl, hal_usb)
+hal_server_domain(hal_usb_impl, hal_usb_gadget)
+
+type hal_usb_impl_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_usb_impl)
+
+allow hal_usb_impl functionfs:dir { watch watch_reads };
+set_prop(hal_usb_impl, vendor_usb_config_prop)
+
+allow hal_usb_impl sysfs_batteryinfo:dir search;
+allow hal_usb_impl sysfs_batteryinfo:file r_file_perms;
diff --git a/whitechapel/vendor/google/hal_vendor_hwcservice_default.te b/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
new file mode 100644
index 00000000..0cd13b33
--- /dev/null
+++ b/whitechapel/vendor/google/hal_vendor_hwcservice_default.te
@@ -0,0 +1,4 @@
+type hal_vendor_hwcservice_default, domain;
+type hal_vendor_hwcservice_default_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_vendor_hwcservice_default)
+
diff --git a/whitechapel/vendor/google/hal_wlc.te b/whitechapel/vendor/google/hal_wlc.te
new file mode 100644
index 00000000..891853c9
--- /dev/null
+++ b/whitechapel/vendor/google/hal_wlc.te
@@ -0,0 +1,16 @@
+type hal_wlc, domain;
+type hal_wlc_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(hal_wlc)
+hwbinder_use(hal_wlc)
+add_hwservice(hal_wlc, hal_wlc_hwservice)
+get_prop(hal_wlc, hwservicemanager_prop)
+
+r_dir_file(hal_wlc, sysfs_batteryinfo)
+allow hal_wlc sysfs_wlc:dir r_dir_perms;
+allow hal_wlc sysfs_wlc:file rw_file_perms;
+
+allow hal_wlc self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+
+binder_call(hal_wlc, platform_app)
+binder_call(hal_wlc, system_app)
\ No newline at end of file
diff --git a/whitechapel/vendor/google/hardware_info_app.te b/whitechapel/vendor/google/hardware_info_app.te
new file mode 100644
index 00000000..b8774183
--- /dev/null
+++ b/whitechapel/vendor/google/hardware_info_app.te
@@ -0,0 +1,5 @@
+type hardware_info_app, domain;
+
+app_domain(hardware_info_app)
+
+allow hardware_info_app app_api_service:service_manager find;
diff --git a/whitechapel/vendor/google/hbmsvmanager_app.te b/whitechapel/vendor/google/hbmsvmanager_app.te
new file mode 100644
index 00000000..534f6c82
--- /dev/null
+++ b/whitechapel/vendor/google/hbmsvmanager_app.te
@@ -0,0 +1,11 @@
+type hbmsvmanager_app, domain, coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app hal_pixel_display_service:service_manager find;
+binder_call(hbmsvmanager_app, hal_graphics_composer_default)
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
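Review bot: `binder_call(hal_wlc, platform_app)` and `binder_call(hal_wlc, system_app)` let a vendor HAL initiate binder calls into every app running in those two broad domains, not only the wireless-charger client; elsewhere in this diff the vendor/app boundary is crossed through a dedicated app domain (grilservice_app for hal_radioext_default). If the HAL only invokes callback interfaces that a client registers over the hwservice, say so above the rules (`# callbacks into the WLC client app registered via hal_wlc_hwservice`) and consider giving that client its own domain so the grant stops covering all of platform_app/system_app. The file also ends without a trailing newline (`\ No newline at end of file`), as does hal_contexthub.te.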
diff --git a/whitechapel/vendor/google/hwservice.te b/whitechapel/vendor/google/hwservice.te
new file mode 100644
index 00000000..0b489022
--- /dev/null
+++ b/whitechapel/vendor/google/hwservice.te
@@ -0,0 +1,20 @@
+type hal_vendor_telephony_hwservice, hwservice_manager_type;
+type hal_vendor_surfaceflinger_hwservice, hwservice_manager_type;
+
+# dmd servcie
+type hal_vendor_oem_hwservice, hwservice_manager_type;
+
+# rild service
+type hal_exynos_rild_hwservice, hwservice_manager_type;
+
+# GRIL service
+type hal_radioext_hwservice, hwservice_manager_type;
+
+# Audio
+type hal_audio_ext_hwservice, hwservice_manager_type;
+
+# WLC
+type hal_wlc_hwservice, hwservice_manager_type;
+
+# Bluetooth HAL extension
+type hal_bluetooth_coexistence_hwservice, hwservice_manager_type, vendor_hwservice_type;
diff --git a/whitechapel/vendor/google/hwservice_contexts b/whitechapel/vendor/google/hwservice_contexts
new file mode 100644
index 00000000..64a59cb6
--- /dev/null
+++ b/whitechapel/vendor/google/hwservice_contexts
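Review bot: Only `hal_bluetooth_coexistence_hwservice` is declared with `vendor_hwservice_type`; the other seven hwservice types in hwservice.te are bare `hwservice_manager_type`, and nothing on the page explains the difference. If the attribute is meant to mark hwservices registered by vendor domains, the remaining types should carry it too, otherwise a comment on the Bluetooth line should say why it alone needs it. `hal_vendor_telephony_hwservice` is also declared here but never referenced in the hwservice_contexts hunk that follows, which labels the OEM radio interface hal_telephony_hwservice instead. Minor: `# dmd servcie` should read `# dmd service`.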
@@ -0,0 +1,28 @@
+vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0
+vendor.samsung_slsi.hardware.ExynosHWCServiceTW::IExynosHWCServiceTW u:object_r:hal_vendor_surfaceflinger_hwservice:s0
+vendor.samsung_slsi.hardware.configstore::IExynosHWCConfigs u:object_r:hal_configstore_ISurfaceFlingerConfigs:s0
+
+# dmd HAL
+vendor.samsung_slsi.telephony.hardware.oemservice::IOemService u:object_r:hal_vendor_oem_hwservice:s0
+
+# rild HAL
+vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+android.vendor.samsung_slsi.telephony.hardware.radio::IOemSamsungslsi u:object_r:hal_exynos_rild_hwservice:s0
+vendor.samsung_slsi.telephony.hardware.radioExternal::IOemSlsiRadioExternal u:object_r:hal_exynos_rild_hwservice:s0
+
+# VIDEO
+android.hardware.media.c2::IComponentStore u:object_r:hal_codec2_hwservice:s0
+android.hardware.media.c2::IConfigurable u:object_r:hal_codec2_hwservice:s0
+
+# GRIL HAL
+vendor.google.radioext::IRadioExt u:object_r:hal_radioext_hwservice:s0
+
+#Audio
+vendor.google.whitechapel.audio.audioext::IAudioExt u:object_r:hal_audio_ext_hwservice:s0
+
+# Wireless charger hal
+vendor.google.wireless_charger::IWirelessCharger u:object_r:hal_wlc_hwservice:s0
+
+# Bluetooth HAL extension
+hardware.google.bluetooth.bt_channel_avoidance::IBTChannelAvoidance u:object_r:hal_bluetooth_coexistence_hwservice:s0
+hardware.google.bluetooth.sar::IBluetoothSar u:object_r:hal_bluetooth_coexistence_hwservice:s0
diff --git a/whitechapel/vendor/google/hwservicemanager.te b/whitechapel/vendor/google/hwservicemanager.te
new file mode 100644
index 00000000..7b64499b
--- /dev/null
+++ b/whitechapel/vendor/google/hwservicemanager.te
@@ -0,0 +1 @@
+binder_call(hwservicemanager, bipchmgr)
diff --git a/whitechapel/vendor/google/init-insmod-sh.te b/whitechapel/vendor/google/init-insmod-sh.te
new file mode 100644
index 00000000..e8424941
--- /dev/null
+++ b/whitechapel/vendor/google/init-insmod-sh.te
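Review bot: `vendor.samsung_slsi.hardware.radio::IOemSamsungslsi u:object_r:hal_telephony_hwservice:s0` labels a vendor OEM radio interface with the framework's hal_telephony_hwservice type, so every domain allowed to find hal_telephony_hwservice can also look up this OEM interface, while the same interface name under `vendor.samsung_slsi.telephony.hardware.radio` gets the dedicated hal_exynos_rild_hwservice label a few lines below. The unused `hal_vendor_telephony_hwservice` type declared in hwservice.te looks like the intended label; if reusing the framework type is deliberate, a comment naming the client that depends on it would stop a later cleanup from breaking it. The same question applies to `IExynosHWCConfigs` being mapped to hal_configstore_ISurfaceFlingerConfigs rather than a vendor type.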
@@ -0,0 +1,11 @@
+type init-insmod-sh, domain;
+type init-insmod-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(init-insmod-sh)
+
+allow init-insmod-sh self:capability sys_module;
+allow init-insmod-sh vendor_kernel_modules:system module_load;
+allow init-insmod-sh vendor_toolbox_exec:file execute_no_trans;
+
+set_prop(init-insmod-sh, vendor_device_prop)
+
+dontaudit init-insmod-sh proc_cmdline:file r_file_perms;
diff --git a/whitechapel/vendor/google/init.te b/whitechapel/vendor/google/init.te
new file mode 100644
index 00000000..a703c47a
--- /dev/null
+++ b/whitechapel/vendor/google/init.te
@@ -0,0 +1,15 @@
+allow init custom_ab_block_device:lnk_file relabelto;
+
+# This is needed for chaining a boot partition vbmeta
+# descriptor, where init will probe the boot partition
+# to read the chained vbmeta in the first-stage, then
+# relabel /dev/block/by-name/boot_[a|b] to block_device
+# after loading sepolicy in the second stage.
+allow init boot_block_device:lnk_file relabelto;
+
+allow init persist_file:dir mounton;
+allow init modem_efs_file:dir mounton;
+allow init modem_userdata_file:dir mounton;
+allow init ram_device:blk_file w_file_perms;
+allow init per_boot_file:file ioctl;
+allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };
diff --git a/whitechapel/vendor/google/init_radio.te b/whitechapel/vendor/google/init_radio.te
new file mode 100644
index 00000000..3a29edf3
--- /dev/null
+++ b/whitechapel/vendor/google/init_radio.te
@@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/kernel.te b/whitechapel/vendor/google/kernel.te
new file mode 100644
index 00000000..cab39fb5
--- /dev/null
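Review bot: `allow init ram_device:blk_file w_file_perms;` is the one grant in init.te without a why-comment, sitting next to the well-explained boot_block_device relabel; the `# ZRam` note in kernel.te suggests it belongs to zram setup, but a reader should not have to guess. Add something like `# zram backing device setup (TODO confirm)` and likewise name the file that gets pinned for `allowxperm init per_boot_file:file ioctl { F2FS_IOC_SET_PIN_FILE };`, which is otherwise the right way to scope an ioctl grant. The init-insmod-sh hunk on this line correctly limits `module_load` to vendor_kernel_modules rather than any file type, which is worth keeping when modules move.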
+++ b/whitechapel/vendor/google/kernel.te
@@ -0,0 +1,5 @@
+allow kernel vendor_fw_file:dir search;
+allow kernel vendor_fw_file:file r_file_perms;
+
+# ZRam
+allow kernel per_boot_file:file r_file_perms;
diff --git a/whitechapel/vendor/google/lhd.te b/whitechapel/vendor/google/lhd.te
new file mode 100644
index 00000000..e980897c
--- /dev/null
+++ b/whitechapel/vendor/google/lhd.te
@@ -0,0 +1,23 @@
+type lhd, domain;
+type lhd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(lhd)
+
+# Allow lhd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute lhd mlstrustedsubject;
+ allow lhd logger_app:unix_stream_socket connectto;
+')
+
+# Allow lhd access data vendor gps files
+allow lhd vendor_gps_file:dir create_dir_perms;
+allow lhd vendor_gps_file:file create_file_perms;
+allow lhd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow lhd to obtain wakelock
+wakelock_use(lhd)
+
+# Allow lhd access /dev/bbd_control file
+allow lhd vendor_gnss_device:chr_file rw_file_perms;
+
+# Allow lhd access nstandby gpio
+allow lhd sysfs_gps:file rw_file_perms;
diff --git a/whitechapel/vendor/google/logger_app.te b/whitechapel/vendor/google/logger_app.te
new file mode 100644
index 00000000..3e603c5f
--- /dev/null
+++ b/whitechapel/vendor/google/logger_app.te
@@ -0,0 +1,19 @@
+type logger_app, domain;
+
+userdebug_or_eng(`
+ app_domain(logger_app)
+ net_domain(logger_app)
+
+ allow logger_app app_api_service:service_manager find;
+ allow logger_app surfaceflinger_service:service_manager find;
+
+ allow logger_app radio_vendor_data_file:file create_file_perms;
+ allow logger_app radio_vendor_data_file:dir create_dir_perms;
+ allow logger_app vendor_slog_file:file {r_file_perms unlink};
+ allow logger_app vendor_gps_file:file create_file_perms;
+ allow logger_app vendor_gps_file:dir create_dir_perms;
+
+ set_prop(logger_app, vendor_modem_prop)
+ set_prop(logger_app, vendor_persist_sys_modem_prop)
+ set_prop(logger_app, vendor_gps_prop)
+')
diff --git a/whitechapel/vendor/google/mediacodec.te b/whitechapel/vendor/google/mediacodec.te
new file mode 100644
index 00000000..d3b108f6
--- /dev/null
+++ b/whitechapel/vendor/google/mediacodec.te
@@ -0,0 +1,6 @@
+userdebug_or_eng(`
+ set_prop(mediacodec, vendor_codec2_debug_prop)
+')
+
+add_service(mediacodec, eco_service)
+allow mediacodec hal_camera_default:binder call;
diff --git a/whitechapel/vendor/google/modem_logging_control.te b/whitechapel/vendor/google/modem_logging_control.te
new file mode 100644
index 00000000..7392297f
--- /dev/null
+++ b/whitechapel/vendor/google/modem_logging_control.te
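Review bot: Every rule for logger_app, including app_domain(), sits inside userdebug_or_eng, but `type logger_app, domain;` is unconditional and seapp_contexts maps com.android.pixellogger to it on every build. On a user build the package would therefore land in a domain with no app permissions at all; that is the safe failure mode, but it should be stated so nobody later "fixes" it by hoisting app_domain out of the block, e.g. `# Debug-only domain: on user builds the type exists but grants nothing, so the package must not ship there.` ramdump_app.te has the same shape and deserves the same line.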
@@ -0,0 +1,17 @@
+type modem_logging_control, domain;
+type modem_logging_control_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(modem_logging_control)
+
+hwbinder_use(modem_logging_control)
+binder_call(modem_logging_control, dmd)
+
+allow modem_logging_control radio_device:chr_file rw_file_perms;
+allow modem_logging_control hal_vendor_oem_hwservice:hwservice_manager find;
+allow modem_logging_control radio_vendor_data_file:dir create_dir_perms;
+allow modem_logging_control radio_vendor_data_file:file create_file_perms;
+allow modem_logging_control vendor_slog_file:dir create_dir_perms;
+allow modem_logging_control vendor_slog_file:file create_file_perms;
+
+set_prop(modem_logging_control, vendor_modem_prop)
+get_prop(modem_logging_control, hwservicemanager_prop)
diff --git a/whitechapel/vendor/google/modem_svc_sit.te b/whitechapel/vendor/google/modem_svc_sit.te
new file mode 100644
index 00000000..9ee5976f
--- /dev/null
+++ b/whitechapel/vendor/google/modem_svc_sit.te
@@ -0,0 +1,24 @@
+type modem_svc_sit, domain;
+type modem_svc_sit_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(modem_svc_sit)
+
+hwbinder_use(modem_svc_sit)
+binder_call(modem_svc_sit, rild)
+
+# Grant sysfs_modem access
+allow modem_svc_sit sysfs_modem:file rw_file_perms;
+
+# Grant radio device access
+allow modem_svc_sit radio_device:chr_file rw_file_perms;
+
+# Grant vendor radio and modem file/dir creation permission
+allow modem_svc_sit radio_vendor_data_file:dir create_dir_perms;
+allow modem_svc_sit radio_vendor_data_file:file create_file_perms;
+allow modem_svc_sit modem_stat_data_file:file create_file_perms;
+
+# RIL property
+get_prop(modem_svc_sit, vendor_rild_prop)
+
+# hwservice permission
+allow modem_svc_sit hal_exynos_rild_hwservice:hwservice_manager find;
+get_prop(modem_svc_sit, hwservicemanager_prop)
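Review bot: None of the rules in modem_logging_control.te are commented, while the sibling modem_svc_sit.te in the same change annotates every group; the rw access to radio_device and the create perms on vendor_slog_file are the ones a reader will want justified. Something like `# Controls modem logging: radio_device for the control channel, vendor_slog_file for the captured log output` above the allow block, adjusted to what the daemon actually does, would bring it to the standard of the neighbouring file.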
diff --git a/whitechapel/vendor/google/netutils_wrapper.te b/whitechapel/vendor/google/netutils_wrapper.te
new file mode 100644
index 00000000..a8090e37
--- /dev/null
+++ b/whitechapel/vendor/google/netutils_wrapper.te
@@ -0,0 +1,4 @@
+allow netutils_wrapper pktrouter:fd use;
+allow netutils_wrapper pktrouter:fifo_file write;
+allow netutils_wrapper pktrouter:packet_socket { read write };
+allow netutils_wrapper pktrouter:rawip_socket { read write };
diff --git a/whitechapel/vendor/google/pixelstats_vendor.te b/whitechapel/vendor/google/pixelstats_vendor.te
new file mode 100644
index 00000000..23ae03d5
--- /dev/null
+++ b/whitechapel/vendor/google/pixelstats_vendor.te
@@ -0,0 +1,15 @@
+# pixelstats vendor
+type pixelstats_vendor, domain;
+
+type pixelstats_vendor_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(pixelstats_vendor)
+
+unix_socket_connect(pixelstats_vendor, chre, chre)
+
+get_prop(pixelstats_vendor, hwservicemanager_prop)
+hwbinder_use(pixelstats_vendor)
+
+allow pixelstats_vendor fwk_stats_hwservice:hwservice_manager find;
+binder_call(pixelstats_vendor, stats_service_server)
+
+allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;
diff --git a/whitechapel/vendor/google/pktrouter.te b/whitechapel/vendor/google/pktrouter.te
new file mode 100644
index 00000000..8c436f3f
--- /dev/null
+++ b/whitechapel/vendor/google/pktrouter.te
@@ -0,0 +1,12 @@
+type pktrouter, domain;
+type pktrouter_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(pktrouter)
+net_domain(pktrouter)
+
+domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper);
+
+allow pktrouter pktrouter_device:chr_file rw_file_perms;
+allow pktrouter self:netlink_route_socket nlmsg_write;
+allow pktrouter self:packet_socket { bind create read write getattr shutdown};
+
+get_prop(pktrouter, vendor_ims_prop);
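Review bot: The packet_socket and rawip_socket rules let netutils_wrapper read and write raw sockets it inherits from pktrouter (the `fd use` line), which is more than the wrapper otherwise needs to run the net utilities on a vendor domain's behalf. If pktrouter does not intend to hand those sockets over, opening them with SOCK_CLOEXEC lets the last two rules go away; if the sharing is deliberate, a comment such as `# pktrouter execs the wrapper with its packet/raw sockets open; only read/write are granted, never create/bind` would document the boundary. The fifo_file write suggests output is piped back to pktrouter, which is worth stating on the same line.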
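Review bot: `allow pixelstats_vendor sysfs_scsi_devices_0000:file rw_file_perms;` grants write access to a sysfs node without saying what is written; if the daemon only collects storage statistics, `r_file_perms` suffices and vold.te's identical rw rule is the one that legitimately needs write. Either narrow it or add a comment naming the attribute that pixelstats_vendor writes.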
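Review bot: `allow pktrouter self:packet_socket { bind create read write getattr shutdown};` permits creating AF_PACKET sockets, which the kernel also subjects to a CAP_NET_RAW check; unless `allow pktrouter self:capability net_raw;` is granted in a file outside this diff, creation will be denied on the capability class rather than here, so it is worth confirming against a boot's audit log. Minor style: the closing brace lacks the space every other rule uses (`shutdown };`), and the two macro calls with trailing `;` differ from the bare form used in the rest of the change.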
diff --git a/whitechapel/vendor/google/platform_app.te b/whitechapel/vendor/google/platform_app.te
new file mode 100644
index 00000000..3c7be060
--- /dev/null
+++ b/whitechapel/vendor/google/platform_app.te
@@ -0,0 +1,8 @@
+binder_call(platform_app, rild)
+allow platform_app hal_exynos_rild_hwservice:hwservice_manager find;
+
+allow platform_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_wlc)
+
+allow platform_app fwk_stats_hwservice:hwservice_manager find;
+allow platform_app nfc_service:service_manager find;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/priv_app.te b/whitechapel/vendor/google/priv_app.te
new file mode 100644
index 00000000..aed639f7
--- /dev/null
+++ b/whitechapel/vendor/google/priv_app.te
@@ -0,0 +1,6 @@
+# Allows privileged applications to discover the EdgeTPU service.
+allow priv_app edgetpu_service:service_manager find;
+
+# Allows privileged applications to access the EdgeTPU device, except open,
+# which is guarded by the EdgeTPU service.
+allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel/vendor/google/property.te b/whitechapel/vendor/google/property.te
new file mode 100644
index 00000000..5ac31d8b
--- /dev/null
+++ b/whitechapel/vendor/google/property.te
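Review bot: platform_app.te is committed without a trailing newline (`\ No newline at end of file`), as are system_app.te, sced.te and vendor_telephony_app.te. The policy sources are fed to m4 as one stream, so a missing final newline can glue the last rule of one file to the first line of the next; add the newline in all four. sced.te additionally leaves the body of its userdebug_or_eng block unindented, unlike every other file in the change.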
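Review bot: `allow priv_app edgetpu_device:chr_file { getattr read write ioctl map };` grants unrestricted ioctl on a hardware node to every privileged app, and untrusted_app_all.te grants the same set to all untrusted apps. The comment explains that open is gated by the EdgeTPU service, but once an fd has been handed over the driver's whole ioctl surface is reachable from the app; init.te in this same change shows the pattern to narrow it, `allowxperm priv_app edgetpu_device:chr_file ioctl { <EDGETPU_IOC_* list from the driver header> };` (placeholder for the real command set), with a matching line for untrusted_app_all. Please add that, or a comment explaining why the whole ioctl range is required.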
@@ -0,0 +1,34 @@
+# For Exynos Properties
+vendor_internal_prop(vendor_prop)
+vendor_internal_prop(vendor_ims_prop)
+vendor_internal_prop(vendor_rild_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(sensors_prop)
+vendor_internal_prop(vendor_ssrdump_prop)
+vendor_internal_prop(vendor_device_prop)
+vendor_internal_prop(vendor_usb_config_prop)
+vendor_internal_prop(vendor_secure_element_prop)
+vendor_internal_prop(vendor_modem_prop)
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_cbd_prop)
+# vendor defaults
+vendor_internal_prop(vendor_config_default_prop)
+vendor_internal_prop(vendor_ro_config_default_prop)
+vendor_internal_prop(vendor_persist_config_default_prop)
+vendor_internal_prop(vendor_sys_default_prop)
+vendor_internal_prop(vendor_ro_sys_default_prop)
+vendor_internal_prop(vendor_persist_sys_default_prop)
+vendor_internal_prop(vendor_audio_prop)
+vendor_internal_prop(vendor_codec2_debug_prop)
+vendor_internal_prop(vendor_display_prop)
+vendor_internal_prop(vendor_persist_sys_modem_prop)
+vendor_internal_prop(vendor_camera_prop)
+vendor_internal_prop(vendor_camera_debug_prop)
+vendor_internal_prop(vendor_camera_fatp_prop)
+vendor_internal_prop(vendor_gps_prop)
+
+# Battery defender
+vendor_internal_prop(vendor_battery_defender_prop)
+
+# NFC
+vendor_internal_prop(vendor_nfc_prop)
diff --git a/whitechapel/vendor/google/property_contexts b/whitechapel/vendor/google/property_contexts
new file mode 100644
index 00000000..a3f993b1
--- /dev/null
+++ b/whitechapel/vendor/google/property_contexts
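Review bot: vendor_ramdump_prop is used by property_contexts (`persist.vendor.sys.crash_rcu`) and by ramdump_app.te's set_prop, but it is not declared in this property.te; conversely sensors_prop is declared here and no property_contexts entry in the change labels anything with it. Both may be resolved by files outside this diff, and if so a comment next to the Ramdump group, `# vendor_ramdump_prop is declared in <path to that file>`, would save the next reader the search; if not, the build fails on the undefined type.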
@@ -0,0 +1,89 @@
+# for rild
+persist.vendor.debug_level u:object_r:vendor_rild_prop:s0
+persist.vendor.ril. u:object_r:vendor_rild_prop:s0
+persist.vendor.radio. u:object_r:vendor_rild_prop:s0
+vendor.radio.ril. u:object_r:vendor_rild_prop:s0
+vendor.sys.rild_reset u:object_r:vendor_rild_prop:s0
+vendor.ril. u:object_r:vendor_rild_prop:s0
+ro.vendor.build.svn u:object_r:vendor_rild_prop:s0
+
+# for ims service
+vendor.charon. u:object_r:vendor_ims_prop:s0
+vendor.pktrouter u:object_r:vendor_ims_prop:s0
+
+# Ramdump
+persist.vendor.sys.crash_rcu u:object_r:vendor_ramdump_prop:s0
+
+# SSR Detector
+vendor.debug.ssrdump. u:object_r:vendor_ssrdump_prop:s0
+persist.vendor.sys.ssr. u:object_r:vendor_ssrdump_prop:s0
+
+# Kernel modules related
+vendor.common.modules.ready u:object_r:vendor_device_prop:s0
+vendor.device.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.modules.ready u:object_r:vendor_device_prop:s0
+vendor.all.devices.ready u:object_r:vendor_device_prop:s0
+
+# for codec2
+vendor.debug.c2.level u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump u:object_r:vendor_codec2_debug_prop:s0
+vendor.debug.c2.dump.opt u:object_r:vendor_codec2_debug_prop:s0
+
+# USB HAL
+persist.vendor.usb. u:object_r:vendor_usb_config_prop:s0
+vendor.usb. u:object_r:vendor_usb_config_prop:s0
+
+# for modem
+persist.vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.modem. u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem. u:object_r:vendor_persist_sys_modem_prop:s0
+
+# for cbd
+vendor.cbd. u:object_r:vendor_cbd_prop:s0
+persist.vendor.cbd. u:object_r:vendor_cbd_prop:s0
+
+# for slog
+vendor.sys.silentlog. u:object_r:vendor_slog_prop:s0
+vendor.sys.exynos.slog. u:object_r:vendor_slog_prop:s0
+
+# for dmd
+persist.vendor.sys.dm. u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd. u:object_r:vendor_diag_prop:s0
+vendor.sys.diag. u:object_r:vendor_diag_prop:s0
+
+# vendor default
+vendor.config. u:object_r:vendor_config_default_prop:s0
+ro.vendor.config. u:object_r:vendor_ro_config_default_prop:s0
+persist.vendor.config. u:object_r:vendor_persist_config_default_prop:s0
+vendor.sys. u:object_r:vendor_sys_default_prop:s0
+ro.vendor.sys. u:object_r:vendor_ro_sys_default_prop:s0
+persist.vendor.sys. u:object_r:vendor_persist_sys_default_prop:s0
+
+
+# for audio
+vendor.audio_hal.period_multiplier u:object_r:vendor_audio_prop:s0
+vendor.audiodump.enable u:object_r:vendor_audio_prop:s0
+
+# for display
+ro.vendor.hwc.drm.device u:object_r:vendor_display_prop:s0
+
+# for camera
+persist.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera. u:object_r:vendor_camera_prop:s0
+vendor.camera.debug. u:object_r:vendor_camera_debug_prop:s0
+vendor.camera.fatp. u:object_r:vendor_camera_fatp_prop:s0
+
+# for gps
+vendor.gps u:object_r:vendor_gps_prop:s0
+
+# SecureElement
+persist.vendor.se. u:object_r:vendor_secure_element_prop:s0
+
+# NFC
+persist.vendor.nfc. u:object_r:vendor_nfc_prop:s0
+
+# Battery
+vendor.battery.defender. u:object_r:vendor_battery_defender_prop:s0
diff --git a/whitechapel/vendor/google/radio.te b/whitechapel/vendor/google/radio.te
new file mode 100644
index 00000000..ffa43521
--- /dev/null
+++ b/whitechapel/vendor/google/radio.te
@@ -0,0 +1 @@
+allow radio hal_exynos_rild_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/ramdump_app.te b/whitechapel/vendor/google/ramdump_app.te
new file mode 100644
index 00000000..308e9fb7
--- /dev/null
+++ b/whitechapel/vendor/google/ramdump_app.te
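Review bot: Entries without a trailing dot, such as `persist.vendor.debug_level`, `vendor.sys.rild_reset`, `vendor.pktrouter`, `vendor.sys.exynos.modempath` and `vendor.gps`, are treated as prefix matches in this file format unless marked exact, so `vendor.gps` also labels any `vendor.gps*` name and `vendor.pktrouter` any `vendor.pktrouter*`. If those are single properties, mark them as such, e.g. `vendor.gps u:object_r:vendor_gps_prop:s0 exact`, so an unrelated property cannot inherit a context that logger_app and scd are allowed to set. The dotted entries are fine as they are.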
@@ -0,0 +1,24 @@
+type ramdump_app, domain;
+
+userdebug_or_eng(`
+ app_domain(ramdump_app)
+
+ allow ramdump_app app_api_service:service_manager find;
+
+ allow ramdump_app ramdump_vendor_data_file:file create_file_perms;
+ allow ramdump_app ramdump_vendor_data_file:dir create_dir_perms;
+
+ set_prop(ramdump_app, vendor_ramdump_prop)
+ get_prop(ramdump_app, system_boot_reason_prop)
+
+ # To access ramdumpfs.
+ allow ramdump_app mnt_vendor_file:dir search;
+ allow ramdump_app ramdump_vendor_mnt_file:dir create_dir_perms;
+ allow ramdump_app ramdump_vendor_mnt_file:file create_file_perms;
+
+ # To access subsystem ramdump files and dirs.
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ramdump_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
diff --git a/whitechapel/vendor/google/rfsd.te b/whitechapel/vendor/google/rfsd.te
new file mode 100644
index 00000000..df395cb4
--- /dev/null
+++ b/whitechapel/vendor/google/rfsd.te
@@ -0,0 +1,32 @@
+type rfsd, domain;
+type rfsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rfsd)
+
+# Allow to setuid from root to radio
+allow rfsd self:capability { chown setuid };
+
+# Allow to search block device and mnt dir for modem EFS partitions
+allow rfsd mnt_vendor_file:dir search;
+allow rfsd block_device:dir search;
+
+# Allow to operate with modem EFS file/dir
+allow rfsd modem_efs_file:dir create_dir_perms;
+allow rfsd modem_efs_file:file create_file_perms;
+
+allow rfsd radio_vendor_data_file:dir r_dir_perms;
+allow rfsd radio_vendor_data_file:file r_file_perms;
+
+# Allow to access rfsd log file/dir
+allow rfsd vendor_log_file:dir search;
+allow rfsd vendor_rfsd_log_file:dir create_dir_perms;
+allow rfsd vendor_rfsd_log_file:file create_file_perms;
+
+# Allow to read/write modem block device
+allow rfsd modem_block_device:blk_file rw_file_perms;
+
+# Allow to operate with radio device
+allow rfsd radio_device:chr_file rw_file_perms;
+
+# Allow to set rild and modem property
+set_prop(rfsd, vendor_modem_prop)
+set_prop(rfsd, vendor_rild_prop)
diff --git a/whitechapel/vendor/google/rild.te b/whitechapel/vendor/google/rild.te
new file mode 100644
index 00000000..a45d2b5f
--- /dev/null
+++ b/whitechapel/vendor/google/rild.te
@@ -0,0 +1,28 @@
+set_prop(rild, vendor_rild_prop)
+
+get_prop(rild, vendor_persist_config_default_prop)
+get_prop(rild, vendor_ro_config_default_prop)
+set_prop(rild, vendor_sys_default_prop)
+
+get_prop(rild, system_boot_reason_prop)
+
+allow rild proc_net:file rw_file_perms;
+allow rild radio_vendor_data_file:dir create_dir_perms;
+allow rild radio_vendor_data_file:file create_file_perms;
+allow rild rild_vendor_data_file:dir create_dir_perms;
+allow rild rild_vendor_data_file:file create_file_perms;
+allow rild vendor_fw_file:file r_file_perms;
+allow rild mnt_vendor_file:dir r_dir_perms;
+
+r_dir_file(rild, modem_img_file)
+
+binder_call(rild, bipchmgr)
+binder_call(rild, gpsd)
+binder_call(rild, hal_audio_default)
+binder_call(rild, hal_secure_element_default)
+binder_call(rild, platform_app)
+binder_call(rild, modem_svc_sit)
+
+# for hal service
+add_hwservice(rild, hal_exynos_rild_hwservice)
+allow rild hal_audio_ext_hwservice:hwservice_manager find;
diff --git a/whitechapel/vendor/google/rlsservice.te b/whitechapel/vendor/google/rlsservice.te
new file mode 100644
index 00000000..2217908d
--- /dev/null
+++ b/whitechapel/vendor/google/rlsservice.te
@@ -0,0 +1,21 @@
+type rlsservice, domain;
+type rlsservice_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(rlsservice)
+
+vndbinder_use(rlsservice)
+
+add_service(rlsservice, rls_service)
+
+# access rainbow sensor calibration files
+allow rlsservice persist_file:dir search;
+allow rlsservice persist_camera_file:dir search;
+allow rlsservice persist_camera_file:file r_file_perms;
+allow rlsservice mnt_vendor_file:dir search;
+
+binder_call(rlsservice, hal_sensors_default)
+binder_call(rlsservice, hal_camera_default)
+
+# Allow access to always-on compute device node
+allow rlsservice device:dir { read watch };
+allow rlsservice aoc_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/rpmbd.te b/whitechapel/vendor/google/rpmbd.te
new file mode 100644
index 00000000..4113c2d8
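Review bot: `allow rild proc_net:file rw_file_perms;` gives the RIL write access to everything labelled proc_net, and nothing in the hunk says which entry it writes. If it only reads interface or routing state, `r_file_perms` is enough; if it writes one specific node, name it, e.g. `# rild writes /proc/net/<entry> to <reason>` (placeholders), so the write bit can be revisited. Separately, `binder_call(rild, platform_app)` together with platform_app.te's `binder_call(platform_app, rild)` makes the RIL reachable from every platform-signed app; if only one client exists, a dedicated app domain would be the narrower choice.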
--- /dev/null
+++ b/whitechapel/vendor/google/rpmbd.te
@@ -0,0 +1,4 @@
+type rpmbd, domain;
+type rpmbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(rpmbd)
+
diff --git a/whitechapel/vendor/google/scd.te b/whitechapel/vendor/google/scd.te
new file mode 100644
index 00000000..28aaee0a
--- /dev/null
+++ b/whitechapel/vendor/google/scd.te
@@ -0,0 +1,17 @@
+type scd, domain;
+type scd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(scd)
+
+# Allow scd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+ typeattribute scd mlstrustedsubject;
+ allow scd logger_app:unix_stream_socket connectto;
+')
+
+# Allow a base set of permissions required for network access.
+net_domain(scd);
+
+# Allow scd access data vendor gps files
+allow scd vendor_gps_file:dir create_dir_perms;
+allow scd vendor_gps_file:file create_file_perms;
+allow scd vendor_gps_file:fifo_file create_file_perms;
diff --git a/whitechapel/vendor/google/sced.te b/whitechapel/vendor/google/sced.te
new file mode 100644
index 00000000..52c2b2b6
--- /dev/null
+++ b/whitechapel/vendor/google/sced.te
@@ -0,0 +1,10 @@
+type sced, domain;
+type sced_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(sced)
+
+userdebug_or_eng(`
+hwbinder_use(sced)
+binder_call(sced, dmd)
+
+get_prop(sced, hwservicemanager_prop)
+')
\ No newline at end of file
diff --git a/whitechapel/vendor/google/seapp_contexts b/whitechapel/vendor/google/seapp_contexts
new file mode 100644
index 00000000..8dfa07e4
--- /dev/null
+++ b/whitechapel/vendor/google/seapp_contexts
@@ -0,0 +1,30 @@
+# Samsung S.LSI telephony
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.silentlogging:remote domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.testmode domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.uartswitch domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.sysdebugmode domain=vendor_telephony_app
+user=system seinfo=platform name=com.samsung.slsi.telephony.networktestmode domain=vendor_telephony_app
+
+# Samsung S.LSI IMS
+user=system seinfo=platform name=com.shannon.imsservice domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.imsservice:remote domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.dataservice domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.networkservice domain=vendor_ims_app
+user=system seinfo=platform name=com.shannon.qualifiednetworksservice domain=vendor_ims_app
+
+# coredump/ramdump
+user=system seinfo=platform name=com.google.SSRestartDetector domain=ssr_detector_app type=system_app_data_file levelFrom=user
+user=_app seinfo=platform name=com.android.ramdump domain=ramdump_app type=app_data_file levelFrom=all
+
+# grilservice
+user=_app isPrivApp=true seinfo=platform name=com.google.android.grilservice domain=grilservice_app levelFrom=all
+
+# PixelLogger
+user=_app seinfo=platform name=com.android.pixellogger domain=logger_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# Hardware Info Collection
+user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app type=app_data_file levelFrom=user
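Review bot: The last entry, `user=_app isPrivApp=true name=com.google.android.hardwareinfo domain=hardware_info_app ...`, selects a domain by package name without a `seinfo=` key, while every other entry in the file, including the grilservice one right above it, pins `seinfo=platform`. A package name is not authenticated, so the only thing binding hardware_info_app to the intended APK is its priv-app install location; adding the signer's seinfo, as the other entries do, ties the domain to the signing certificate rather than the name. If the build's seapp_contexts checker already requires seinfo alongside name, this will surface there too.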
diff --git a/whitechapel/vendor/google/securedpud.slider.te b/whitechapel/vendor/google/securedpud.slider.te
new file mode 100644
index 00000000..fd553a30
--- /dev/null
+++ b/whitechapel/vendor/google/securedpud.slider.te
@@ -0,0 +1,9 @@
+type securedpud_slider, domain;
+type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(securedpud_slider)
+
+allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
+allow securedpud_slider ion_device:chr_file r_file_perms;
+allow securedpud_slider tee_device:chr_file rw_file_perms;
+allow securedpud_slider tui_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/service.te b/whitechapel/vendor/google/service.te
new file mode 100644
index 00000000..9c935e9c
--- /dev/null
+++ b/whitechapel/vendor/google/service.te
@@ -0,0 +1 @@
+type hal_pixel_display_service, service_manager_type, vendor_service;
diff --git a/whitechapel/vendor/google/service_contexts b/whitechapel/vendor/google/service_contexts
new file mode 100644
index 00000000..aed05336
--- /dev/null
+++ b/whitechapel/vendor/google/service_contexts
@@ -0,0 +1,3 @@
+# EdgeTPU service
+com.google.edgetpu.IEdgeTpuService/default u:object_r:edgetpu_service:s0
+com.google.hardware.pixel.display.IDisplay/default u:object_r:hal_pixel_display_service:s0
diff --git a/whitechapel/vendor/google/shell.te b/whitechapel/vendor/google/shell.te
new file mode 100644
index 00000000..29274f5f
--- /dev/null
+++ b/whitechapel/vendor/google/shell.te
@@ -0,0 +1 @@
+allow shell eco_service:service_manager find;
diff --git a/whitechapel/vendor/google/sscoredump.te b/whitechapel/vendor/google/sscoredump.te
new file mode 100644
index 00000000..e66abc66
--- /dev/null
+++ b/whitechapel/vendor/google/sscoredump.te
@@ -0,0 +1,17 @@
+type sscoredump, domain;
+type sscoredump_exec, vendor_file_type, exec_type, file_type;
+
+init_daemon_domain(sscoredump)
+
+set_prop(sscoredump, vendor_ssrdump_prop)
+
+allow sscoredump device:dir r_dir_perms;
+allow sscoredump sscoredump_device:chr_file rw_file_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow sscoredump sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+ allow sscoredump sscoredump_sysfs_level:file rw_file_perms;
+ allow sscoredump sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+ allow sscoredump sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
diff --git a/whitechapel/vendor/google/ssr_detector.te b/whitechapel/vendor/google/ssr_detector.te
new file mode 100644
index 00000000..48361bd8
--- /dev/null
+++ b/whitechapel/vendor/google/ssr_detector.te
@@ -0,0 +1,16 @@
+type ssr_detector_app, domain;
+
+app_domain(ssr_detector_app)
+allow ssr_detector_app app_api_service:service_manager find;
+allow ssr_detector_app radio_service:service_manager find;
+
+allow ssr_detector_app system_app_data_file:dir r_dir_perms;
+
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow ssr_detector_app sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+userdebug_or_eng(`
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:dir r_dir_perms;
+ allow ssr_detector_app sscoredump_vendor_data_coredump_file:file r_file_perms;
+')
+
+get_prop(ssr_detector_app, vendor_ssrdump_prop)
diff --git a/whitechapel/vendor/google/storageproxyd.te b/whitechapel/vendor/google/storageproxyd.te
new file mode 100644
index 00000000..ef9d93a8
--- /dev/null
+++ b/whitechapel/vendor/google/storageproxyd.te
@@ -0,0 +1,4 @@
+type sg_device, dev_type;
+
+allow tee sg_device:chr_file rw_file_perms;
+allow tee self:capability { setgid setuid };
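Review bot: storageproxyd.te declares a new device type `sg_device` and grants the tee domain rw access to it plus `setgid setuid`, but neither the type nor the capabilities are explained, and no file_contexts rule labelling anything sg_device appears in this change. A comment such as `# SCSI-generic node that storageproxyd (running as tee) uses for secure storage; setuid/setgid let it drop privileges after opening it`, corrected to the real reason, would cover both, and if the labelling rule lives in another file a pointer to it belongs here as well. The file name also does not match the domain it modifies, which is worth a line so nobody looks for a storageproxyd type.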
diff --git a/whitechapel/vendor/google/system_app.te b/whitechapel/vendor/google/system_app.te
new file mode 100644
index 00000000..f8fe4f20
--- /dev/null
+++ b/whitechapel/vendor/google/system_app.te
@@ -0,0 +1,6 @@
+allow system_app sysfs_vendor_sched:file w_file_perms;
+
+allow system_app hal_wlc_hwservice:hwservice_manager find;
+binder_call(system_app, hal_wlc)
+
+allow system_app fwk_stats_hwservice:hwservice_manager find;
\ No newline at end of file
diff --git a/whitechapel/vendor/google/system_server.te b/whitechapel/vendor/google/system_server.te
new file mode 100644
index 00000000..329a693a
--- /dev/null
+++ b/whitechapel/vendor/google/system_server.te
@@ -0,0 +1,3 @@
+# Allow system server to send sensor data callbacks to GPS and camera HALs
+binder_call(system_server, gpsd);
+binder_call(system_server, hal_camera_default);
diff --git a/whitechapel/vendor/google/toolbox.te b/whitechapel/vendor/google/toolbox.te
new file mode 100644
index 00000000..9fbbb7ab
--- /dev/null
+++ b/whitechapel/vendor/google/toolbox.te
@@ -0,0 +1,3 @@
+allow toolbox ram_device:blk_file rw_file_perms;
+allow toolbox per_boot_file:dir create_dir_perms;
+allow toolbox per_boot_file:file create_file_perms;
diff --git a/whitechapel/vendor/google/trusty_apploader.te b/whitechapel/vendor/google/trusty_apploader.te
new file mode 100644
index 00000000..b3f91794
--- /dev/null
+++ b/whitechapel/vendor/google/trusty_apploader.te
@@ -0,0 +1,6 @@
+type trusty_apploader, domain;
+type trusty_apploader_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(trusty_apploader)
+
+allow trusty_apploader ion_device:chr_file r_file_perms;
+allow trusty_apploader tee_device:chr_file rw_file_perms;
diff --git a/whitechapel/vendor/google/untrusted_app_all.te b/whitechapel/vendor/google/untrusted_app_all.te
new file mode 100644
index 00000000..8e79515f
--- /dev/null
+++ b/whitechapel/vendor/google/untrusted_app_all.te
@@ -0,0 +1,6 @@
+# Allows applications to discover the EdgeTPU service.
+allow untrusted_app_all edgetpu_service:service_manager find;
+
+# Allows applications to access the EdgeTPU device, except open, which is guarded
+# by the EdgeTPU service.
+allow untrusted_app_all edgetpu_device:chr_file { getattr read write ioctl map };
diff --git a/whitechapel/vendor/google/vcd.te b/whitechapel/vendor/google/vcd.te
new file mode 100644
index 00000000..c4af485f
--- /dev/null
+++ b/whitechapel/vendor/google/vcd.te
@@ -0,0 +1,11 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(vcd)
+
+get_prop(vcd, vendor_rild_prop);
+get_prop(vcd, vendor_persist_config_default_prop);
+
+allow vcd serial_device:chr_file rw_file_perms;
+allow vcd radio_device:chr_file rw_file_perms;
+allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+allow vcd node:tcp_socket node_bind;
diff --git a/whitechapel/vendor/google/vendor_ims_app.te b/whitechapel/vendor/google/vendor_ims_app.te
new file mode 100644
index 00000000..058450d0
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_ims_app.te
@@ -0,0 +1,2 @@
+type vendor_ims_app, domain;
+app_domain(vendor_ims_app)
diff --git a/whitechapel/vendor/google/vendor_init.te b/whitechapel/vendor/google/vendor_init.te
new file mode 100644
index 00000000..7a0a9d51
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_init.te
@@ -0,0 +1,14 @@
+set_prop(vendor_init, vendor_device_prop)
+set_prop(vendor_init, vendor_modem_prop)
+set_prop(vendor_init, vendor_cbd_prop)
+get_prop(vendor_init, vendor_rild_prop)
+get_prop(vendor_init, vendor_persist_sys_modem_prop)
+
+allow vendor_init proc_dirty:file w_file_perms;
+allow vendor_init proc_sched:file write;
+allow vendor_init bootdevice_sysdev:file create_file_perms;
+
+# NFC vendor property
+set_prop(vendor_init, vendor_nfc_prop)
+# SecureElement vendor property
+set_prop(vendor_init, vendor_secure_element_prop)
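Review bot: vcd is granted a listening TCP socket (`listen accept` plus `node:tcp_socket node_bind`) together with rw access to serial_device and radio_device, and nothing in vcd.te limits this to debug builds or says what the listener is for. If it is a diagnostic bridge between the modem/serial ports and a network client, wrap the socket rules in a userdebug_or_eng block as sced.te does, or document why a user build needs it, e.g. `# Accepts connections on <port, loopback only?> for the modem diagnostic tool; see <service definition>` (placeholders). vcd is not a net_domain, so outbound traffic is presumably already constrained; it is the inbound listener that wants the explanation.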
diff --git a/whitechapel/vendor/google/vendor_telephony_app.te b/whitechapel/vendor/google/vendor_telephony_app.te
new file mode 100644
index 00000000..06d867c7
--- /dev/null
+++ b/whitechapel/vendor/google/vendor_telephony_app.te
@@ -0,0 +1,4 @@
+type vendor_telephony_app, domain;
+app_domain(vendor_telephony_app)
+
+set_prop(vendor_telephony_app, vendor_modem_prop)
\ No newline at end of file
diff --git a/whitechapel/vendor/google/vndservice.te b/whitechapel/vendor/google/vndservice.te
new file mode 100644
index 00000000..f70a26fe
--- /dev/null
+++ b/whitechapel/vendor/google/vndservice.te
@@ -0,0 +1,4 @@
+type rls_service, vndservice_manager_type;
+type vendor_surfaceflinger_vndservice, vndservice_manager_type;
+type vendor_displaycolor_service, vndservice_manager_type;
+type eco_service, vndservice_manager_type;
diff --git a/whitechapel/vendor/google/vndservice_contexts b/whitechapel/vendor/google/vndservice_contexts
new file mode 100644
index 00000000..d44e1cb8
--- /dev/null
+++ b/whitechapel/vendor/google/vndservice_contexts
@@ -0,0 +1,4 @@
+Exynos.HWCService u:object_r:vendor_surfaceflinger_vndservice:s0
+rlsservice u:object_r:rls_service:s0
+displaycolor u:object_r:vendor_displaycolor_service:s0
+media.ecoservice u:object_r:eco_service:s0
diff --git a/whitechapel/vendor/google/vold.te b/whitechapel/vendor/google/vold.te
new file mode 100644
index 00000000..ecea1946
--- /dev/null
+++ b/whitechapel/vendor/google/vold.te
@@ -0,0 +1,6 @@
+allow vold sysfs_scsi_devices_0000:file rw_file_perms;
+allow vold modem_efs_file:dir rw_dir_perms;
+allow vold modem_userdata_file:dir rw_dir_perms;
+
+dontaudit vold dumpstate:fifo_file rw_file_perms;
+dontaudit vold dumpstate:fd { use };