Move slider-sepolicy into gs101-sepolicy

from: 71e609c24c97fc8d44843af30527cbeb90d5dcdf

Bug: 167996145
Change-Id: Ie00e7e0983a3ca695bbd5140c929d07a80144301

OWNERS

@@ -1,3 +1,11 @@
-aaronding@google.com
+adamshih@google.com
-robinpeng@google.com
+alanstokes@google.com
-lucaswei@google.com
+bowgotsai@google.com
+jbires@google.com
+jeffv@google.com
+jgalenson@google.com
+jiyong@google.com
+rurumihong@google.com
+sspatil@google.com
+smoreland@google.com
+trong@google.com

ambient/exo_app.te

@@ -0,0 +1,11 @@
+type exo_app, domain;
+
+app_domain(exo_app)
+
+allow exo_app app_api_service:service_manager find;
+allow exo_app audioserver_service:service_manager find;
+allow exo_app cameraserver_service:service_manager find;
+allow exo_app mediaserver_service:service_manager find;
+allow exo_app radio_service:service_manager find;
+allow exo_app fwk_stats_hwservice:hwservice_manager find;
+binder_call(exo_app, statsd)

ambient/exo_wirecutter_app.te

@@ -0,0 +1,7 @@
+type exo_wirecutter_app, domain;
+
+app_domain(exo_wirecutter_app)
+
+allow exo_wirecutter_app app_api_service:service_manager find;
+allow exo_wirecutter_app fwk_stats_hwservice:hwservice_manager find;
+binder_call(exo_wirecutter_app, statsd)

ambient/keys.conf

@@ -0,0 +1,2 @@
+[@EXO_WIRECUTTER]
+ALL : vendor/google/dev-keystore/certs/com_google_pixel_wirecutter/com_google_pixel_wirecutter.x509.pem

ambient/mac_permissions.xml

@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<policy>
+
+<!--
+
+    * A signature is a hex encoded X.509 certificate or a tag defined in
+      keys.conf and is required for each signer tag.
+    * A signer tag may contain a seinfo tag and multiple package stanzas.
+    * A default tag is allowed that can contain policy for all apps not signed with a
+      previously listed cert. It may not contain any inner package stanzas.
+    * Each signer/default/package tag is allowed to contain one seinfo tag. This tag
+      represents additional info that each app can use in setting a SELinux security
+      context on the eventual process.
+    * When a package is installed the following logic is used to determine what seinfo
+      value, if any, is assigned.
+      - All signatures used to sign the app are checked first.
+      - If a signer stanza has inner package stanzas, those stanza will be checked
+        to try and match the package name of the app. If the package name matches
+        then that seinfo tag is used. If no inner package matches then the outer
+        seinfo tag is assigned.
+      - The default tag is consulted last if needed.
+-->
+    <signer signature="@EXO_WIRECUTTER" >
+        <seinfo value="wirecutter" />
+    </signer>
+</policy>

ambient/seapp_contexts

@@ -0,0 +1,5 @@
+# Domain for Exo app
+user=_app isPrivApp=true seinfo=platform name=com.google.pixel.exo domain=exo_app type=app_data_file levelFrom=all
+
+# Domain for Exo Wirecutter app
+user=_app seinfo=wirecutter name=com.google.pixel.wirecutter domain=exo_wirecutter_app type=app_data_file levelFrom=all

display/common/file.te

@@ -0,0 +1 @@
+type persist_display_file, file_type, vendor_persist_type;

display/common/file_contexts

@@ -0,0 +1 @@
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0

display/gs101/genfs_contexts

@@ -0,0 +1,11 @@
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight                 u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number             u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible                 u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight                 u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number             u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible                 u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay                                           u:object_r:sysfs_display:s0

display/gs101/hal_graphics_composer_default.te

@@ -0,0 +1,34 @@
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+userdebug_or_eng(`
+    allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+
+    # For HWC/libdisplaycolor to generate calibration file.
+    allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+    allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get vendor_display_prop
+get_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+binder_use(hal_graphics_composer_default)

gs101-sepolicy.mk

@@ -0,0 +1,23 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/whitechapel/vendor/google
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private
+
+#
+# Pixel-wide
+#
+#   Dauntless (uses Citadel policy currently)
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/citadel
+
+#   Wifi
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/wifi_ext
+
+#   PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Display
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101

private/gmscore_app.te

@@ -0,0 +1,2 @@
+# b/177389198
+dontaudit gmscore_app adbd_prop:file *;

private/hal_dumpstate_default.te

@@ -0,0 +1,2 @@
+# b/176868217
+dontaudit hal_dumpstate adbd_prop:file *;

private/hal_vibrator_default.te

@@ -0,0 +1,2 @@
+# b/177176811
+dontaudit hal_vibrator adbd_prop:file *;

private/incidentd.te

@@ -0,0 +1,14 @@
+# b/174961589
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file map ;
+dontaudit incidentd apexd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file map ;

private/lpdumpd.te

@@ -0,0 +1,7 @@
+# b/177176997
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file read ;

private/priv_app.te

@@ -0,0 +1,19 @@
+# b/178433525
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app adbd_prop:file { getattr };

private/radio.te

@@ -0,0 +1 @@
+add_service(radio, uce_service)

private/service_contexts

@@ -0,0 +1 @@
+telephony.oem.oemrilhook        u:object_r:radio_service:s0

private/untrusted_app_25.te

@@ -0,0 +1,2 @@
+# b/177389321
+dontaudit untrusted_app_25 adbd_prop:file *;

tracking_denials/aocd.te

@@ -0,0 +1,2 @@
+# b/171267323
+dontaudit aocd device:dir r_dir_perms;

tracking_denials/bootanim.te

@@ -0,0 +1,5 @@
+# b/180567480
+dontaudit bootanim traced_producer_socket:sock_file { write };
+dontaudit bootanim traced:unix_stream_socket { connectto };
+dontaudit bootanim traced:unix_stream_socket { connectto };
+dontaudit bootanim traced_producer_socket:sock_file { write };

tracking_denials/cbd.te

@@ -0,0 +1,51 @@
+# b/171267363
+dontaudit cbd cbd:capability {setuid };
+dontaudit cbd proc_cmdline:file {open };
+dontaudit cbd persist_file:dir {search };
+dontaudit cbd init:unix_stream_socket {connectto };
+dontaudit cbd proc_cmdline:file {read };
+dontaudit cbd kernel:system {syslog_read };
+# b/173971138
+dontaudit cbd radio_prop:file { map };
+dontaudit cbd radio_prop:file { open };
+dontaudit cbd radio_prop:file { read };
+dontaudit cbd radio_prop:file { open };
+dontaudit cbd radio_prop:file { map };
+dontaudit cbd radio_prop:file { read };
+dontaudit cbd radio_prop:file { getattr };
+dontaudit cbd radio_prop:file { getattr };
+# b/178331928
+dontaudit cbd mnt_vendor_file:dir { search };
+dontaudit cbd mnt_vendor_file:dir { search };
+# b/178979986
+dontaudit cbd unlabeled:dir { getattr };
+dontaudit cbd unlabeled:file { open };
+dontaudit cbd unlabeled:file { read };
+dontaudit cbd unlabeled:file { getattr };
+dontaudit cbd unlabeled:lnk_file { read };
+dontaudit cbd unlabeled:dir { search };
+dontaudit cbd unlabeled:file { getattr };
+dontaudit cbd unlabeled:dir { getattr };
+dontaudit cbd unlabeled:lnk_file { read };
+dontaudit cbd unlabeled:dir { search };
+dontaudit cbd unlabeled:file { read };
+dontaudit cbd unlabeled:file { open };
+# b/179198083
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd radio_vendor_data_file:dir { write };
+dontaudit cbd radio_vendor_data_file:dir { add_name };
+dontaudit cbd radio_vendor_data_file:file { create };
+dontaudit cbd radio_vendor_data_file:file { write };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd unlabeled:file { ioctl };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd radio_vendor_data_file:file { read };
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd unlabeled:file { ioctl };
+dontaudit cbd radio_vendor_data_file:file { open };
+dontaudit cbd radio_vendor_data_file:file { read };
+dontaudit cbd radio_vendor_data_file:file { write };
+dontaudit cbd radio_vendor_data_file:file { create };
+dontaudit cbd radio_vendor_data_file:dir { add_name };
+dontaudit cbd radio_vendor_data_file:dir { search };
+dontaudit cbd radio_vendor_data_file:dir { write };

tracking_denials/dumpstate.te

@@ -0,0 +1,35 @@
+# ag/13067824
+dontaudit dumpstate fuse:dir r_dir_perms;
+# b/174618507
+dontaudit dumpstate default_android_service:service_manager { find };
+dontaudit dumpstate vold:binder { call };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+dontaudit dumpstate vold:binder { call };
+dontaudit dumpstate modem_userdata_file:dir { getattr };
+dontaudit dumpstate hal_drm_clearkey:process { signal };
+dontaudit dumpstate hal_drm_clearkey:process { signal };
+dontaudit dumpstate modem_efs_file:dir { getattr };
+# b/177778645
+dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
+dontaudit dumpstate ramdump_vendor_mnt_file:dir { getattr };
+# b/177860804
+dontaudit dumpstate incident:process { sigkill };
+dontaudit dumpstate incident:process { signal };
+dontaudit dumpstate incident:process { sigkill };
+dontaudit dumpstate incident:process { signal };
+# b/179310854
+dontaudit dumpstate unlabeled:dir { getattr };
+dontaudit dumpstate unlabeled:dir { getattr };
+# b/180963249
+dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
+dontaudit dumpstate hal_neuralnetworks_armnn:process { signal };
+# b/181915316
+dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { open };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { getattr };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { read };
+dontaudit dumpstate vendor_dmabuf_debugfs:file { open };

tracking_denials/gmscore_app.te

@@ -0,0 +1,67 @@
+# b/177389198
+dontaudit gmscore_app aac_drc_prop:file { open };
+dontaudit gmscore_app ab_update_gki_prop:file { map };
+dontaudit gmscore_app ab_update_gki_prop:file { getattr };
+dontaudit gmscore_app aac_drc_prop:file { map };
+dontaudit gmscore_app ab_update_gki_prop:file { open };
+dontaudit gmscore_app aac_drc_prop:file { getattr };
+# b/177860960
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+dontaudit gmscore_app hal_memtrack_default:binder { call };
+# b/178752576
+dontaudit gmscore_app apexd_prop:file { open };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit gmscore_app apexd_prop:file { getattr };
+dontaudit gmscore_app apexd_prop:file { map };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+dontaudit gmscore_app ramdump_vendor_mnt_file:filesystem { getattr };
+# b/178753472
+dontaudit gmscore_app audio_config_prop:file { getattr };
+dontaudit gmscore_app apk_verity_prop:file { map };
+dontaudit gmscore_app apk_verity_prop:file { getattr };
+dontaudit gmscore_app apk_verity_prop:file { open };
+dontaudit gmscore_app audio_config_prop:file { open };
+# b/179310892
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit gmscore_app bluetooth_prop:file { getattr };
+dontaudit gmscore_app audio_config_prop:file { map };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { open };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit gmscore_app bluetooth_audio_hal_prop:file { map };
+dontaudit gmscore_app bluetooth_prop:file { open };
+dontaudit gmscore_app bluetooth_a2dp_offload_prop:file { getattr };
+# b/179437292
+dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr };
+dontaudit gmscore_app bluetooth_prop:file { map };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { open };
+dontaudit gmscore_app boottime_prop:file { open };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { map };
+# b/179437988
+dontaudit gmscore_app bluetooth_prop:file { map };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { open };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { getattr };
+dontaudit gmscore_app bootloader_boot_reason_prop:file { map };
+dontaudit gmscore_app boottime_prop:file { open };
+dontaudit gmscore_app boottime_prop:file { getattr };
+dontaudit gmscore_app boottime_prop:file { map };
+dontaudit gmscore_app boottime_public_prop:file { open };
+dontaudit gmscore_app boottime_public_prop:file { getattr };
+# b/180656125
+dontaudit gmscore_app boottime_public_prop:file { map };
+dontaudit gmscore_app build_bootimage_prop:file { open };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
+dontaudit gmscore_app build_bootimage_prop:file { open };
+dontaudit gmscore_app boottime_public_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { map };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { getattr };
+dontaudit gmscore_app bpf_progs_loaded_prop:file { open };
+# b/180960879
+dontaudit gmscore_app property_type:file *;

tracking_denials/gpsd.te

@@ -0,0 +1,11 @@
+# b/173969091
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd radio_prop:file { map };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { read };
+dontaudit gpsd radio_prop:file { open };
+dontaudit gpsd radio_prop:file { getattr };
+dontaudit gpsd system_data_file:dir { search };
+dontaudit gpsd radio_prop:file { getattr };

tracking_denials/hal_camera_default.te

@@ -0,0 +1,15 @@
+# b/178980085
+dontaudit hal_camera_default system_data_file:dir { search };
+dontaudit hal_camera_default system_data_file:dir { search };
+# b/180567725
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced:unix_stream_socket { connectto };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+dontaudit hal_camera_default traced_producer_socket:sock_file { write };
+# b/181913550
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { read };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { open };
+dontaudit hal_camera_default dmabuf_system_heap_device:chr_file { ioctl };

tracking_denials/hal_dumpstate_default.te

@@ -0,0 +1,16 @@
+# b/181915591
+dontaudit hal_dumpstate_default aac_drc_prop:file { open };
+dontaudit hal_dumpstate_default sysfs:dir { read };
+dontaudit hal_dumpstate_default sysfs:dir { open };
+dontaudit hal_dumpstate_default vendor_displaycolor_service:service_manager { find };
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };
+dontaudit hal_dumpstate_default aac_drc_prop:file { getattr };
+dontaudit hal_dumpstate_default aac_drc_prop:file { map };
+dontaudit hal_dumpstate_default aac_drc_prop:file { open };
+dontaudit hal_dumpstate_default aac_drc_prop:file { getattr };
+dontaudit hal_dumpstate_default aac_drc_prop:file { map };
+dontaudit hal_dumpstate_default ab_update_gki_prop:file { open };
+dontaudit hal_dumpstate_default ab_update_gki_prop:file { open };
+dontaudit hal_dumpstate_default sysfs:dir { read };
+dontaudit hal_dumpstate_default sysfs:dir { open };
+dontaudit hal_dumpstate_default hal_graphics_composer_default:binder { call };

tracking_denials/hal_fingerprint_default.te

@@ -0,0 +1,52 @@
+# b/174438167
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { ioctl };
+dontaudit hal_fingerprint_default tee_device:chr_file { open };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default device:chr_file { open };
+dontaudit hal_fingerprint_default device:chr_file { read write };
+dontaudit hal_fingerprint_default tee_device:chr_file { read write };
+dontaudit hal_fingerprint_default device:chr_file { ioctl };
+dontaudit hal_fingerprint_default device:chr_file { open };
+dontaudit hal_fingerprint_default system_data_root_file:file { read };
+dontaudit hal_fingerprint_default system_data_root_file:file { open };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { create };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { bind };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { write };
+dontaudit hal_fingerprint_default hal_fingerprint_default:netlink_socket { read };
+dontaudit hal_fingerprint_default device:chr_file { ioctl };
+dontaudit hal_fingerprint_default device:chr_file { read write };
+# b/174714991
+dontaudit hal_fingerprint_default system_data_file:file { read };
+dontaudit hal_fingerprint_default system_data_file:file { open };
+dontaudit hal_fingerprint_default system_data_file:file { read };
+dontaudit hal_fingerprint_default system_data_file:file { open };
+# b/177966377
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+dontaudit hal_fingerprint_default default_prop:file { map };
+dontaudit hal_fingerprint_default default_prop:file { getattr };
+dontaudit hal_fingerprint_default default_android_hwservice:hwservice_manager { add };
+dontaudit hal_fingerprint_default default_prop:file { open };
+dontaudit hal_fingerprint_default default_prop:file { read };
+# b/180655836
+dontaudit hal_fingerprint_default system_data_root_file:dir { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { write };
+dontaudit hal_fingerprint_default system_data_root_file:file { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { create };
+dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };
+dontaudit hal_fingerprint_default system_data_root_file:dir { add_name };

tracking_denials/hal_graphics_composer_default.te

@@ -0,0 +1,23 @@
+# b/181712799
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default hal_power_default:binder { call };
+dontaudit hal_graphics_composer_default boot_status_prop:file { map };
+dontaudit hal_graphics_composer_default vendor_log_file:file { create };
+dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
+dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_log_file:file { getattr };
+dontaudit hal_graphics_composer_default vendor_log_file:file { append open };
+dontaudit hal_graphics_composer_default vendor_log_file:file { create };
+dontaudit hal_graphics_composer_default hal_power_service:service_manager { find };
+dontaudit hal_graphics_composer_default boot_status_prop:file { read };
+dontaudit hal_graphics_composer_default boot_status_prop:file { open };
+dontaudit hal_graphics_composer_default boot_status_prop:file { getattr };
+# b/181915065
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fd { use };
+dontaudit hal_graphics_composer_default hal_dumpstate_default:fifo_file { write };

tracking_denials/hal_health_default.te

@@ -0,0 +1,15 @@
+# b/177966434
+dontaudit hal_health_default sysfs_wlc:dir { search };
+# b/181177925
+dontaudit hal_health_default thermal_link_device:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default sysfs_thermal:lnk_file { read };
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default sysfs_thermal:file { write };
+dontaudit hal_health_default sysfs_thermal:file { open };
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
+dontaudit hal_health_default sysfs_thermal:dir { search };
+dontaudit hal_health_default thermal_link_device:dir { search };
+dontaudit hal_health_default sysfs_batteryinfo:file { write };
+dontaudit hal_health_default sysfs_thermal:lnk_file { read };

tracking_denials/hal_memtrack_default.te

@@ -0,0 +1,3 @@
+# b/181913683
+dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search };
+dontaudit hal_memtrack_default vendor_ion_debugfs:dir { search };

tracking_denials/hal_neuralnetworks_armnn.te

@@ -0,0 +1,33 @@
+# b/171160755
+dontaudit hal_neuralnetworks_armnn traced:unix_stream_socket connectto ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager add ;
+dontaudit hal_neuralnetworks_armnn hal_neuralnetworks_hwservice:hwservice_manager find ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder transfer ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager:binder call ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file map ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file getattr ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file open ;
+dontaudit hal_neuralnetworks_armnn hwservicemanager_prop:file read ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file open ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file getattr ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file ioctl ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file map ;
+dontaudit hal_neuralnetworks_armnn gpu_device:chr_file {read write} ;
+dontaudit hal_neuralnetworks_armnn traced_producer_socket:sock_file write ;
+dontaudit hal_neuralnetworks_armnn hidl_base_hwservice:hwservice_manager add ;
+# b/171670122
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { read };
+dontaudit hal_neuralnetworks_armnn debugfs_tracing:file { open };
+# b/180550063
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+dontaudit hal_neuralnetworks_armnn system_data_file:dir { search };
+# b/180858476
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { read };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };
+dontaudit hal_neuralnetworks_armnn default_prop:file { open };
+dontaudit hal_neuralnetworks_armnn default_prop:file { getattr };
+dontaudit hal_neuralnetworks_armnn default_prop:file { map };

tracking_denials/hal_power_default.te

@@ -0,0 +1,15 @@
+# b/171760921
+dontaudit hal_power_default hal_power_default:capability { dac_override };
+# b/178331773
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+dontaudit hal_power_default sysfs:file { write };
+dontaudit hal_power_default sysfs:file { open };
+# b/178752616
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+dontaudit hal_power_default sysfs:file { read };
+dontaudit hal_power_default sysfs:file { getattr };
+# b/181713002
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };
+dontaudit hal_power_default hal_graphics_composer_default:binder { transfer };

tracking_denials/hal_power_stats_default.te

@@ -0,0 +1,68 @@
+# b/171760721
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default citadeld:binder { call };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { getattr };
+dontaudit hal_power_stats_default sysfs:dir { read };
+dontaudit hal_power_stats_default sysfs:dir { open };
+dontaudit hal_power_stats_default sysfs:file { read };
+dontaudit hal_power_stats_default sysfs:file { open };
+dontaudit hal_power_stats_default sysfs:file { open };
+# b/176777337
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+dontaudit hal_power_stats_default sysfs_leds:file read ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+# b/176868314
+dontaudit hal_power_stats_default sysfs_leds:file read ;
+dontaudit hal_power_stats_default sysfs_leds:file open ;
+dontaudit hal_power_stats_default sysfs_leds:dir search ;
+# b/179093124
+dontaudit hal_power_stats_default sysfs_backlight:file { open };
+dontaudit hal_power_stats_default sysfs_backlight:file { read };
+dontaudit hal_power_stats_default sysfs_backlight:file { open };
+dontaudit hal_power_stats_default sysfs_backlight:dir { search };
+dontaudit hal_power_stats_default sysfs_backlight:dir { search };
+dontaudit hal_power_stats_default sysfs_backlight:file { read };
+# b/180963514
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:dir { search };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+dontaudit hal_power_stats_default sysfs_aoc:file { open };
+dontaudit hal_power_stats_default sysfs_aoc:file { getattr };
+dontaudit hal_power_stats_default sysfs_aoc:file { read };
+# b/181915165
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { getattr };
+dontaudit hal_power_stats_default sysfs_wifi:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { getattr };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { open };
+dontaudit hal_power_stats_default sysfs_acpm_stats:file { read };
+dontaudit hal_power_stats_default sysfs_acpm_stats:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:dir { search };
+dontaudit hal_power_stats_default sysfs_wifi:file { read };

tracking_denials/hal_vibrator_default.te

@@ -0,0 +1,2 @@
+# b/174961422
+dontaudit hal_vibrator_default property_type:file * ;

tracking_denials/hal_wifi_ext.te

@@ -0,0 +1,4 @@
+# b/177966433
+dontaudit hal_wifi_ext vendor_default_prop:property_service { set };
+dontaudit hal_wifi_ext grilservice_app:binder { call };
+dontaudit hal_wifi_ext grilservice_app:binder { call };

tracking_denials/hardware_info_app.te

@@ -0,0 +1,18 @@
+# b/181177926
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { read };
+dontaudit hardware_info_app sysfs:file { read };
+dontaudit hardware_info_app sysfs:file { open };
+dontaudit hardware_info_app sysfs:file { getattr };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:dir { search };
+dontaudit hardware_info_app sysfs_scsi_devices_0000:file { read };
+dontaudit hardware_info_app sysfs_batteryinfo:dir { search };
+# b/181914888
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };
+# b/181915166
+dontaudit hardware_info_app sysfs_batteryinfo:file { getattr };
+dontaudit hardware_info_app sysfs_batteryinfo:file { open };
+dontaudit hardware_info_app vendor_regmap_debugfs:dir { search };

tracking_denials/incidentd.te

@@ -0,0 +1,139 @@
+# b/176868159
+dontaudit incidentd apk_verity_prop:file getattr ;
+dontaudit incidentd apk_verity_prop:file map ;
+dontaudit incidentd apk_verity_prop:file getattr ;
+dontaudit incidentd apk_verity_prop:file open ;
+dontaudit incidentd apexd_prop:file map ;
+dontaudit incidentd apexd_prop:file getattr ;
+dontaudit incidentd apexd_prop:file getattr ;
+dontaudit incidentd apexd_prop:file map ;
+dontaudit incidentd apk_verity_prop:file open ;
+dontaudit incidentd apk_verity_prop:file map ;
+# b/177176812
+dontaudit incidentd audio_config_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file map ;
+dontaudit incidentd ab_update_gki_prop:file getattr ;
+dontaudit incidentd audio_config_prop:file open ;
+dontaudit incidentd aac_drc_prop:file map ;
+dontaudit incidentd aac_drc_prop:file getattr ;
+dontaudit incidentd aac_drc_prop:file open ;
+dontaudit incidentd aac_drc_prop:file open ;
+dontaudit incidentd ab_update_gki_prop:file map ;
+dontaudit incidentd aac_drc_prop:file map ;
+dontaudit incidentd ab_update_gki_prop:file getattr ;
+dontaudit incidentd aac_drc_prop:file getattr ;
+dontaudit incidentd ab_update_gki_prop:file open ;
+# b/177389412
+dontaudit incidentd audio_config_prop:file { getattr };
+dontaudit incidentd audio_config_prop:file { getattr };
+dontaudit incidentd audio_config_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { open };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { map };
+dontaudit incidentd nfc_service:service_manager { find };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { open };
+dontaudit incidentd audio_config_prop:file { map };
+dontaudit incidentd bluetooth_a2dp_offload_prop:file { getattr };
+# b/177614642
+dontaudit incidentd bluetooth_audio_hal_prop:file { map };
+dontaudit incidentd bluetooth_audio_hal_prop:file { open };
+dontaudit incidentd bluetooth_prop:file { map };
+dontaudit incidentd bluetooth_prop:file { getattr };
+dontaudit incidentd bluetooth_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { map };
+dontaudit incidentd bluetooth_audio_hal_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { open };
+dontaudit incidentd bluetooth_prop:file { map };
+dontaudit incidentd bluetooth_prop:file { getattr };
+dontaudit incidentd bluetooth_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { open };
+dontaudit incidentd bluetooth_audio_hal_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { open };
+# b/177778217
+dontaudit incidentd boottime_public_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { getattr };
+dontaudit incidentd bpf_progs_loaded_prop:file { open };
+dontaudit incidentd boottime_public_prop:file { map };
+dontaudit incidentd boottime_public_prop:file { getattr };
+dontaudit incidentd boottime_public_prop:file { open };
+dontaudit incidentd boottime_prop:file { map };
+dontaudit incidentd bpf_progs_loaded_prop:file { getattr };
+dontaudit incidentd bpf_progs_loaded_prop:file { open };
+dontaudit incidentd boottime_public_prop:file { map };
+dontaudit incidentd boottime_prop:file { getattr };
+dontaudit incidentd boottime_prop:file { map };
+dontaudit incidentd boottime_public_prop:file { open };
+dontaudit incidentd bpf_progs_loaded_prop:file { getattr };
+# b/177860841
+dontaudit incidentd build_bootimage_prop:file { map };
+dontaudit incidentd build_config_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { open };
+dontaudit incidentd bpf_progs_loaded_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { open };
+dontaudit incidentd build_bootimage_prop:file { getattr };
+dontaudit incidentd build_bootimage_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { getattr };
+dontaudit incidentd build_config_prop:file { map };
+dontaudit incidentd bpf_progs_loaded_prop:file { map };
+dontaudit incidentd build_bootimage_prop:file { open };
+dontaudit incidentd build_config_prop:file { open };
+dontaudit incidentd build_config_prop:file { map };
+# b/178752460
+dontaudit incidentd camera_calibration_prop:file { open };
+dontaudit incidentd charger_config_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { open };
+dontaudit incidentd camera_calibration_prop:file { map };
+dontaudit incidentd camera_calibration_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { getattr };
+dontaudit incidentd camera_calibration_prop:file { open };
+dontaudit incidentd camera_calibration_prop:file { getattr };
+dontaudit incidentd camera_calibration_prop:file { map };
+dontaudit incidentd charger_config_prop:file { open };
+# b/179310909
+dontaudit incidentd charger_status_prop:file { open };
+dontaudit incidentd charger_prop:file { open };
+dontaudit incidentd charger_prop:file { getattr };
+dontaudit incidentd charger_prop:file { map };
+dontaudit incidentd charger_status_prop:file { open };
+dontaudit incidentd charger_status_prop:file { getattr };
+dontaudit incidentd charger_status_prop:file { map };
+dontaudit incidentd charger_config_prop:file { map };
+dontaudit incidentd charger_status_prop:file { map };
+dontaudit incidentd charger_status_prop:file { getattr };
+dontaudit incidentd charger_config_prop:file { map };
+dontaudit incidentd charger_prop:file { open };
+dontaudit incidentd charger_prop:file { getattr };
+dontaudit incidentd charger_prop:file { map };
+# b/179437463
+dontaudit incidentd cold_boot_done_prop:file { map };
+dontaudit incidentd cold_boot_done_prop:file { getattr };
+dontaudit incidentd cpu_variant_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { getattr };
+dontaudit incidentd cold_boot_done_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { map };
+dontaudit incidentd cpu_variant_prop:file { open };
+dontaudit incidentd cold_boot_done_prop:file { getattr };
+dontaudit incidentd cold_boot_done_prop:file { open };
+dontaudit incidentd cold_boot_done_prop:file { open };
+dontaudit incidentd cpu_variant_prop:file { open };
+dontaudit incidentd cpu_variant_prop:file { getattr };
+# b/180963481
+dontaudit incidentd ctl_bootanim_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { getattr };
+dontaudit incidentd ctl_adbd_prop:file { map };
+dontaudit incidentd ctl_apexd_prop:file { getattr };
+dontaudit incidentd ctl_apexd_prop:file { map };
+dontaudit incidentd ctl_adbd_prop:file { open };
+dontaudit incidentd ctl_adbd_prop:file { getattr };
+dontaudit incidentd ctl_adbd_prop:file { map };
+dontaudit incidentd ctl_apexd_prop:file { open };
+dontaudit incidentd ctl_apexd_prop:file { getattr };
+dontaudit incidentd ctl_apexd_prop:file { map };
+dontaudit incidentd ctl_bootanim_prop:file { open };
+dontaudit incidentd ctl_apexd_prop:file { open };
+# b/181177909
+dontaudit incidentd property_type:file *;

tracking_denials/init-thermal-symlinks-sh.te

@@ -0,0 +1,9 @@
+# b/177862403
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };
+dontaudit init-thermal-symlinks-sh sysfs_thermal:lnk_file { read };

tracking_denials/init.te

@@ -0,0 +1,20 @@
+# b/177966144
+dontaudit init sysfs:file { open };
+dontaudit init sysfs:file { setattr };
+dontaudit init sysfs:file { open };
+dontaudit init sysfs:file { write };
+dontaudit init sysfs:file { setattr };
+dontaudit init sysfs:file { write };
+# b/178979985
+dontaudit init device:chr_file { ioctl };
+dontaudit init modem_img_file:dir { mounton };
+dontaudit init device:chr_file { open };
+dontaudit init device:chr_file { read write };
+dontaudit init modem_img_file:dir { mounton };
+dontaudit init device:chr_file { ioctl };
+dontaudit init device:chr_file { open };
+dontaudit init device:chr_file { read write };
+# b/180963348
+dontaudit init overlayfs_file:chr_file { unlink };
+dontaudit init unlabeled:dir { mounton };
+dontaudit init overlayfs_file:file { rename };

tracking_denials/mediacodec.te

@@ -0,0 +1,6 @@
+# b/172173484
+dontaudit mediacodec sysfs:file { getattr };
+dontaudit mediacodec sysfs:file { open };
+dontaudit mediacodec sysfs:file { read };
+# b/176777184
+dontaudit mediacodec default_android_vndservice:service_manager add ;

tracking_denials/modem_logging_control.te

@@ -0,0 +1,13 @@
+# b/176777145
+dontaudit modem_logging_control vendor_sys_default_prop:property_service set ;
+# b/176851633
+dontaudit modem_logging_control vendor_sys_default_prop:file { read };
+dontaudit modem_logging_control vendor_sys_default_prop:file { read };
+dontaudit modem_logging_control vendor_sys_default_prop:file { open };
+dontaudit modem_logging_control vendor_sys_default_prop:file { getattr };
+dontaudit modem_logging_control vendor_sys_default_prop:file { map };
+dontaudit modem_logging_control vendor_sys_default_prop:file { open };
+dontaudit modem_logging_control vendor_sys_default_prop:file { getattr };
+dontaudit modem_logging_control vendor_sys_default_prop:file { map };
+# b/176868315
+dontaudit modem_logging_control vendor_sys_default_prop:property_service set ;

tracking_denials/pixelstats_vendor.te

@@ -0,0 +1,4 @@
+# b/181914749
+dontaudit pixelstats_vendor servicemanager:binder { call };
+# b/181915066
+dontaudit pixelstats_vendor servicemanager:binder { call };

tracking_denials/platform_app.te

@@ -0,0 +1,8 @@
+# b/178433506
+dontaudit platform_app property_type:file *;
+# b/179093352
+dontaudit platform_app hal_wlc:binder { transfer };
+dontaudit platform_app hal_wlc:binder { call };
+dontaudit platform_app hal_wlc_hwservice:hwservice_manager { find };
+dontaudit platform_app hal_wlc:binder { call };
+dontaudit platform_app hal_wlc:binder { transfer };

tracking_denials/priv_app.te

@@ -0,0 +1,51 @@
+# b/180551518
+dontaudit priv_app apk_verity_prop:file { getattr };
+dontaudit priv_app audio_config_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app audio_config_prop:file { open };
+dontaudit priv_app apk_verity_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { getattr };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app apk_verity_prop:file { getattr };
+dontaudit priv_app apk_verity_prop:file { map };
+dontaudit priv_app audio_config_prop:file { open };
+dontaudit priv_app audio_config_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { open };
+dontaudit priv_app apexd_prop:file { getattr };
+dontaudit priv_app apexd_prop:file { map };
+dontaudit priv_app apk_verity_prop:file { open };
+dontaudit priv_app apk_verity_prop:file { getattr };
+# b/180567612
+dontaudit priv_app audio_config_prop:file { map };
+dontaudit priv_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit priv_app bluetooth_audio_hal_prop:file { map };
+dontaudit priv_app bluetooth_prop:file { open };
+dontaudit priv_app bluetooth_prop:file { getattr };
+dontaudit priv_app bluetooth_audio_hal_prop:file { open };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit priv_app audio_config_prop:file { map };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { open };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit priv_app bluetooth_a2dp_offload_prop:file { map };
+dontaudit priv_app bluetooth_audio_hal_prop:file { open };
+dontaudit priv_app bluetooth_audio_hal_prop:file { getattr };
+dontaudit priv_app bluetooth_audio_hal_prop:file { map };
+dontaudit priv_app bluetooth_prop:file { open };
+dontaudit priv_app bluetooth_prop:file { getattr };
+# b/180656244
+dontaudit priv_app property_type:file *;
+# b/180858511
+dontaudit priv_app hal_neuralnetworks_armnn:binder { call };
+dontaudit priv_app hal_neuralnetworks_armnn:binder { call };

tracking_denials/rild.te

@@ -0,0 +1,16 @@
+# b/178980065
+dontaudit rild unlabeled:dir { search };
+dontaudit rild unlabeled:lnk_file { read };
+dontaudit rild unlabeled:dir { search };
+dontaudit rild unlabeled:lnk_file { read };
+# b/179198085
+dontaudit rild unlabeled:file { ioctl };
+dontaudit rild unlabeled:file { open };
+dontaudit rild unlabeled:file { read };
+dontaudit rild unlabeled:file { getattr };
+dontaudit rild unlabeled:file { lock };
+dontaudit rild unlabeled:file { ioctl };
+dontaudit rild unlabeled:file { open };
+dontaudit rild unlabeled:file { read };
+dontaudit rild unlabeled:file { getattr };
+dontaudit rild unlabeled:file { lock };

tracking_denials/scd.te

@@ -0,0 +1,13 @@
+# b/173969190
+dontaudit scd vendor_data_file:dir { write };
+dontaudit scd vendor_data_file:dir { add_name };
+dontaudit scd vendor_data_file:dir { write };
+dontaudit scd vendor_data_file:file { create };
+dontaudit scd vendor_data_file:file { lock };
+dontaudit scd vendor_data_file:file { create };
+dontaudit scd vendor_data_file:file { lock };
+dontaudit scd vendor_data_file:file { open };
+dontaudit scd vendor_data_file:file { write };
+dontaudit scd vendor_data_file:file { write };
+dontaudit scd vendor_data_file:file { open };
+dontaudit scd vendor_data_file:dir { add_name };

tracking_denials/sced.te

@@ -0,0 +1,10 @@
+# b/171760846
+dontaudit sced hwservicemanager:binder { call };
+dontaudit sced hidl_base_hwservice:hwservice_manager { add };
+dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { add };
+dontaudit sced hal_vendor_oem_hwservice:hwservice_manager { find };
+dontaudit sced hwservicemanager_prop:file { read };
+dontaudit sced hwservicemanager_prop:file { open };
+dontaudit sced hwservicemanager:binder { transfer };
+dontaudit sced hwservicemanager_prop:file { map };
+dontaudit sced hwservicemanager_prop:file { getattr };

tracking_denials/shell.te

@@ -0,0 +1,7 @@
+# b/171760597
+dontaudit shell property_type:file *;
+# b/178979984
+dontaudit shell device:chr_file { ioctl };
+dontaudit shell device:chr_file { read write };
+dontaudit shell device:chr_file { read write };
+dontaudit shell device:chr_file { ioctl };

tracking_denials/surfaceflinger.te

@@ -0,0 +1,12 @@
+# b/176868297
+dontaudit surfaceflinger hal_graphics_composer_default:dir search ;
+# b/177176899
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file read ;
+dontaudit surfaceflinger hal_graphics_composer_default:file open ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;
+dontaudit surfaceflinger hal_graphics_composer_default:file getattr ;

tracking_denials/system_app.te

@@ -0,0 +1,4 @@
+# b/178433618
+dontaudit system_app property_type:file *;
+# b/179435036
+dontaudit system_app default_android_service:service_manager { add };

tracking_denials/system_server.te

@@ -0,0 +1,2 @@
+# b/178980142
+dontaudit system_server property_type:file *;

tracking_denials/tee.te

@@ -0,0 +1,11 @@
+# b/173971240
+dontaudit tee persist_file:file { open };
+dontaudit tee tee_data_file:lnk_file { read };
+dontaudit tee mnt_vendor_file:dir { search };
+dontaudit tee persist_file:dir { search };
+dontaudit tee persist_file:file { open };
+dontaudit tee persist_file:file { read write };
+dontaudit tee persist_file:dir { search };
+dontaudit tee mnt_vendor_file:dir { search };
+dontaudit tee tee_data_file:lnk_file { read };
+dontaudit tee persist_file:file { read write };

tracking_denials/trusty_apploader.te

@@ -0,0 +1,9 @@
+# b/180874342
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { read };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { open };
+dontaudit trusty_apploader dmabuf_system_heap_device:chr_file { ioctl };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };
+dontaudit trusty_apploader trusty_apploader:capability { dac_override };

tracking_denials/untrusted_app.te

@@ -0,0 +1,14 @@
+# b/178331791
+dontaudit untrusted_app selinuxfs:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { map };
+dontaudit untrusted_app vendor_camera_prop:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { getattr };
+dontaudit untrusted_app selinuxfs:file { read };
+dontaudit untrusted_app selinuxfs:file { read };
+dontaudit untrusted_app selinuxfs:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { open };
+dontaudit untrusted_app vendor_camera_prop:file { getattr };
+dontaudit untrusted_app vendor_camera_prop:file { map };
+# b/178433597
+dontaudit untrusted_app vendor_camera_prop:file { read };
+dontaudit untrusted_app vendor_camera_prop:file { read };

tracking_denials/untrusted_app_25.te

@@ -0,0 +1,149 @@
+# b/177389321
+dontaudit untrusted_app_25 ab_update_gki_prop:file { map };
+dontaudit untrusted_app_25 aac_drc_prop:file { open };
+dontaudit untrusted_app_25 ab_update_gki_prop:file { getattr };
+dontaudit untrusted_app_25 ab_update_gki_prop:file { open };
+dontaudit untrusted_app_25 aac_drc_prop:file { map };
+dontaudit untrusted_app_25 aac_drc_prop:file { getattr };
+# b/177614659
+dontaudit untrusted_app_25 apk_verity_prop:file { open };
+dontaudit untrusted_app_25 apexd_prop:file { getattr };
+dontaudit untrusted_app_25 apexd_prop:file { open };
+dontaudit untrusted_app_25 apexd_prop:file { map };
+dontaudit untrusted_app_25 apk_verity_prop:file { map };
+dontaudit untrusted_app_25 audio_config_prop:file { open };
+dontaudit untrusted_app_25 audio_config_prop:file { getattr };
+dontaudit untrusted_app_25 audio_config_prop:file { map };
+dontaudit untrusted_app_25 apk_verity_prop:file { getattr };
+# b/177616188
+dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { open };
+dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { getattr };
+dontaudit untrusted_app_25 bluetooth_a2dp_offload_prop:file { map };
+dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { open };
+dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { getattr };
+dontaudit untrusted_app_25 bluetooth_audio_hal_prop:file { map };
+dontaudit untrusted_app_25 bluetooth_prop:file { open };
+dontaudit untrusted_app_25 bluetooth_prop:file { getattr };
+dontaudit untrusted_app_25 bluetooth_prop:file { map };
+# b/177778551
+dontaudit untrusted_app_25 boottime_public_prop:file { open };
+dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { getattr };
+dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { map };
+dontaudit untrusted_app_25 boottime_prop:file { open };
+dontaudit untrusted_app_25 boottime_prop:file { getattr };
+dontaudit untrusted_app_25 boottime_prop:file { map };
+dontaudit untrusted_app_25 bootloader_boot_reason_prop:file { open };
+# b/177778793
+dontaudit untrusted_app_25 boottime_public_prop:file { getattr };
+dontaudit untrusted_app_25 boottime_public_prop:file { map };
+dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { open };
+dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { getattr };
+dontaudit untrusted_app_25 bpf_progs_loaded_prop:file { map };
+dontaudit untrusted_app_25 build_bootimage_prop:file { open };
+dontaudit untrusted_app_25 build_bootimage_prop:file { getattr };
+dontaudit untrusted_app_25 build_bootimage_prop:file { map };
+dontaudit untrusted_app_25 build_config_prop:file { open };
+# b/177860838
+dontaudit untrusted_app_25 charger_status_prop:file { open };
+dontaudit untrusted_app_25 charger_prop:file { map };
+dontaudit untrusted_app_25 charger_prop:file { getattr };
+dontaudit untrusted_app_25 charger_prop:file { open };
+dontaudit untrusted_app_25 charger_config_prop:file { map };
+dontaudit untrusted_app_25 charger_config_prop:file { getattr };
+dontaudit untrusted_app_25 build_config_prop:file { map };
+dontaudit untrusted_app_25 build_config_prop:file { getattr };
+dontaudit untrusted_app_25 charger_config_prop:file { open };
+# b/177862777
+dontaudit untrusted_app_25 charger_status_prop:file { getattr };
+dontaudit untrusted_app_25 charger_status_prop:file { map };
+dontaudit untrusted_app_25 cold_boot_done_prop:file { open };
+dontaudit untrusted_app_25 cold_boot_done_prop:file { getattr };
+dontaudit untrusted_app_25 cold_boot_done_prop:file { map };
+dontaudit untrusted_app_25 cpu_variant_prop:file { open };
+dontaudit untrusted_app_25 cpu_variant_prop:file { getattr };
+dontaudit untrusted_app_25 cpu_variant_prop:file { map };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { open };
+# b/178752409
+dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { open };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { map };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { map };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { open };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { map };
+dontaudit untrusted_app_25 ctl_adbd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { map };
+dontaudit untrusted_app_25 ctl_bootanim_prop:file { map };
+dontaudit untrusted_app_25 ctl_bootanim_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bootanim_prop:file { open };
+dontaudit untrusted_app_25 ctl_apexd_prop:file { getattr };
+# b/178753151
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { open };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { map };
+dontaudit untrusted_app_25 ctl_console_prop:file { open };
+dontaudit untrusted_app_25 ctl_console_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_console_prop:file { map };
+dontaudit untrusted_app_25 ctl_default_prop:file { open };
+dontaudit untrusted_app_25 ctl_default_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { open };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_bugreport_prop:file { map };
+dontaudit untrusted_app_25 ctl_console_prop:file { open };
+dontaudit untrusted_app_25 ctl_console_prop:file { getattr };
+# b/179310875
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { open };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { map };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open };
+dontaudit untrusted_app_25 ctl_default_prop:file { map };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { open };
+dontaudit untrusted_app_25 ctl_default_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { open };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { map };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_fuse_prop:file { open };
+dontaudit untrusted_app_25 ctl_dumpstate_prop:file { getattr };
+# b/179437293
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+# b/179437737
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_start_prop:file { map };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_gsid_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_restart_prop:file { map };
+# b/180963328
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { map };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { getattr };
+dontaudit untrusted_app_25 ctl_mdnsd_prop:file { open };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { map };
+dontaudit untrusted_app_25 ctl_interface_stop_prop:file { getattr };
+# b/180963587
+dontaudit untrusted_app_25 property_type:file *;

tracking_denials/update_engine.te

@@ -0,0 +1,5 @@
+# b/174961421
+dontaudit update_engine dumpstate:fifo_file write ;
+dontaudit update_engine dumpstate:fifo_file write ;
+dontaudit update_engine dumpstate:fd use ;
+dontaudit update_engine dumpstate:fd use ;

tracking_denials/vendor_init.te

@@ -0,0 +1,20 @@
+# b/176528556
+dontaudit vendor_init tmpfs:dir { add_name write };
+# b/176528557
+dontaudit vendor_init debugfs_trace_marker:file { getattr };
+# b/177186257
+dontaudit vendor_init system_data_file:dir { open ioctl read };
+# b/174443175
+dontaudit vendor_init vendor_power_prop:property_service { set };
+# b/177386448
+dontaudit vendor_init device:file { create };
+dontaudit vendor_init device:file { create };
+# b/178980032
+dontaudit vendor_init unlabeled:dir { setattr };
+dontaudit vendor_init unlabeled:dir { read };
+dontaudit vendor_init unlabeled:dir { search };
+dontaudit vendor_init unlabeled:dir { search };
+dontaudit vendor_init unlabeled:dir { open };
+dontaudit vendor_init unlabeled:dir { read };
+dontaudit vendor_init unlabeled:dir { setattr };
+dontaudit vendor_init unlabeled:dir { open };

tracking_denials/vendor_telephony_app.te

@@ -0,0 +1,21 @@
+# b/174961423
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file open ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file read ;
+dontaudit vendor_telephony_app system_app_data_file:dir search ;
+dontaudit vendor_telephony_app system_app_data_file:dir getattr ;
+dontaudit vendor_telephony_app system_data_file:dir search ;
+# b/176868380
+dontaudit vendor_telephony_app user_profile_root_file:dir search ;
+dontaudit vendor_telephony_app user_profile_root_file:dir search ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file getattr ;
+dontaudit vendor_telephony_app vendor_persist_sys_default_prop:file map ;
+dontaudit vendor_telephony_app vendor_slog_file:dir search ;
+# b/177176900
+dontaudit vendor_telephony_app vendor_rild_prop:file getattr ;
+dontaudit vendor_telephony_app vendor_rild_prop:file open ;
+dontaudit vendor_telephony_app vendor_rild_prop:file read ;
+dontaudit vendor_telephony_app vendor_rild_prop:file map ;
+# b/179437464
+dontaudit vendor_telephony_app activity_service:service_manager { find };
+dontaudit vendor_telephony_app thermal_service:service_manager { find };
+dontaudit vendor_telephony_app tethering_service:service_manager { find };

usf/file.te

@@ -0,0 +1,12 @@
+#
+# USF file SELinux type enforcements.
+#
+
+# Declare the sensor registry persist file type. By convention, persist file
+# types begin with "persist_".
+type persist_sensor_reg_file, file_type, vendor_persist_type;
+
+# Declare the sensor registry data file type. By convention, data file types
+# end with "data_file".
+type sensor_reg_data_file, file_type, data_file_type;
+

usf/file_contexts

@@ -0,0 +1,10 @@
+#
+# USF SELinux file security contexts.
+#
+
+# Sensor registry persist files.
+/mnt/vendor/persist/sensors/registry(/.*)? u:object_r:persist_sensor_reg_file:s0
+
+# Sensor registry data files.
+/data/vendor/sensors/registry(/.*)? u:object_r:sensor_reg_data_file:s0
+

usf/sensor_hal.te

@@ -0,0 +1,22 @@
+#
+# USF sensor HAL SELinux type enforcements.
+#
+
+# Allow reading of sensor registry persist files.
+allow hal_sensors_default persist_file:dir search;
+allow hal_sensors_default mnt_vendor_file:dir search;
+r_dir_file(hal_sensors_default, persist_sensor_reg_file)
+
+# Allow creation and writing of sensor registry data files.
+allow hal_sensors_default sensor_reg_data_file:dir rw_dir_perms;
+allow hal_sensors_default sensor_reg_data_file:file create_file_perms;
+
+# Allow access to the AoC communication driver.
+allow hal_sensors_default aoc_device:chr_file rw_file_perms;
+
+# Allow access to the AoC clock and kernel boot time sys FS node. This is needed
+# to synchronize the AP and AoC clock timestamps.
+allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
+
+# Allow create thread to watch AOC's device.
+allow hal_sensors_default device:dir r_dir_perms;

whitechapel/vendor/google/abox.te

@@ -0,0 +1,4 @@
+type abox, domain;
+type abox_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(abox)
+

whitechapel/vendor/google/aocd.te

@@ -0,0 +1,14 @@
+type aocd, domain;
+type aocd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocd)
+
+# access persist files
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+
+# sysfs operations
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+
+# dev operations
+allow aocd aoc_device:chr_file r_file_perms;

whitechapel/vendor/google/aocdump.te

@@ -0,0 +1,16 @@
+type aocdump, domain;
+type aocdump_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(aocdump)
+
+userdebug_or_eng(`
+    # Permit communication with AoC
+    allow aocdump aoc_device:chr_file rw_file_perms;
+
+    allow aocdump radio_vendor_data_file:dir rw_dir_perms;
+    allow aocdump radio_vendor_data_file:file create_file_perms;
+    set_prop(aocdump, vendor_audio_prop);
+
+    allow aocdump self:unix_stream_socket create_stream_socket_perms;
+    allow aocdump property_socket:sock_file { write };
+    allow aocdump audio_vendor_data_file:sock_file { create unlink };
+')

whitechapel/vendor/google/attributes

@@ -0,0 +1 @@
+attribute vendor_persist_type;

whitechapel/vendor/google/bipchmgr.te

@@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)

whitechapel/vendor/google/bootanim.te

@@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;

whitechapel/vendor/google/bootdevice_sysdev.te

@@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;

whitechapel/vendor/google/cbd.te

@@ -0,0 +1,44 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+  allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+

whitechapel/vendor/google/chre.te

@@ -0,0 +1,13 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;

whitechapel/vendor/google/device.te

@@ -0,0 +1,52 @@
+# Block Devices
+type efs_block_device, dev_type;
+type fat_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type vendor_block_device, dev_type;
+type sda_block_device, dev_type;
+
+# Exynos devices
+type vendor_m2m1shot_device, dev_type;
+type vendor_gnss_device, dev_type;
+type vendor_nanohub_device, dev_type;
+type vendor_secmem_device, dev_type;
+type pktrouter_device, dev_type;
+type vendor_toe_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type tui_device, dev_type;
+
+# usbpd
+type logbuffer_device, dev_type;
+
+# EdgeTPU device (DarwiNN)
+type edgetpu_device, dev_type, mlstrustedobject;
+
+#cpuctl
+type cpuctl_device, dev_type;
+
+# Bt Wifi Coexistence device
+type wb_coexistence_dev, dev_type;
+
+# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
+type lwis_device, dev_type;
+
+# sensor direct DMA-BUF heap
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+
+#faceauth DMA-BUF heaps
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vframe-secure DMA-BUF heap
+type vframe_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vscaler-secure DMA-BUF heap
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+
+# subsystem-coredump
+type sscoredump_device, dev_type;
+
+# AOC device
+type aoc_device, dev_type;

whitechapel/vendor/google/dmd.te

@@ -0,0 +1,29 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+add_hwservice(dmd, hal_vendor_oem_hwservice)
+binder_call(dmd, hwservicemanager)

whitechapel/vendor/google/domain.te

@@ -0,0 +1 @@
+allow {domain -appdomain -rs} sysfs_vendor_sched:file w_file_perms;

whitechapel/vendor/google/dumpstate.te

@@ -0,0 +1,4 @@
+dump_hal(hal_telephony)
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;

whitechapel/vendor/google/edgetpu_logging.te

@@ -0,0 +1,6 @@
+type edgetpu_logging, domain;
+type edgetpu_logging_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(edgetpu_logging)
+
+# The logging service accesses /dev/abrolhos
+allow edgetpu_logging edgetpu_device:chr_file rw_file_perms;

whitechapel/vendor/google/edgetpu_service.te

@@ -0,0 +1,28 @@
+# EdgeTPU server process which runs the EdgeTPU binder service.
+type edgetpu_server, coredomain, domain;
+type edgetpu_server_exec, exec_type, system_file_type, file_type;
+init_daemon_domain(edgetpu_server, edgetpu_server_exec)
+
+# The server will use binder calls.
+binder_use(edgetpu_server);
+
+# The server will serve a binder service.
+binder_service(edgetpu_server);
+
+# EdgeTPU binder service type declaration.
+type edgetpu_service, service_manager_type;
+
+# EdgeTPU server to register the service to service_manager.
+add_service(edgetpu_server, edgetpu_service);
+
+# EdgeTPU service needs to access /dev/abrolhos.
+allow edgetpu_server edgetpu_device:chr_file rw_file_perms;
+allow edgetpu_server sysfs_edgetpu:dir r_dir_perms;
+allow edgetpu_server sysfs_edgetpu:file rw_file_perms;
+
+# Applications are not allowed to open the EdgeTPU device directly.
+neverallow appdomain edgetpu_device:chr_file { open };
+
+# Allow EdgeTPU service access to its data files.
+allow edgetpu_server edgetpu_service_data_file:file create_file_perms;
+allow edgetpu_server edgetpu_service_data_file:dir rw_dir_perms;

whitechapel/vendor/google/exo_camera_injection/dumpstate.te

@@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)

whitechapel/vendor/google/exo_camera_injection/file_contexts

@@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.0-service  u:object_r:hal_exo_camera_injection_exec:s0

whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te

@@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;

whitechapel/vendor/google/exo_camera_injection/hwservice.te

@@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;

whitechapel/vendor/google/exo_camera_injection/hwservice_contexts

@@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection         u:object_r:hal_exo_camera_injection_hwservice:s0

whitechapel/vendor/google/exo_camera_injection/platform_app.te

@@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow platform_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(platform_app, hal_exo_camera_injection)

whitechapel/vendor/google/file.te

@@ -0,0 +1,177 @@
+# Exynos Data Files
+#type vendor_data_file, file_type, data_file_type;
+type vendor_cbd_boot_file, file_type, data_file_type;
+type vendor_media_data_file, file_type, data_file_type;
+
+# Exynos Log Files
+type vendor_log_file, file_type, data_file_type;
+type vendor_abox_log_file, file_type, data_file_type;
+type vendor_cbd_log_file, file_type, data_file_type;
+type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_dump_log_file, file_type, data_file_type;
+type vendor_rild_log_file, file_type, data_file_type;
+type vendor_sced_log_file, file_type, data_file_type;
+type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
+type vendor_telephony_log_file, file_type, data_file_type;
+type vendor_vcd_log_file, file_type, data_file_type;
+
+# app data files
+type vendor_test_data_file, file_type, data_file_type;
+type vendor_telephony_data_file, file_type, data_file_type;
+type vendor_ims_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type vendor_rpmbmock_data_file, file_type, data_file_type;
+
+# Exynos debugfs
+type vendor_abox_debugfs, fs_type, debugfs_type;
+type vendor_ion_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_dmabuf_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_mali_debugfs, fs_type, debugfs_type;
+type vendor_dri_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type, sysfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type, sysfs_type;
+
+# Exynos sysfs
+type sysfs_exynos_bts, sysfs_type, fs_type;
+type sysfs_exynos_bts_stats, sysfs_type, fs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# ACPM
+type sysfs_acpm_stats, sysfs_type, fs_type;
+
+# Vendor tools
+type vendor_usf_stats, vendor_file_type, file_type;
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Sensors
+type nanohub_lock_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sensors_cal_file, file_type;
+type sysfs_nanoapp_cmd, sysfs_type, fs_type;
+
+# CHRE
+type chre_socket, file_type;
+
+# IOMMU
+type sysfs_iommu, sysfs_type, fs_type;
+
+type sysfs_devicetree, sysfs_type, fs_type;
+type sysfs_mem, sysfs_type, fs_type;
+type sysfs_sscoredump_level, sysfs_type, fs_type;
+
+# WiFi
+type sysfs_wifi, sysfs_type, fs_type;
+
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# Subsystem coredump
+type sscoredump_vendor_data_coredump_file, file_type, data_file_type, mlstrustedobject;
+type sscoredump_vendor_data_crashinfo_file, file_type, data_file_type, mlstrustedobject;
+
+# Storage Health HAL
+type sysfs_scsi_devices_0000, sysfs_type, fs_type;
+type debugfs_f2fs, debugfs_type, fs_type;
+type proc_f2fs, proc_type, fs_type;
+
+type bootdevice_sysdev, dev_type;
+
+# ZRam
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# Touch
+type proc_touch, proc_type, fs_type, mlstrustedobject;
+type sysfs_touch, sysfs_type, fs_type;
+
+# AOC
+type sysfs_aoc_boottime, sysfs_type, fs_type;
+type sysfs_aoc_firmware, sysfs_type, fs_type;
+type sysfs_aoc, sysfs_type, fs_type;
+
+# Audio
+type persist_audio_file, file_type , vendor_persist_type;
+type audio_vendor_data_file, file_type, data_file_type;
+type aoc_audio_file, file_type, vendor_file_type;
+
+# Radio
+type radio_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+
+# RILD
+type rild_vendor_data_file, file_type, data_file_type;
+
+# Modem
+type modem_stat_data_file, file_type, data_file_type;
+type modem_efs_file, file_type;
+type modem_img_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+
+# Wireless
+type sysfs_wlc, sysfs_type, fs_type;
+
+# Kernel modules
+type vendor_kernel_modules, vendor_file_type, file_type;
+
+# Camera
+type persist_camera_file, file_type;
+type vendor_camera_tuning_file, vendor_file_type, file_type;
+type vendor_camera_data_file, file_type, data_file_type;
+
+# EdgeTPU device (DarwiNN)
+type hal_neuralnetworks_darwinn_data_file, file_type, data_file_type;
+
+# EdgeTPU
+type edgetpu_service_data_file, file_type, data_file_type, core_data_file_type;
+type sysfs_edgetpu, sysfs_type, fs_type;
+
+# Vendor sched files
+type sysfs_vendor_sched, sysfs_type, fs_type;
+
+# GPS
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+    typeattribute vendor_gps_file mlstrustedobject;
+')
+type sysfs_gps, sysfs_type, fs_type;
+
+# Display
+type sysfs_display, sysfs_type, fs_type;
+
+# Backlight
+type sysfs_backlight, sysfs_type, fs_type;
+
+# Charger
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# ODPM
+type odpm_config_file, file_type, data_file_type;
+type sysfs_odpm, sysfs_type, fs_type;
+
+# Chosen
+type sysfs_chosen, sysfs_type, fs_type;
+
+type sysfs_chip_id, sysfs_type, fs_type;
+type sysfs_spi, sysfs_type, fs_type;
+
+# subsystem-coredump
+type sscoredump_sysfs_level, sysfs_type, fs_type;
+
+# Battery
+type persist_battery_file, file_type, vendor_persist_type;
+
+# CPU
+type sysfs_cpu, sysfs_type, fs_type;
+
+# Memory
+type sysfs_memory, sysfs_type, fs_type;
+
+# bcmdhd (Broadcom FullMAC wireless cards support)
+type sysfs_bcmdhd, sysfs_type, fs_type;

whitechapel/vendor/google/file_contexts

@@ -0,0 +1,397 @@
+#
+# Exynos HAL
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.4-service\.widevine                    u:object_r:hal_drm_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@1\.3-service\.clearkey                    u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32                            u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service  u:object_r:hal_vendor_hwcservice_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service               u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service         u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.3-service\.gs101                       u:object_r:hal_usb_impl_exec:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos\.so                                              u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/libOpenCL\.so                                                  u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so                                            u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libdmabufheap\.so                                              u:object_r:same_process_hal_file:s0
+
+/vendor/bin/usf_stats                                                                           u:object_r:vendor_usf_stats:s0
+/vendor/bin/dumpsys                                                                             u:object_r:vendor_dumpsys:s0
+
+#
+# HALs
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.boot@1\.[0-2]-service-gs101                   u:object_r:hal_bootctl_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@1\.1-service-brcm                        u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@2\.0-service-brcm                        u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.gnss@[0-9]\.[0-9]-service-brcm                u:object_r:hal_gnss_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate@1\.0-service\.gs101                 u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101              u:object_r:hal_power_stats_default_exec:s0
+# Wireless charger HAL
+/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.2-service-vendor             u:object_r:hal_wlc_exec:s0
+
+# Vendor Firmwares
+/(vendor|system/vendor)/firmware(/.*)?                        u:object_r:vendor_fw_file:s0
+
+#
+# Exynos Block Devices
+#
+/dev/block/platform/14700000\.ufs/by-name/cache               u:object_r:cache_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs                 u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup          u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata      u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/fat                 u:object_r:fat_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab]          u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem               u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist             u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/system              u:object_r:system_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata            u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor              u:object_r:vendor_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp                 u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc                u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo             u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab]      u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab]           u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtb_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata            u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super               u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab]  u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab]    u:object_r:custom_ab_block_device:s0
+/dev/block/sda                                                u:object_r:sda_block_device:s0
+/dev/sys/block/bootdevice(/.*)?                               u:object_r:bootdevice_sysdev:s0
+
+#
+# Exynos Devices
+#
+/dev/gnss_ipc                  u:object_r:vendor_gnss_device:s0
+/dev/bbd_control               u:object_r:vendor_gnss_device:s0
+/dev/ttyBCM                    u:object_r:vendor_gnss_device:s0
+/dev/nanohub                   u:object_r:vendor_nanohub_device:s0
+/dev/nanohub_comms             u:object_r:vendor_nanohub_device:s0
+/dev/m2m1shot_scaler0          u:object_r:vendor_m2m1shot_device:s0
+/dev/radio0                    u:object_r:radio_device:s0
+/dev/dri/card0                 u:object_r:graphics_device:s0
+/dev/fimg2d                    u:object_r:graphics_device:s0
+/dev/g2d                       u:object_r:graphics_device:s0
+/dev/tsmux                     u:object_r:video_device:s0
+/dev/repeater                  u:object_r:video_device:s0
+/dev/scsc_h4_0                 u:object_r:radio_device:s0
+/dev/umts_boot0                u:object_r:radio_device:s0
+/dev/tui-driver                u:object_r:tui_device:s0
+/dev/logbuffer_usbpd           u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc            u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless        u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf             u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq            u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx             u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg           u:object_r:logbuffer_device:s0
+
+# DM tools device
+/dev/umts_dm0                  u:object_r:radio_device:s0
+/dev/umts_router               u:object_r:radio_device:s0
+
+# OEM IPC device
+/dev/oem_ipc[0-7]              u:object_r:radio_device:s0
+
+# SIPC RIL device
+/dev/umts_ipc0                 u:object_r:radio_device:s0
+/dev/umts_ipc1                 u:object_r:radio_device:s0
+/dev/umts_rfs0                 u:object_r:radio_device:s0
+/dev/ttyGS[0-3]                u:object_r:serial_device:s0
+/dev/watchdog0                 u:object_r:watchdog_device:s0
+
+# GPU device
+/dev/mali0                     u:object_r:gpu_device:s0
+/dev/s5p-smem                  u:object_r:vendor_secmem_device:s0
+/dev/umts_wfc[01]                 u:object_r:pktrouter_device:s0
+
+#
+# Exynos Daemon Exec
+#
+/(vendor|system/vendor)/bin/cbd                u:object_r:cbd_exec:s0
+/(vendor|system/vendor)/bin/dmd                u:object_r:dmd_exec:s0
+/(vendor|system/vendor)/bin/hw/scd             u:object_r:scd_exec:s0
+/(vendor|system/vendor)/bin/hw/gpsd            u:object_r:gpsd_exec:s0
+/(vendor|system/vendor)/bin/hw/lhd             u:object_r:lhd_exec:s0
+/(vendor|system/vendor)/bin/hw/rild_exynos     u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/main_abox          u:object_r:abox_exec:s0
+/(vendor|system/vendor)/bin/rfsd               u:object_r:rfsd_exec:s0
+/(vendor|system/vendor)/bin/rpmbd              u:object_r:rpmbd_exec:s0
+/(vendor|system/vendor)/bin/sced               u:object_r:sced_exec:s0
+/(vendor|system/vendor)/bin/vcd                u:object_r:vcd_exec:s0
+/(vendor|system/vendor)/bin/bipchmgr           u:object_r:bipchmgr_exec:s0
+
+# WFC
+/(vendor|system/vendor)/bin/wfc-pkt-router     u:object_r:pktrouter_exec:s0
+
+#
+# Exynos Data Files
+#
+# gnss/gps data/log files
+/data/vendor/gps(/.*)?       u:object_r:vendor_gps_file:s0
+
+#
+# Exynos Log Files
+#
+/data/vendor/log(/.*)?       u:object_r:vendor_log_file:s0
+/data/vendor/log/abox(/.*)?  u:object_r:vendor_abox_log_file:s0
+/data/vendor/log/cbd(/.*)?   u:object_r:vendor_cbd_log_file:s0
+/data/vendor/log/dmd(/.*)?   u:object_r:vendor_dmd_log_file:s0
+/data/vendor/log/rfsd(/.*)?  u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log/dump(/.*)?  u:object_r:vendor_dump_log_file:s0
+/data/vendor/log/rild(/.*)?  u:object_r:vendor_rild_log_file:s0
+/data/vendor/log/sced(/.*)?  u:object_r:vendor_sced_log_file:s0
+/data/vendor/log/slog(/.*)?  u:object_r:vendor_slog_file:s0
+/data/vendor/slog(/.*)?      u:object_r:vendor_slog_file:s0
+/data/vendor/log/vcd(/.*)?   u:object_r:vendor_vcd_log_file:s0
+
+/persist/sensorcal\.json     u:object_r:sensors_cal_file:s0
+
+# data files
+/data/vendor/mediadrm(/.*)?  u:object_r:mediadrm_vendor_data_file:s0
+
+# Camera
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google  u:object_r:hal_camera_default_exec:s0
+/vendor/lib64/camera                                                    u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/ghawb_para_lut\.bin                                u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/slider_.*\.binarypb                                u:object_r:vendor_camera_tuning_file:s0
+/vendor/bin/rlsservice                                                  u:object_r:rlsservice_exec:s0
+/mnt/vendor/persist/camera(/.*)?                                        u:object_r:persist_camera_file:s0
+/data/vendor/camera(/.*)?                                               u:object_r:vendor_camera_data_file:s0
+
+/dev/lwis-act0                                                          u:object_r:lwis_device:s0
+/dev/lwis-act1                                                          u:object_r:lwis_device:s0
+/dev/lwis-act-ak7377                                                    u:object_r:lwis_device:s0
+/dev/lwis-act-sem1215sa                                                 u:object_r:lwis_device:s0
+/dev/lwis-csi                                                           u:object_r:lwis_device:s0
+/dev/lwis-dpm                                                           u:object_r:lwis_device:s0
+/dev/lwis-eeprom0                                                       u:object_r:lwis_device:s0
+/dev/lwis-eeprom1                                                       u:object_r:lwis_device:s0
+/dev/lwis-eeprom2                                                       u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898128                                               u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s                                                u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x                                                u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx386                                         u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx663                                         u:object_r:lwis_device:s0
+/dev/lwis-eeprom-sem1215sa                                              u:object_r:lwis_device:s0
+/dev/lwis-flash0                                                        u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644                                                  u:object_r:lwis_device:s0
+/dev/lwis-g3aa                                                          u:object_r:lwis_device:s0
+/dev/lwis-gdc0                                                          u:object_r:lwis_device:s0
+/dev/lwis-gdc1                                                          u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align                                                    u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge                                                    u:object_r:lwis_device:s0
+/dev/lwis-ipp                                                           u:object_r:lwis_device:s0
+/dev/lwis-itp                                                           u:object_r:lwis_device:s0
+/dev/lwis-mcsc                                                          u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898128                                                  u:object_r:lwis_device:s0
+/dev/lwis-ois-sem1215sa                                                 u:object_r:lwis_device:s0
+/dev/lwis-pdp                                                           u:object_r:lwis_device:s0
+/dev/lwis-scsc                                                          u:object_r:lwis_device:s0
+/dev/lwis-sensor0                                                       u:object_r:lwis_device:s0
+/dev/lwis-sensor1                                                       u:object_r:lwis_device:s0
+/dev/lwis-sensor2                                                       u:object_r:lwis_device:s0
+/dev/lwis-sensor-gn1                                                    u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx386                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx586                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx663                                                 u:object_r:lwis_device:s0
+/dev/lwis-slc                                                           u:object_r:lwis_device:s0
+/dev/lwis-top                                                           u:object_r:lwis_device:s0
+/dev/lwis-votf                                                          u:object_r:lwis_device:s0
+
+# VIDEO
+/vendor/bin/hw/samsung\.hardware\.media\.c2@1\.0-service                u:object_r:mediacodec_exec:s0
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service                 u:object_r:mediacodec_exec:s0
+/data/vendor/media(/.*)?                                                u:object_r:vendor_media_data_file:s0
+
+# thermal sysfs files
+/sys/class/thermal(/.*)?               u:object_r:sysfs_thermal:s0
+/sys/devices/virtual/thermal(/.*)?     u:object_r:sysfs_thermal:s0
+
+
+# IMS VoWiFi
+/data/vendor/misc(/.*)?                u:object_r:vendor_misc_data_file:s0
+/data/vendor/VoWiFi(/.*)?              u:object_r:vendor_ims_data_file:s0
+
+# Sensors
+/data/vendor/sensor(/.*)?              u:object_r:sensor_vendor_data_file:s0
+/dev/acd-com.google.usf                u:object_r:aoc_device:s0
+/dev/acd-logging                       u:object_r:aoc_device:s0
+/dev/aoc                               u:object_r:aoc_device:s0
+
+# Contexthub
+/vendor/bin/hw/android\.hardware\.contexthub@1\.2-service\.small_fragments  u:object_r:hal_contexthub_default_exec:s0
+/(vendor|system/vendor)/bin/chre                                            u:object_r:chre_exec:s0
+/dev/socket/chre                                                            u:object_r:chre_socket:s0
+
+# Modem logging
+/vendor/bin/modem_logging_control   u:object_r:modem_logging_control_exec:s0
+
+# Audio logging
+/vendor/bin/aocdump                 u:object_r:aocdump_exec:s0
+
+# modem_svc_sit files
+/vendor/bin/modem_svc_sit           u:object_r:modem_svc_sit_exec:s0
+/data/vendor/modem_stat/debug\.txt  u:object_r:modem_stat_data_file:s0
+
+# modem mnt files
+/mnt/vendor/efs(/.*)?                                         u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)?                                  u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)?                                   u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)?                              u:object_r:modem_userdata_file:s0
+
+# Subsystem coredump
+/vendor/bin/sscoredump                         u:object_r:sscoredump_exec:s0
+/data/vendor/ssrdump(/.*)?                     u:object_r:sscoredump_vendor_data_crashinfo_file:s0
+/data/vendor/ssrdump/coredump(/.*)?            u:object_r:sscoredump_vendor_data_coredump_file:s0
+/dev/sscd_.*                                   u:object_r:sscoredump_device:s0
+
+# Kernel modules related
+/vendor/bin/init\.insmod\.sh    u:object_r:init-insmod-sh_exec:s0
+
+# NFC
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc@1\.2-service\.st                u:object_r:hal_nfc_default_exec:s0
+/dev/st21nfc                                                                          u:object_r:nfc_device:s0
+/data/nfc(/.*)?                                                                       u:object_r:nfc_data_file:s0
+
+# SecureElement
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service\.st     u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto     u:object_r:hal_secure_element_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2     u:object_r:hal_secure_element_default_exec:s0
+/dev/st54j_se                                                                         u:object_r:secure_element_device:s0
+/dev/st54spi                                                                          u:object_r:secure_element_device:s0
+/dev/st33spi                                                                          u:object_r:secure_element_device:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service    u:object_r:hal_secure_element_default_exec:s0
+
+# Bluetooth
+/(vendor|system/vendor)/bin/hw/android\.hardware\.bluetooth@1\.1-service\.bcmbtlinux    u:object_r:hal_bluetooth_btlinux_exec:s0
+/dev/wbrc                           u:object_r:wb_coexistence_dev:s0
+/dev/ttySAC16                       u:object_r:hci_attach_dev:s0
+
+# Audio
+/mnt/vendor/persist/audio(/.*)?     u:object_r:persist_audio_file:s0
+/data/vendor/audio(/.*)?            u:object_r:audio_vendor_data_file:s0
+/vendor/etc/aoc(/.*)?               u:object_r:aoc_audio_file:s0
+/dev/acd-audio_output_tuning        u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_tx              u:object_r:aoc_device:s0
+/dev/acd-audio_bulk_rx              u:object_r:aoc_device:s0
+/dev/acd-audio_input_tuning         u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_tx        u:object_r:aoc_device:s0
+/dev/acd-audio_input_bulk_rx        u:object_r:aoc_device:s0
+/dev/acd-sound_trigger              u:object_r:aoc_device:s0
+/dev/acd-hotword_notification       u:object_r:aoc_device:s0
+/dev/acd-hotword_pcm                u:object_r:aoc_device:s0
+/dev/acd-ambient_pcm                u:object_r:aoc_device:s0
+/dev/acd-model_data                 u:object_r:aoc_device:s0
+/dev/acd-debug                      u:object_r:aoc_device:s0
+/dev/acd-audio_tap[0-9]*            u:object_r:aoc_device:s0
+
+# Trusty
+/vendor/bin/securedpud.slider        u:object_r:securedpud_slider_exec:s0
+/vendor/bin/storageproxyd            u:object_r:tee_exec:s0
+/vendor/bin/trusty_apploader         u:object_r:trusty_apploader_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty                 u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.confirmationui@1\.0-service\.trusty\.vendor    u:object_r:hal_confirmationui_default_exec:s0
+/dev/trusty-ipc-dev0                 u:object_r:tee_device:s0
+/data/vendor/ss(/.*)?                u:object_r:tee_data_file:s0
+/mnt/vendor/persist/data/ss(/.*)?    u:object_r:tee_data_file:s0
+/dev/sg1                             u:object_r:sg_device:s0
+
+# Battery
+/mnt/vendor/persist/battery(/.*)?    u:object_r:persist_battery_file:s0
+
+# AoC file contexts.
+/vendor/bin/aocd   u:object_r:aocd_exec:s0
+
+# NeuralNetworks file contexts
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.2-service-armnn   u:object_r:hal_neuralnetworks_armnn_exec:s0
+/vendor/bin/hw/android\.hardware\.neuralnetworks@1\.3-service-darwinn u:object_r:hal_neuralnetworks_darwinn_exec:s0
+
+# GRIL
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service                 u:object_r:hal_radioext_default_exec:s0
+
+# Radio files.
+/data/vendor/radio(/.*)?                                                    u:object_r:radio_vendor_data_file:s0
+
+# RILD files
+/data/vendor/rild(/.*)?                                                     u:object_r:rild_vendor_data_file:s0
+
+# Citadel StrongBox
+/dev/gsc0                                                                   u:object_r:citadel_device:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos                      u:object_r:edgetpu_device:s0
+/vendor/bin/hw/android\.hardware\.edgetpu\.logging@service-edgetpu-logging u:object_r:edgetpu_logging_exec:s0
+/system_ext/bin/hw/vendor\.google\.edgetpu@1\.0-service u:object_r:edgetpu_server_exec:s0
+/vendor/lib64/libedgetpu_darwinn2\.so u:object_r:same_process_hal_file:s0
+/data/vendor/hal_neuralnetworks_darwinn(/.*)?           u:object_r:hal_neuralnetworks_darwinn_data_file:s0
+
+# EdgeTPU data file
+/data/edgetpu(/.*)?                                                         u:object_r:edgetpu_service_data_file:s0
+
+# Tetheroffload Service
+/dev/dit2                      u:object_r:vendor_toe_device:s0
+/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.0-service     u:object_r:hal_tetheroffload_default_exec:s0
+
+# pixelstats binary
+/vendor/bin/pixelstats-vendor           u:object_r:pixelstats_vendor_exec:s0
+
+# Vendor_kernel_modules
+/vendor/lib/modules/.*\.ko                                                    u:object_r:vendor_kernel_modules:s0
+
+# Display
+/vendor/lib(64)?/libion_google\.so                                               u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so                                                      u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.gs101\.so                                           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.gs101\.so                                            u:object_r:same_process_hal_file:s0
+
+# Fingerprint
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix        u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc           u:object_r:hal_fingerprint_default_exec:s0
+
+# ECC List
+/vendor/bin/init\.radio\.sh     u:object_r:init_radio_exec:s0
+
+# Zram
+/data/per_boot(/.*)?                                                          u:object_r:per_boot_file:s0
+
+# cpuctl
+/dev/cpuctl(/.*)?	                                                      u:object_r:cpuctl_device:s0
+
+# ODPM
+/data/vendor/powerstats(/.*)?                                              u:object_r:odpm_config_file:s0
+
+# sensor direct DMA-BUF heap
+/dev/dma_heap/sensor_direct_heap                                               u:object_r:sensor_direct_heap_device:s0
+
+# Console
+/dev/ttySAC0                                                                   u:object_r:tty_device:s0
+
+# faceauth DMA-BUF heaps
+/dev/dma_heap/faceauth_tpu-secure                                              u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure                                                     u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure                                                   u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure                                                    u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure                                                  u:object_r:faceauth_heap_device:s0
+
+# vframe-secure DMA-BUF heap
+/dev/dma_heap/vframe-secure                                                    u:object_r:vframe_heap_device:s0
+
+# vscaler-secure DMA-BUF heap
+/dev/dma_heap/vscaler-secure                                                   u:object_r:vscaler_heap_device:s0

whitechapel/vendor/google/fsck.te

@@ -0,0 +1,3 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;

whitechapel/vendor/google/genfs_contexts

@@ -0,0 +1,178 @@
+# AOC
+genfscon sysfs /devices/platform/19000000.aoc/aoc_clock_and_kernel_boottime u:object_r:sysfs_aoc_boottime:s0
+genfscon sysfs /devices/platform/19000000.aoc/firmware                      u:object_r:sysfs_aoc_firmware:s0
+genfscon sysfs /devices/platform/19000000.aoc                               u:object_r:sysfs_aoc:s0
+
+# WiFi
+genfscon sysfs /wifi                                                        u:object_r:sysfs_wifi:s0
+# Battery
+genfscon sysfs /devices/platform/google,battery/power_supply/battery            u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply                        u:object_r:sysfs_batteryinfo:s0
+
+#   Slider
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050                    u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-8/8-0050/power_supply       u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c                    u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10d10000.hsi2c/i2c-7/7-003c/power_supply       u:object_r:sysfs_batteryinfo:s0
+#   Whitefin
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050                    u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply       u:object_r:sysfs_batteryinfo:s0
+#   R4 / P7 LunchBox
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025                    u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-6/6-0025/power_supply       u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c                    u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-5/5-003c/power_supply       u:object_r:sysfs_batteryinfo:s0
+#   O6
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025                    u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply       u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c                    u:object_r:sysfs_wlc:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply       u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply       u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply       u:object_r:sysfs_batteryinfo:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply       u:object_r:sysfs_batteryinfo:s0
+
+# Storage
+genfscon debugfs /f2fs                                u:object_r:debugfs_f2fs:s0
+genfscon proc /fs/f2fs                                u:object_r:proc_f2fs:s0
+genfscon proc /sys/vm/swappiness                      u:object_r:proc_dirty:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_read_cnt           u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_write_cnt          u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_unmap_cnt          u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/slowio_sync_cnt           u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/manual_gc                 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/io_stats                  u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/req_stats                 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/err_stats                 u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/device_descriptor         u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/clkgate_enable            u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/hibern8_on_idle_enable    u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/health_descriptor         u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/host0/target0:0:0/0:0:0:  u:object_r:sysfs_scsi_devices_0000:s0
+genfscon sysfs /devices/platform/14700000.ufs/ufs_stats                 u:object_r:sysfs_scsi_devices_0000:s0
+
+# Vibrator
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-005a            u:object_r:sysfs_vibrator:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043            u:object_r:sysfs_vibrator:s0
+
+# System_suspend
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/main-charger/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/cpif/wakeup/wakeup                                           u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/wakeup/wakeup                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm/wakeup                          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/usb/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/wakeup/wakeup              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,battery/power_supply/battery/wakeup                   u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/gpio_keys/wakeup/wakeup                                      u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-7/7-002f/wakeup/wakeup             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/rtc/rtc0/alarmtimer.1.auto/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d40000.spi/spi_master/spi11/spi11.0/wakeup/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/11110000.usb/wakeup/wakeup                                   u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/s2mpg10-rtc/wakeup/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /sys/devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0036/power_supply/maxfg/wakeup        u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0050/power_supply/tcpm-source-psy-5-0050/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10960000.hsi2c/i2c-3/3-0008/wakeup/wakeup                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-6/6-001f/wakeup/wakeup             u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/19000000.aoc/usb_control/wakeup/wakeup                       u:object_r:sysfs_wakeup:s0
+
+# Touch
+genfscon sysfs /class/spi_master/spi11/spi11.0                                  u:object_r:sysfs_touch:s0
+genfscon proc  /fts/driver_test                                                 u:object_r:proc_touch:s0
+genfscon sysfs /devices/virtual/sec/tsp                                         u:object_r:sysfs_touch:s0
+
+# EdgeTPU
+genfscon sysfs /class/edgetpu                                                   u:object_r:sysfs_edgetpu:s0
+
+# Vendor sched files
+genfscon sysfs /kernel/vendor_sched/clear_prefer_high_cap                      u:object_r:sysfs_vendor_sched:s0
+genfscon sysfs /kernel/vendor_sched/set_prefer_high_cap                        u:object_r:sysfs_vendor_sched:s0
+genfscon sysfs /kernel/vendor_sched/prefer_high_cap_enable                     u:object_r:sysfs_vendor_sched:s0
+
+# GPS
+genfscon sysfs /devices/platform/10940000.spi/spi_master/spi5/spi5.0/nstandby   u:object_r:sysfs_gps:s0
+
+# Display
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/gamma       u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/gamma       u:object_r:sysfs_display:s0
+
+# Modem
+genfscon sysfs /devices/platform/cp-tm1/cp_temp                                u:object_r:sysfs_modem:s0
+
+# Bluetooth
+genfscon sysfs /devices/platform/175b0000.serial/serial0/serial0-0/bluetooth/hci0/rfkill0/state u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill0/state                             u:object_r:sysfs_bluetooth_writable:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/rfkill/rfkill2/state                             u:object_r:sysfs_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/lpm                                                              u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwrite                                                          u:object_r:proc_bluetooth_writable:s0
+genfscon proc /bluetooth/sleep/btwake                                                           u:object_r:proc_bluetooth_writable:s0
+
+# ODPM
+genfscon sysfs /devices/platform/acpm_mfd_bus@17500000/i2c-7/7-001f/s2mpg10-meter/s2mpg10-odpm/iio:device0/enabled_rails u:object_r:sysfs_odpm:s0
+genfscon sysfs /devices/platform/acpm_mfd_bus@17510000/i2c-8/8-002f/s2mpg11-meter/s2mpg11-odpm/iio:device1/enabled_rails u:object_r:sysfs_odpm:s0
+
+# Chosen
+genfscon sysfs /firmware/devicetree/base/chosen                                u:object_r:sysfs_chosen:s0
+
+genfscon sysfs /devices/system/chip-id/ap_hw_tune_str  u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/evt_ver         u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/lot_id          u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/product_id      u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/revision        u:object_r:sysfs_chip_id:s0
+genfscon sysfs /devices/system/chip-id/raw_str         u:object_r:sysfs_chip_id:s0
+
+# system_suspend wakeup nodes
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/power_supply/wireless/wakeup               u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-003c/wakeup/wakeup                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0001:00/0001:00:00.0/0001:01:00.0/wakeup/wakeup       u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/tcpm-source-psy-5-0025/wakeup u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0069/power_supply/dc/wakeup                     u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/wakeup/wakeup                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0057/power_supply/pca9468-mains/wakeup          u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0043/wakeup/wakeup                              u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/10d50000.hsi2c/i2c-5/5-0025/power_supply/usb/wakeup                    u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/14520000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/wakeup/wakeup       u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/google,cpm/power_supply/gcpm_pps/wakeup                                u:object_r:sysfs_wakeup:s0
+genfscon sysfs /devices/platform/odm/odm:btbcm/wakeup/wakeup                                            u:object_r:sysfs_wakeup:s0
+
+# subsystem-coredump
+genfscon sysfs /class/sscoredump/level                                                                  u:object_r:sscoredump_sysfs_level:s0
+
+# ACPM
+genfscon sysfs /devices/platform/1742048c.acpm_stats                                                    u:object_r:sysfs_acpm_stats:s0
+
+genfscon sysfs /devices/platform/10d40000.spi/spi_master                                                u:object_r:sysfs_spi:s0
+
+# Exynos
+genfscon sysfs /devices/platform/exynos-bts                                                             u:object_r:sysfs_exynos_bts:s0
+genfscon sysfs /devices/platform/exynos-bts/bts_stats                                                   u:object_r:sysfs_exynos_bts_stats:s0
+
+# CPU
+genfscon sysfs /devices/platform/17000010.devfreq_mif/devfreq/17000010.devfreq_mif/time_in_state        u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/cpupm/cpupm/time_in_state                                              u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000030.devfreq_intcam/devfreq/17000030.devfreq_intcam/time_in_state  u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000020.devfreq_int/devfreq/17000020.devfreq_int/time_in_state        u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000040.devfreq_disp/devfreq/17000040.devfreq_disp/time_in_state      u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000050.devfreq_cam/devfreq/17000050.devfreq_cam/time_in_state        u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/1c500000.mali/time_in_state                                            u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000080.devfreq_bo/devfreq/17000080.devfreq_bo/time_in_state          u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000060.devfreq_tnr/devfreq/17000060.devfreq_tnr/time_in_state        u:object_r:sysfs_cpu:s0
+genfscon sysfs /devices/platform/17000070.devfreq_mfc/devfreq/17000070.devfreq_mfc/time_in_state        u:object_r:sysfs_cpu:s0
+
+# nvmem (Non Volatile Memory layer)
+genfscon sysfs /devices/platform/10970000.hsi2c/i2c-4/4-0050/4-00500/nvmem                              u:object_r:sysfs_memory:s0
+
+# Broadcom
+genfscon sysfs /module/bcmdhd4389                                                                       u:object_r:sysfs_bcmdhd:s0
+
+# debugfs
+
+genfscon debugfs /maxfg                                                                                   u:object_r:vendor_maxfg_debugfs:s0
+genfscon debugfs /dma_buf/bufinfo                                                                         u:object_r:vendor_dmabuf_debugfs:s0
+genfscon debugfs /dri/0/crtc-                                                                             u:object_r:vendor_dri_debugfs:s0
+genfscon debugfs /ion                                                                                     u:object_r:vendor_ion_debugfs:s0
+genfscon debugfs /pm_genpd/pm_genpd_summary                                                               u:object_r:vendor_pm_genpd_debugfs:s0
+genfscon debugfs /regmap                                                                                  u:object_r:vendor_regmap_debugfs:s0
+genfscon debugfs /usb                                                                                     u:object_r:vendor_usb_debugfs:s0
+genfscon debugfs /google_charger                                                                          u:object_r:vendor_charger_debugfs:s0
+genfscon debugfs /gvotables                                                                               u:object_r:vendor_votable_debugfs:s0
+genfscon debugfs /google_battery                                                                          u:object_r:vendor_battery_debugfs:s0

whitechapel/vendor/google/gpsd.te

@@ -0,0 +1,25 @@
+type gpsd, domain;
+type gpsd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(gpsd)
+
+# Allow gpsd access PixelLogger unix socket in debug build only
+userdebug_or_eng(`
+    typeattribute gpsd mlstrustedsubject;
+    allow gpsd logger_app:unix_stream_socket connectto;
+')
+
+# Allow gpsd to obtain wakelock
+wakelock_use(gpsd)
+
+# Allow gpsd access data vendor gps files
+allow gpsd vendor_gps_file:dir create_dir_perms;
+allow gpsd vendor_gps_file:file create_file_perms;
+allow gpsd vendor_gps_file:fifo_file create_file_perms;
+
+# Allow gpsd to access rild
+binder_call(gpsd, rild);
+allow gpsd hal_exynos_rild_hwservice:hwservice_manager find;
+
+# Allow gpsd to access sensor service
+binder_call(gpsd, system_server);
+allow gpsd fwk_sensor_hwservice:hwservice_manager find;

whitechapel/vendor/google/grilservice_app.te

@@ -0,0 +1,8 @@
+type grilservice_app, domain;
+app_domain(grilservice_app)
+
+allow grilservice_app hal_radioext_hwservice:hwservice_manager find;
+allow grilservice_app hal_wifi_ext_hwservice:hwservice_manager find;
+allow grilservice_app app_api_service:service_manager find;
+binder_call(grilservice_app, hal_radioext_default)
+binder_call(grilservice_app, hal_wifi_ext)

whitechapel/vendor/google/hal_audio_default.te

@@ -0,0 +1,22 @@
+vndbinder_use(hal_audio_default)
+hwbinder_use(hal_audio_default)
+
+allow hal_audio_default audio_vendor_data_file:dir rw_dir_perms;
+allow hal_audio_default audio_vendor_data_file:file create_file_perms;
+
+r_dir_file(hal_audio_default, aoc_audio_file);
+r_dir_file(hal_audio_default, mnt_vendor_file);
+r_dir_file(hal_audio_default, persist_audio_file);
+
+allow hal_audio_default persist_file:dir search;
+allow hal_audio_default aoc_device:file rw_file_perms;
+allow hal_audio_default aoc_device:chr_file rw_file_perms;
+
+allow hal_audio_default hal_audio_ext_hwservice:hwservice_manager { find add };
+
+get_prop(hal_audio_default, vendor_audio_prop);
+
+userdebug_or_eng(`
+    allow hal_audio_default self:unix_stream_socket create_stream_socket_perms;
+    allow hal_audio_default audio_vendor_data_file:sock_file { create unlink };
+')

whitechapel/vendor/google/hal_bluetooth_btlinux.te

@@ -0,0 +1,19 @@
+add_hwservice(hal_bluetooth_btlinux, hal_bluetooth_coexistence_hwservice);
+
+allow hal_bluetooth_btlinux sysfs_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux proc_bluetooth_writable:file rw_file_perms;
+allow hal_bluetooth_btlinux hci_attach_dev:chr_file rw_file_perms;
+allow hal_bluetooth_btlinux wb_coexistence_dev:chr_file rw_file_perms;
+
+# power stats
+vndbinder_use(hal_bluetooth_btlinux)
+allow hal_bluetooth_btlinux hal_power_stats_vendor_service:service_manager find;
+binder_call(hal_bluetooth_btlinux, hal_power_stats_default)
+
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow hal_bluetooth_btlinux sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+  allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow hal_bluetooth_btlinux sscoredump_vendor_data_coredump_file:file create_file_perms;
+')

whitechapel/vendor/google/hal_bootctl_default.te

@@ -0,0 +1 @@
+allow hal_bootctl_default sda_block_device:blk_file rw_file_perms;

whitechapel/vendor/google/hal_camera_default.te

@@ -0,0 +1,36 @@
+allow hal_camera_default self:global_capability_class_set sys_nice;
+
+vndbinder_use(hal_camera_default);
+
+allow hal_camera_default vendor_camera_tuning_file:dir r_dir_perms;
+allow hal_camera_default vendor_camera_tuning_file:file r_file_perms;
+allow hal_camera_default vendor_camera_data_file:dir rw_dir_perms;
+allow hal_camera_default vendor_camera_data_file:file create_file_perms;
+allow hal_camera_default lwis_device:chr_file rw_file_perms;
+allow hal_camera_default gpu_device:chr_file rw_file_perms;
+allow hal_camera_default edgetpu_device:chr_file rw_file_perms;
+allow hal_camera_default sysfs_edgetpu:dir r_dir_perms;
+allow hal_camera_default sysfs_edgetpu:file r_file_perms;
+allow hal_camera_default sysfs_chip_id:file r_file_perms;
+
+allow hal_camera_default mnt_vendor_file:dir search;
+allow hal_camera_default persist_file:dir search;
+allow hal_camera_default persist_camera_file:dir search;
+allow hal_camera_default persist_camera_file:file r_file_perms;
+
+get_prop(hal_camera_default, vendor_camera_prop);
+get_prop(hal_camera_default, vendor_camera_debug_prop);
+
+hal_client_domain(hal_camera_default, hal_graphics_allocator);
+hal_client_domain(hal_camera_default, hal_power);
+hal_client_domain(hal_camera_default, hal_thermal);
+
+# Allow access to sensor service for sensor_listener
+binder_call(hal_camera_default, system_server);
+
+# Allow Binder calls to ECO service, needed by Entropy-Aware Filtering
+allow hal_camera_default eco_service:service_manager find;
+binder_call(hal_camera_default, mediacodec);
+
+# grant access to hal_graphics_composer
+hal_client_domain(hal_camera_default, hal_graphics_composer)

whitechapel/vendor/google/hal_confirmationui.te

@@ -0,0 +1,13 @@
+allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
+
+binder_call(hal_confirmationui_default, keystore)
+
+vndbinder_use(hal_confirmationui_default)
+binder_call(hal_confirmationui_default, citadeld)
+allow hal_confirmationui_default citadeld_service:service_manager find;
+
+allow hal_confirmationui_default input_device:chr_file rw_file_perms;
+allow hal_confirmationui_default input_device:dir r_dir_perms;
+
+allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_confirmationui_default ion_device:chr_file r_file_perms;

whitechapel/vendor/google/hal_contexthub.te

@@ -0,0 +1,3 @@
+# Allow context hub HAL to communicate with daemon via socket
+allow hal_contexthub_default chre:unix_stream_socket connectto;
+allow hal_contexthub_default chre_socket:sock_file write;

whitechapel/vendor/google/hal_drm_clearkey.te

@@ -0,0 +1,5 @@
+type hal_drm_clearkey, domain;
+type hal_drm_clearkey_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(hal_drm_clearkey)
+
+hal_server_domain(hal_drm_clearkey, hal_drm)

whitechapel/vendor/google/hal_drm_default.te

@@ -0,0 +1,6 @@
+# L3
+allow hal_drm_default mediadrm_vendor_data_file:file create_file_perms;
+allow hal_drm_default mediadrm_vendor_data_file:dir create_dir_perms;
+
+# L1
+allow hal_drm_default dmabuf_system_heap_device:chr_file r_file_perms;

whitechapel/vendor/google/hal_dumpstate_default.te

@@ -0,0 +1,142 @@
+allow hal_dumpstate_default sysfs_exynos_bts:dir search;
+allow hal_dumpstate_default sysfs_exynos_bts_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_bcmdhd:dir search;
+allow hal_dumpstate_default sysfs_bcmdhd:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_memory:file r_file_perms;
+allow hal_dumpstate_default sysfs_cpu:file r_file_perms;
+
+vndbinder_use(hal_dumpstate_default)
+
+allow hal_dumpstate_default vendor_gps_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_gps_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_wlc:dir search;
+allow hal_dumpstate_default sysfs_wlc:file r_file_perms;
+
+allow hal_dumpstate_default shell_data_file:file getattr;
+
+allow hal_dumpstate_default radio_vendor_data_file:dir create_dir_perms;
+allow hal_dumpstate_default radio_vendor_data_file:file create_file_perms;
+
+allow hal_dumpstate_default vendor_rfsd_log_file:dir r_dir_perms;
+allow hal_dumpstate_default vendor_rfsd_log_file:file r_file_perms;
+
+allow hal_dumpstate_default vendor_log_file:dir search;
+
+allow hal_dumpstate_default vendor_usf_stats:file execute_no_trans;
+allow hal_dumpstate_default vendor_dumpsys:file execute_no_trans;
+
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:dir r_dir_perms;
+allow hal_dumpstate_default sscoredump_vendor_data_crashinfo_file:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_acpm_stats:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_acpm_stats:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_spi:dir search;
+allow hal_dumpstate_default sysfs_spi:file rw_file_perms;
+
+allow hal_dumpstate_default device:dir r_dir_perms;
+allow hal_dumpstate_default logbuffer_device:chr_file r_file_perms;
+allow hal_dumpstate_default aoc_device:chr_file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_wifi:dir search;
+allow hal_dumpstate_default sysfs_wifi:file r_file_perms;
+
+allow hal_dumpstate_default sysfs_thermal:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_thermal:file r_file_perms;
+allow hal_dumpstate_default sysfs_thermal:lnk_file read;
+
+allow hal_dumpstate_default modem_efs_file:dir search;
+allow hal_dumpstate_default modem_efs_file:file r_file_perms;
+allow hal_dumpstate_default modem_stat_data_file:file r_file_perms;
+
+allow hal_dumpstate_default block_device:dir r_dir_perms;
+
+allow hal_dumpstate_default proc_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default proc_f2fs:file r_file_perms;
+allow hal_dumpstate_default proc_touch:file rw_file_perms;
+
+allow hal_dumpstate_default sysfs_batteryinfo:dir search;
+allow hal_dumpstate_default sysfs_batteryinfo:file r_file_perms;
+allow hal_dumpstate_default sysfs_chip_id:file r_file_perms;
+
+allow hal_dumpstate_default vendor_toolbox_exec:file execute_no_trans;
+allow hal_dumpstate_default vendor_shell_exec:file execute_no_trans;
+
+allow hal_dumpstate_default debugfs_f2fs:dir r_dir_perms;
+allow hal_dumpstate_default debugfs_f2fs:file r_file_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:dir r_dir_perms;
+allow hal_dumpstate_default sysfs_scsi_devices_0000:file r_file_perms;
+
+userdebug_or_eng(`
+  allow hal_dumpstate_default mnt_vendor_file:dir search;
+  allow hal_dumpstate_default ramdump_vendor_mnt_file:dir search;
+  allow hal_dumpstate_default ramdump_vendor_mnt_file:file r_file_perms;
+')
+
+get_prop(hal_dumpstate_default, boottime_public_prop)
+get_prop(hal_dumpstate_default, vendor_gps_prop)
+get_prop(hal_dumpstate_default, vendor_persist_sys_modem_prop)
+get_prop(hal_dumpstate_default, vendor_rild_prop)
+
+userdebug_or_eng(`
+  allow hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+  allow hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+  allow hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+  allow hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+  allow hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+  allow hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;
+')
+
+dontaudit hal_dumpstate_default vendor_ion_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_ion_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dri_debugfs:file r_file_perms;
+dontaudit hal_dumpstate_default vendor_dri_debugfs:dir search;
+
+dontaudit hal_dumpstate_default vendor_pm_genpd_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_usb_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_usb_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_dmabuf_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_regmap_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:dir search;
+dontaudit hal_dumpstate_default vendor_maxfg_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_charger_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_charger_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_battery_debugfs:file r_file_perms;
+
+dontaudit hal_dumpstate_default vendor_votable_debugfs:dir r_dir_perms;
+dontaudit hal_dumpstate_default vendor_votable_debugfs:file r_file_perms;

whitechapel/vendor/google/hal_gnss_default.te

@@ -0,0 +1,4 @@
+# Allow hal_gnss_default access data vendor gps files
+allow hal_gnss_default vendor_gps_file:dir create_dir_perms;
+allow hal_gnss_default vendor_gps_file:file create_file_perms;
+allow hal_gnss_default vendor_gps_file:fifo_file create_file_perms;