gs101: Rework sepolicy

TODO: Automatically handle the following:
* certs/mac_permissions.xml/keys.conf

Change-Id: Idb0636bce2392beb720e420055a7bcb838725a18

BoardConfig-common.mk

@@ -208,7 +208,26 @@ $(error vendor_dlkm.modules.load not found or empty)
 endif
 BOARD_VENDOR_KERNEL_MODULES += $(KERNEL_MODULES)
 
-include device/google/gs101/sepolicy/gs101-sepolicy.mk
+# SEPolicy
+BOARD_VENDOR_SEPOLICY_DIRS += \
+    hardware/google/pixel-sepolicy/googlebattery \
+    hardware/google/pixel-sepolicy/input \
+    hardware/google/pixel-sepolicy/powerstats \
+    device/google/gs101/sepolicy/certificates \
+    device/google/gs101/sepolicy/recovery \
+    device/google/gs101/sepolicy/vendor
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += \
+    device/google/gs101/sepolicy/product/private
+
+PRODUCT_PUBLIC_SEPOLICY_DIRS += \
+    device/google/gs101/sepolicy/product/public
+
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += \
+    device/google/gs101/sepolicy/system_ext/private
+
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += \
+    device/google/gs101/sepolicy/system_ext/public
 
 # Battery options
 BOARD_KERNEL_CMDLINE += at24.write_timeout=100

sepolicy/OWNERS

@@ -1,4 +0,0 @@
-include device/google/gs-common:/sepolicy/OWNERS
-
-adamshih@google.com
-

sepolicy/certificates/keys.conf

@@ -0,0 +1,11 @@
+[@CAMERASERVICES]
+ALL : device/google/gs101/sepolicy/certificates/certs/com_google_android_apps_camera_services.x509.pem
+
+[@MDS]
+ALL : device/google/gs101/sepolicy/certificates/certs/com_google_mds.x509.pem
+
+[@UWB]
+ALL : device/google/gs101/sepolicy/certificates/certs/com_qorvo_uwb.x509.pem
+
+[@EUICCSUPPORTPIXEL]
+ALL : device/google/gs101/sepolicy/certificates/certs/EuiccSupportPixel.x509.pem

sepolicy/certificates/mac_permissions.xml

@@ -1,8 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <policy>
-
 <!--
-
     * A signature is a hex encoded X.509 certificate or a tag defined in
       keys.conf and is required for each signer tag.
     * A signer tag may contain a seinfo tag and multiple package stanzas.
@@ -21,6 +19,9 @@
       - The default tag is consulted last if needed.
 -->
     <!-- google apps key -->
+    <signer signature="@CAMERASERVICES" >
+        <seinfo value="CameraServices" />
+    </signer>
     <signer signature="@MDS" >
         <seinfo value="mds" />
     </signer>
@@ -30,7 +31,4 @@
     <signer signature="@EUICCSUPPORTPIXEL" >
         <seinfo value="EuiccSupportPixel" />
     </signer>
-    <signer signature="@CAMERASERVICES" >
-      <seinfo value="CameraServices" />
-    </signer>
 </policy>

sepolicy/confirmationui/device.te

@@ -1 +0,0 @@
-type tui_device, dev_type;

sepolicy/confirmationui/file_contexts

@@ -1,4 +0,0 @@
-/vendor/bin/securedpud\.slider                                                   u:object_r:securedpud_slider_exec:s0
-/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor    u:object_r:hal_confirmationui_default_exec:s0
-
-/dev/tui-driver                                                                  u:object_r:tui_device:s0

sepolicy/confirmationui/hal_confirmationui.te

@@ -1,13 +0,0 @@
-allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
-
-binder_call(hal_confirmationui_default, keystore)
-
-vndbinder_use(hal_confirmationui_default)
-binder_call(hal_confirmationui_default, citadeld)
-allow hal_confirmationui_default citadeld_service:service_manager find;
-
-allow hal_confirmationui_default input_device:chr_file rw_file_perms;
-allow hal_confirmationui_default input_device:dir r_dir_perms;
-
-allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
-allow hal_confirmationui_default ion_device:chr_file r_file_perms;

sepolicy/confirmationui/securedpud.slider.te

@@ -1,11 +0,0 @@
-type securedpud_slider, domain;
-type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
-
-init_daemon_domain(securedpud_slider)
-
-wakelock_use(securedpud_slider)
-
-allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
-allow securedpud_slider ion_device:chr_file r_file_perms;
-allow securedpud_slider tee_device:chr_file rw_file_perms;
-allow securedpud_slider tui_device:chr_file rw_file_perms;

sepolicy/display/common/file.te

@@ -1 +0,0 @@
-type persist_display_file, file_type, vendor_persist_type;

sepolicy/display/common/file_contexts

@@ -1 +0,0 @@
-/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0

sepolicy/display/gs101/genfs_contexts

@@ -1,20 +0,0 @@
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight                 u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name                u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number             u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate              u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/power_state               u:object_r:sysfs_display:s0
-genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible                 u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight                 u:object_r:sysfs_leds:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name                u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number             u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate              u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/power_state               u:object_r:sysfs_display:s0
-genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible                 u:object_r:sysfs_display:s0
-
-genfscon sysfs /module/drm/parameters/vblankoffdelay                                           u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/1c300000.drmdecon/dqe0/atc                                     u:object_r:sysfs_display:s0
-genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup                                u:object_r:sysfs_display:s0
-
-genfscon sysfs /devices/platform/exynos-drm/tui_status                                         u:object_r:sysfs_display:s0

sepolicy/gs101-sepolicy.mk

@@ -1,94 +0,0 @@
-# ConnectivityThermalPowerManager
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/connectivity_thermal_power_manager
-
-# twoshay
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/input
-
-# google_battery service
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/googlebattery
-
-# sepolicy that are shared among devices using whitechapel
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/whitechapel/vendor/google
-
-# unresolved SELinux error log with bug tracking
-BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/tracking_denials
-
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101/sepolicy/private
-
-# Display
-BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/display/common
-BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/display/gs101
-
-# system_ext
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs101/sepolicy/system_ext/public
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101/sepolicy/system_ext/private
-
-#
-# Pixel-wide
-#
-#   PowerStats HAL
-BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
-
-# Public
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101/sepolicy/public
-
-# Health HAL
-BOARD_SEPOLICY_DIRS += device/google/gs101/sepolicy/health
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/modem/user
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/telephony/user/
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs101/sepolicy/trusty_metricsd
-
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/aoc/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/common
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/audio/sepolicy/hidl
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/vendor
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bcmbt/dump/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/bootctrl/sepolicy/aidl
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/vendor
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/chre/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/dauntless/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/display/sepolicy/exynos
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/edgetpu/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/fingerprint/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gear/dumpstate/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/brcm/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gps/dump/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gpu/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/gxp/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/insmod/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/common/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/mediacodec/samsung/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/misc_writer
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/dump_modemlog/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/modem/modem_svc_sit/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/nfc/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/performance/experiments/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/performance/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixel_metrics/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/pixel_ril/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/radio/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/ramdump_and_coredump/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/sensors/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/soc/sepolicy/freq
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/soc/sepolicy/soc
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/storage/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/storage/sepolicy/tracking_denials
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/telephony/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/dump
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/thermal/sepolicy/thermal_hal
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/touch/twoshay/sepolicy
-BOARD_VENDOR_SEPOLICY_DIRS += device/google/gs-common/trusty/sepolicy
-
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/camera/sepolicy/product/private
-
-PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/public
-PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/betterbug/sepolicy/product/private
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/private
-SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs-common/battery_mitigation/sepolicy/system_ext/public
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/gs_watchdogd/sepolicy
-
-SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs-common/sota_app/sepolicy/system_ext

sepolicy/health/file_contexts

@@ -1 +0,0 @@
-/vendor/bin/hw/android\.hardware\.health-service\.gs101  u:object_r:hal_health_default_exec:s0

sepolicy/modem/user/file.te

@@ -1 +0,0 @@
-type vendor_slog_file, file_type, data_file_type, mlstrustedobject;

sepolicy/modem/user/file_contexts

@@ -1,2 +0,0 @@
-/data/vendor/slog(/.*)?      u:object_r:vendor_slog_file:s0
-/vendor/bin/dmd              u:object_r:dmd_exec:s0

sepolicy/modem/user/property.te

@@ -1,3 +0,0 @@
-vendor_internal_prop(vendor_diag_prop)
-vendor_internal_prop(vendor_slog_prop)
-vendor_internal_prop(vendor_modem_prop)

sepolicy/modem/user/property_contexts

@@ -1,14 +0,0 @@
-# for dmd
-persist.vendor.sys.dm.       u:object_r:vendor_diag_prop:s0
-persist.vendor.sys.diag.     u:object_r:vendor_diag_prop:s0
-vendor.sys.dmd.              u:object_r:vendor_diag_prop:s0
-vendor.sys.diag.             u:object_r:vendor_diag_prop:s0
-
-# for modem
-persist.vendor.modem.        u:object_r:vendor_modem_prop:s0
-vendor.modem.                u:object_r:vendor_modem_prop:s0
-vendor.sys.modem.            u:object_r:vendor_modem_prop:s0
-ro.vendor.sys.modem.         u:object_r:vendor_modem_prop:s0
-vendor.sys.exynos.modempath  u:object_r:vendor_modem_prop:s0
-persist.vendor.sys.modem.    u:object_r:vendor_modem_prop:s0
-

sepolicy/modem/userdebug/file_contexts

@@ -1 +0,0 @@
-/vendor/bin/vcd                u:object_r:vcd_exec:s0

sepolicy/modem/userdebug/vcd.te

@@ -1,11 +0,0 @@
-type vcd, domain;
-type vcd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(vcd)
-
-get_prop(vcd, vendor_rild_prop);
-get_prop(vcd, vendor_persist_config_default_prop);
-
-allow vcd serial_device:chr_file rw_file_perms;
-allow vcd radio_device:chr_file rw_file_perms;
-allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
-allow vcd node:tcp_socket node_bind;

sepolicy/private/gmscore_app.te

@@ -1,3 +0,0 @@
-# b/177389198
-dontaudit gmscore_app adbd_prop:file *;
-dontaudit gmscore_app proc_vendor_sched:file write;

sepolicy/private/hal_dumpstate_default.te

@@ -1,2 +0,0 @@
-# b/176868217
-dontaudit hal_dumpstate adbd_prop:file *;

sepolicy/private/incidentd.te

@@ -1,14 +0,0 @@
-# b/174961589
-dontaudit incidentd adbd_config_prop:file open ;
-dontaudit incidentd adbd_prop:file getattr ;
-dontaudit incidentd adbd_prop:file open ;
-dontaudit incidentd adbd_config_prop:file open ;
-dontaudit incidentd adbd_config_prop:file getattr ;
-dontaudit incidentd adbd_config_prop:file map ;
-dontaudit incidentd adbd_prop:file open ;
-dontaudit incidentd adbd_prop:file getattr ;
-dontaudit incidentd adbd_prop:file map ;
-dontaudit incidentd apexd_prop:file open ;
-dontaudit incidentd adbd_config_prop:file getattr ;
-dontaudit incidentd adbd_config_prop:file map ;
-dontaudit incidentd adbd_prop:file map ;

sepolicy/private/lpdumpd.te

@@ -1,7 +0,0 @@
-# b/177176997
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file read ;
-dontaudit lpdumpd block_device:blk_file getattr ;
-dontaudit lpdumpd block_device:blk_file read ;
-dontaudit lpdumpd block_device:blk_file read ;

sepolicy/private/priv_app.te

@@ -1,20 +0,0 @@
-# b/178433525
-dontaudit priv_app adbd_prop:file { map };
-dontaudit priv_app adbd_prop:file { getattr };
-dontaudit priv_app adbd_prop:file { open };
-dontaudit priv_app ab_update_gki_prop:file { map };
-dontaudit priv_app ab_update_gki_prop:file { getattr };
-dontaudit priv_app ab_update_gki_prop:file { open };
-dontaudit priv_app aac_drc_prop:file { map };
-dontaudit priv_app aac_drc_prop:file { getattr };
-dontaudit priv_app aac_drc_prop:file { open };
-dontaudit priv_app adbd_prop:file { map };
-dontaudit priv_app aac_drc_prop:file { open };
-dontaudit priv_app aac_drc_prop:file { getattr };
-dontaudit priv_app aac_drc_prop:file { map };
-dontaudit priv_app ab_update_gki_prop:file { open };
-dontaudit priv_app ab_update_gki_prop:file { getattr };
-dontaudit priv_app ab_update_gki_prop:file { map };
-dontaudit priv_app adbd_prop:file { open };
-dontaudit priv_app adbd_prop:file { getattr };
-dontaudit priv_app proc_vendor_sched:file write;

sepolicy/private/service_contexts

@@ -1 +0,0 @@
-telephony.oem.oemrilhook        u:object_r:radio_service:s0

sepolicy/private/untrusted_app_25.te

@@ -1,2 +0,0 @@
-# b/177389321
-dontaudit untrusted_app_25 adbd_prop:file *;

sepolicy/private/wait_for_keymaster.te

@@ -1,2 +0,0 @@
-# b/188114822
-dontaudit wait_for_keymaster servicemanager:binder transfer;

sepolicy/product/private/pbcs_app.te

@@ -0,0 +1,12 @@
+typeattribute vendor_pbcs_app coredomain;
+
+add_service(vendor_pbcs_app, camera_binder_service)
+add_service(vendor_pbcs_app, camera_cameraidremapper_service)
+add_service(vendor_pbcs_app, camera_lyricconfigprovider_service)
+
+app_domain(vendor_pbcs_app)
+
+allow vendor_pbcs_app app_api_service:service_manager find;
+allow vendor_pbcs_app cameraserver_service:service_manager find;
+
+dontaudit vendor_pbcs_app system_app_data_file:dir *;

sepolicy/product/private/pcs_app.te

@@ -0,0 +1,31 @@
+typeattribute vendor_pcs_app coredomain;
+
+app_domain(vendor_pcs_app)
+
+bluetooth_domain(vendor_pcs_app)
+
+net_domain(vendor_pcs_app)
+
+r_dir_file(vendor_pcs_app, preloads_data_file)
+r_dir_file(vendor_pcs_app, preloads_media_file)
+
+allow vendor_pcs_app app_api_service:service_manager find;
+allow vendor_pcs_app audioserver_service:service_manager find;
+allow vendor_pcs_app cache_file:dir create_dir_perms;
+allow vendor_pcs_app cache_file:file create_file_perms;
+allow vendor_pcs_app cache_file:lnk_file r_file_perms;
+allow vendor_pcs_app cache_recovery_file:dir create_dir_perms;
+allow vendor_pcs_app cache_recovery_file:file create_file_perms;
+allow vendor_pcs_app camera_cameraidremapper_service:service_manager find;
+allow vendor_pcs_app camera_lyricconfigprovider_service:service_manager find;
+allow vendor_pcs_app cameraserver_service:service_manager find;
+allow vendor_pcs_app drmserver_service:service_manager find;
+allow vendor_pcs_app media_rw_data_file:dir create_dir_perms;
+allow vendor_pcs_app media_rw_data_file:file create_file_perms;
+allow vendor_pcs_app mediametrics_service:service_manager find;
+allow vendor_pcs_app mediaserver_service:service_manager find;
+allow vendor_pcs_app nfc_service:service_manager find;
+allow vendor_pcs_app radio_service:service_manager find;
+
+dontaudit vendor_pcs_app device:dir read;
+dontaudit vendor_pcs_app usb_device:dir { open read search };

sepolicy/product/private/permissioncontroller_app.te

@@ -1,3 +1,2 @@
 allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
 allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
-

sepolicy/product/private/seapp_contexts

@@ -0,0 +1,4 @@
+user=_app seinfo=CameraServices name=com.google.android.apps.camera.services domain=vendor_pcs_app type=app_data_file levelFrom=all
+user=_app seinfo=CameraServices name=com.google.android.apps.camera.services:* domain=vendor_pcs_app type=app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.pixel.camera.services domain=vendor_pbcs_app type=system_app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.pixel.camera.services:* domain=vendor_pbcs_app type=system_app_data_file levelFrom=all

sepolicy/product/private/service_contexts

@@ -0,0 +1,4 @@
+com.google.pixel.camera.services.binder.IServiceBinder/default u:object_r:camera_binder_service:s0
+com.google.pixel.camera.services.cameraidremapper.ICameraIdRemapper/default u:object_r:camera_cameraidremapper_service:s0
+com.google.pixel.camera.services.lyricconfigprovider.ILyricConfigProvider/default u:object_r:camera_lyricconfigprovider_service:s0
+telephony.oem.oemrilhook u:object_r:radio_service:s0

sepolicy/product/public/pbcs_app.te

@@ -0,0 +1 @@
+type vendor_pbcs_app, domain;

sepolicy/product/public/pcs_app.te

@@ -0,0 +1 @@
+type vendor_pcs_app, domain;

sepolicy/product/public/service.te

@@ -0,0 +1,3 @@
+type camera_binder_service, hal_service_type, protected_service, service_manager_type;
+type camera_cameraidremapper_service, hal_service_type, protected_service, service_manager_type;
+type camera_lyricconfigprovider_service, hal_service_type, protected_service, service_manager_type;

sepolicy/recovery/fastbootd.te

@@ -0,0 +1,8 @@
+recovery_only(`
+  allow fastbootd citadel_device:chr_file rw_file_perms;
+  allow fastbootd custom_ab_block_device:blk_file rw_file_perms;
+  allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+  allow fastbootd sda_block_device:blk_file rw_file_perms;
+  allow fastbootd st54spi_device:chr_file rw_file_perms;
+  allow fastbootd sysfs_ota:file rw_file_perms;
+')

sepolicy/recovery/hal_bootctl_default.te

@@ -0,0 +1,3 @@
+recovery_only(`
+  allow hal_bootctl_default rootfs:dir r_dir_perms;
+')

sepolicy/recovery/recovery.te

@@ -0,0 +1,7 @@
+recovery_only(`
+  allow recovery citadel_device:chr_file rw_file_perms;
+  allow recovery st54spi_device:chr_file rw_file_perms;
+  allow recovery sysfs_ota:file rw_file_perms;
+  allow recovery sysfs_scsi_devices_0000:file r_file_perms;
+  allow recovery sysfs_scsi_devices_0000:dir r_dir_perms;
+')

sepolicy/system_ext/private/bluetooth_gci.te

@@ -0,0 +1,9 @@
+init_daemon_domain(bluetooth_gci)
+
+allow bluetooth_gci bluetooth_data_file:dir ra_dir_perms;
+allow bluetooth_gci bluetooth_data_file:file create_file_perms;
+allow bluetooth_gci fuse:dir r_dir_perms;
+allow bluetooth_gci fuse:file r_file_perms;
+allow bluetooth_gci media_rw_data_file:dir ra_dir_perms;
+allow bluetooth_gci media_rw_data_file:file r_file_perms;
+allow bluetooth_gci mnt_user_file:dir search;

sepolicy/system_ext/private/con_monitor_app.te

@@ -3,5 +3,6 @@ typeattribute con_monitor_app coredomain;
 app_domain(con_monitor_app)
 
 set_prop(con_monitor_app, radio_prop)
+
 allow con_monitor_app app_api_service:service_manager find;
 allow con_monitor_app radio_service:service_manager find;

sepolicy/system_ext/private/connectivity_thermal_power_manager.te

@@ -0,0 +1,9 @@
+type connectivity_thermal_power_manager, coredomain, domain, system_suspend_internal_server;
+
+app_domain(connectivity_thermal_power_manager)
+
+hal_client_domain(connectivity_thermal_power_manager, hal_power_stats)
+
+allow connectivity_thermal_power_manager app_api_service:service_manager find;
+allow connectivity_thermal_power_manager radio_service:service_manager find;
+allow connectivity_thermal_power_manager system_api_service:service_manager find;

sepolicy/system_ext/private/dcservice_app.te

@@ -0,0 +1,16 @@
+typeattribute dcservice_app coredomain;
+
+app_domain(dcservice_app)
+
+get_prop(dcservice_app, bluetooth_lea_prop)
+
+net_domain(dcservice_app)
+
+set_prop(dcservice_app, ctl_start_prop)
+
+allow dcservice_app app_api_service:service_manager find;
+allow dcservice_app audioserver_service:service_manager find;
+allow dcservice_app nfc_service:service_manager find;
+allow dcservice_app privapp_data_file:file execute;
+allow dcservice_app privapp_data_file:lnk_file r_file_perms;
+allow dcservice_app radio_service:service_manager find;

sepolicy/system_ext/private/euicc_app.te

@@ -1,13 +1,16 @@
-type euicc_app, domain, coredomain;
+type euicc_app, coredomain, domain;
+
 app_domain(euicc_app)
-net_domain(euicc_app)
+
 bluetooth_domain(euicc_app)
 
-allow euicc_app app_api_service:service_manager find;
-allow euicc_app radio_service:service_manager find;
-allow euicc_app cameraserver_service:service_manager find;
-
-get_prop(euicc_app, camera_config_prop)
 get_prop(euicc_app, bootloader_prop)
-get_prop(euicc_app, exported_default_prop)
+get_prop(euicc_app, camera_config_prop)
 get_prop(euicc_app, esim_modem_prop)
+get_prop(euicc_app, exported_default_prop)
+
+net_domain(euicc_app)
+
+allow euicc_app app_api_service:service_manager find;
+allow euicc_app cameraserver_service:service_manager find;
+allow euicc_app radio_service:service_manager find;

sepolicy/system_ext/private/file.te

@@ -0,0 +1 @@
+type repair_mode_metadata_config_file, file_type, mlstrustedobject;

sepolicy/system_ext/private/file_contexts

@@ -0,0 +1,4 @@
+/dev/watchdog[0-9] u:object_r:watchdog_device:s0
+/metadata/repair-mode/config(/.*)? u:object_r:repair_mode_metadata_config_file:s0
+/system_ext/bin/bluetooth_gci u:object_r:bluetooth_gci_exec:s0
+/system_ext/bin/gs_watchdogd u:object_r:gs_watchdogd_exec:s0

sepolicy/system_ext/private/gs_watchdogd.te

@@ -0,0 +1,8 @@
+type gs_watchdogd, coredomain, domain;
+type gs_watchdogd_exec, exec_type, file_type, system_file_type;
+
+init_daemon_domain(gs_watchdogd)
+
+allow gs_watchdogd kmsg_device:chr_file rw_file_perms;
+allow gs_watchdogd sysfs:dir r_dir_perms;
+allow gs_watchdogd watchdog_device:chr_file rw_file_perms;

sepolicy/system_ext/private/hbmsvmanager_app.te

@@ -1,11 +1,8 @@
 typeattribute hbmsvmanager_app coredomain;
 
-app_domain(hbmsvmanager_app);
+app_domain(hbmsvmanager_app)
 
+allow hbmsvmanager_app app_api_service:service_manager find;
+allow hbmsvmanager_app cameraserver_service:service_manager find;
 allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
 allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
-
-# Standard system services
-allow hbmsvmanager_app app_api_service:service_manager find;
-
-allow hbmsvmanager_app cameraserver_service:service_manager find;

sepolicy/system_ext/private/pixelntnservice_app.te

@@ -1,5 +1,7 @@
 typeattribute pixelntnservice_app coredomain;
 
-app_domain(pixelntnservice_app);
-allow pixelntnservice_app app_api_service:service_manager find;
+app_domain(pixelntnservice_app)
+
 set_prop(pixelntnservice_app, telephony_modem_prop)
+
+allow pixelntnservice_app app_api_service:service_manager find;

sepolicy/system_ext/private/platform_app.te

@@ -1,5 +1,5 @@
-# allow systemui to set boot animation colors
-set_prop(platform_app, bootanim_system_prop);
+get_prop(platform_app, bluetooth_lea_prop)
 
-# allow systemui to access fingerprint
 hal_client_domain(platform_app, hal_fingerprint)
+
+set_prop(platform_app, bootanim_system_prop)

sepolicy/system_ext/private/property.te

@@ -1,5 +1 @@
-neverallow {
-  domain
-  -init
-  -vendor_init
-} esim_modem_prop:property_service set;
+system_internal_prop(repair_mode_init_prop)

sepolicy/system_ext/private/property_contexts

@@ -1,9 +1,5 @@
-# Fingerprint (UDFPS) GHBM/LHBM toggle
-persist.fingerprint.ghbm    u:object_r:fingerprint_ghbm_prop:s0    exact    bool
-
-# Properties for euicc
-persist.modem.esim_profiles_exist            u:object_r:esim_modem_prop:s0    exact    string
-
-# Telephony
-telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0    exact enum ntn tn
-telephony.ril.silent_reset    u:object_r:telephony_ril_prop:s0    exact    bool
+persist.fingerprint.ghbm u:object_r:fingerprint_ghbm_prop:s0 exact bool
+persist.modem.esim_profiles_exist u:object_r:esim_modem_prop:s0 exact string
+repair_mode.init_completed. u:object_r:repair_mode_init_prop:s0 prefix bool
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0 exact enum ntn tn
+telephony.ril.silent_reset u:object_r:telephony_ril_prop:s0 exact bool

sepolicy/system_ext/private/repair_mode_app.te

@@ -0,0 +1,14 @@
+type repair_mode_app, coredomain, domain;
+
+app_domain(repair_mode_app)
+
+get_prop(repair_mode_app, gsid_prop)
+
+set_prop(repair_mode_app, repair_mode_init_prop)
+
+allow repair_mode_app app_api_service:service_manager find;
+allow repair_mode_app metadata_file:dir search;
+allow repair_mode_app repair_mode_metadata_config_file:dir rw_dir_perms;
+allow repair_mode_app repair_mode_metadata_config_file:file create_file_perms;
+allow repair_mode_app repair_mode_metadata_file:dir search;
+allow repair_mode_app system_api_service:service_manager find;

sepolicy/system_ext/private/seapp_contexts

@@ -1,11 +1,8 @@
-# Domain for EuiccGoogle
-user=_app isPrivApp=true  name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
-
-# Domain for connectivity monitor
+user=_app isPrivApp=true name=com.google.android.apps.pixel.dcservice domain=dcservice_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.apps.pixel.dcservice.ui domain=dcservice_app type=privapp_data_file levelFrom=user
+user=_app isPrivApp=true name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
 user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
-
-# HbmSVManager
 user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
-
-# PixelNtnService
+user=_app seinfo=platform name=com.google.android.connectivitythermalpowermanager domain=connectivity_thermal_power_manager type=app_data_file levelFrom=all
+user=system seinfo=platform name=com.google.android.repairmode domain=repair_mode_app type=app_data_file levelFrom=user
 user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all

sepolicy/system_ext/public/bluetooth_gci.te

@@ -0,0 +1,2 @@
+type bluetooth_gci, coredomain, domain;
+type bluetooth_gci_exec, exec_type, file_type, system_file_type;

sepolicy/system_ext/public/con_monitor_app.te

@@ -1,2 +1 @@
-# ConnectivityMonitor app
 type con_monitor_app, domain;

sepolicy/system_ext/public/dcservice_app.te

@@ -0,0 +1 @@
+type dcservice_app, domain;

sepolicy/system_ext/public/property.te

@@ -1,13 +1,6 @@
-# Fingerprint (UDFPS) GHBM/LHBM toggle
-system_vendor_config_prop(fingerprint_ghbm_prop)
-
-# eSIM properties
-system_vendor_config_prop(esim_modem_prop)
-
-# Telephony
 system_public_prop(telephony_ril_prop)
+
 system_restricted_prop(telephony_modem_prop)
 
-userdebug_or_eng(`
-  set_prop(shell, telephony_ril_prop)
-')
+system_vendor_config_prop(esim_modem_prop)
+system_vendor_config_prop(fingerprint_ghbm_prop)

sepolicy/telephony/user/file_contexts

@@ -1,3 +0,0 @@
-# ECC List
-/vendor/bin/init\.radio\.sh     u:object_r:init_radio_exec:s0
-

sepolicy/tracking_denials/bluetooth.te

@@ -1,2 +0,0 @@
-# b/382362462
-dontaudit bluetooth default_android_service:service_manager { find };

sepolicy/tracking_denials/dmd.te

@@ -1,2 +0,0 @@
-#b/303391666
-dontaudit dmd servicemanager:binder { call };

sepolicy/tracking_denials/dumpstate.te

@@ -1,2 +0,0 @@
-# b/277155042
-dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };

sepolicy/trusty_metricsd/file_contexts

@@ -1 +0,0 @@
-/vendor/bin/trusty_metricsd          u:object_r:trusty_metricsd_exec:s0

sepolicy/vendor/aocd.te

@@ -0,0 +1,19 @@
+type aocd, domain;
+type aocd_exec, exec_type, file_type, vendor_file_type;
+
+get_prop(aocd, vendor_volte_mif_off)
+
+init_daemon_domain(aocd)
+
+r_dir_file(aocd, persist_aoc_file)
+
+set_prop(aocd, vendor_aoc_prop)
+set_prop(aocd, vendor_timeout_aoc_prop)
+
+allow aocd aoc_device:chr_file rw_file_perms;
+allow aocd device:dir r_dir_perms;
+allow aocd mnt_vendor_file:dir search;
+allow aocd persist_file:dir search;
+allow aocd sysfs_aoc:dir search;
+allow aocd sysfs_aoc_firmware:file w_file_perms;
+allow aocd sysfs_aoc_notifytimeout:file r_file_perms;

sepolicy/vendor/aocdump.te

@@ -0,0 +1,4 @@
+type aocdump, domain;
+type aocdump_exec, exec_type, file_type, vendor_file_type;
+
+init_daemon_domain(aocdump)

sepolicy/vendor/aocx.te

@@ -0,0 +1 @@
+type aocx, service_manager_type;

sepolicy/vendor/aocxd.te

@@ -0,0 +1,21 @@
+type aocxd, domain;
+type aocxd_exec, exec_type, file_type, vendor_file_type;
+
+add_service(aocxd, aocx)
+
+binder_call(aocxd, dcservice_app)
+
+init_daemon_domain(aocxd)
+
+set_prop(aocxd, vendor_aoc_prop)
+
+vndbinder_use(aocxd)
+
+wakelock_use(aocxd)
+
+allow aocxd aoc_device:chr_file rw_file_perms;
+allow aocxd device:dir r_dir_perms;
+allow aocxd dumpstate:fd use;
+allow aocxd dumpstate:fifo_file write;
+allow aocxd self:global_capability_class_set sys_nice;
+allow aocxd sysfs_aoc:dir search;

sepolicy/vendor/appdomain.te

@@ -0,0 +1,5 @@
+get_prop(appdomain, vendor_edgetpu_runtime_prop)
+get_prop(appdomain, vendor_hetero_runtime_prop)
+get_prop(appdomain, vendor_tflite_delegate_prop)
+
+neverallow appdomain edgetpu_device:chr_file open;

sepolicy/vendor/attributes

@@ -0,0 +1,3 @@
+hal_attribute(shared_modem_platform)
+
+attribute vendor_persist_type;

sepolicy/vendor/audio_prop_restricted.te

@@ -0,0 +1 @@
+vendor_restricted_prop(vendor_audio_prop_restricted)

sepolicy/vendor/audioserver.te

@@ -0,0 +1 @@
+allow audioserver audio_device:chr_file r_file_perms;

sepolicy/vendor/battery_mitigation.te

@@ -0,0 +1,39 @@
+type battery_mitigation, domain;
+type battery_mitigation_exec, exec_type, file_type, vendor_file_type;
+
+add_service(battery_mitigation, hal_battery_mitigation_service)
+
+binder_call(battery_mitigation, hal_audio_default)
+binder_call(battery_mitigation, servicemanager)
+
+get_prop(battery_mitigation, boot_status_prop)
+get_prop(battery_mitigation, system_boot_reason_prop)
+get_prop(battery_mitigation, vendor_brownout_reason_prop)
+
+hal_client_domain(battery_mitigation, hal_health)
+hal_client_domain(battery_mitigation, hal_thermal)
+
+init_daemon_domain(battery_mitigation)
+
+r_dir_file(battery_mitigation, sysfs_acpm_stats)
+r_dir_file(battery_mitigation, sysfs_batteryinfo)
+r_dir_file(battery_mitigation, sysfs_gpu)
+r_dir_file(battery_mitigation, sysfs_iio_devices)
+r_dir_file(battery_mitigation, sysfs_odpm)
+r_dir_file(battery_mitigation, sysfs_power_stats)
+r_dir_file(battery_mitigation, sysfs_thermal)
+r_dir_file(battery_mitigation, thermal_link_device)
+
+set_prop(battery_mitigation, vendor_brownout_br_feasible_prop)
+set_prop(battery_mitigation, vendor_mitigation_ready_prop)
+
+wakelock_use(battery_mitigation)
+
+allow battery_mitigation dumpstate:fd use;
+allow battery_mitigation dumpstate:fifo_file rw_file_perms;
+allow battery_mitigation fwk_stats_service:service_manager find;
+allow battery_mitigation mitigation_vendor_data_file:dir rw_dir_perms;
+allow battery_mitigation mitigation_vendor_data_file:file create_file_perms;
+allow battery_mitigation sysfs_bcl:dir r_dir_perms;
+allow battery_mitigation sysfs_bcl:file rw_file_perms;
+allow battery_mitigation sysfs_bcl:lnk_file r_file_perms;

sepolicy/vendor/bipchmgr.te

@@ -1,9 +1,12 @@
 type bipchmgr, domain;
-type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+type bipchmgr_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(bipchmgr, rild)
+
+get_prop(bipchmgr, hwservicemanager_prop)
+
+hwbinder_use(bipchmgr)
+
 init_daemon_domain(bipchmgr)
 
-get_prop(bipchmgr, hwservicemanager_prop);
-
 allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
-hwbinder_use(bipchmgr)
-binder_call(bipchmgr, rild)

sepolicy/vendor/bluetooth.te

@@ -1,3 +1,4 @@
 allow bluetooth proc_vendor_sched:dir search;
 allow bluetooth proc_vendor_sched:file w_file_perms;
 
+dontaudit bluetooth default_android_service:service_manager find;

sepolicy/vendor/bootanim.te

@@ -0,0 +1 @@
+dontaudit bootanim system_data_file:dir r_dir_perms;

sepolicy/vendor/bootdevice_sysdev.te

@@ -1 +1,3 @@
+type bootdevice_sysdev, dev_type;
+
 allow bootdevice_sysdev sysfs:filesystem associate;

sepolicy/vendor/bug_map

@@ -1,36 +1,40 @@
-
 battery_mitigation sysfs file b/364446534
 dump_display sysfs file b/340722772
 dump_modem sscoredump_vendor_data_coredump_file dir b/366115873
 dump_modem sscoredump_vendor_data_logcat_file dir b/366115873
-fsck modem_block_device blk_file b/397548310
 hal_camera_default aconfig_storage_metadata_file dir b/383013727
 hal_contexthub_default hal_bluetooth_service service_manager b/396573314
-hal_drm_widevine system_userdir_file dir b/401397837
+hal_fingerprint_default default_prop property_service b/215640468
 hal_power_default hal_power_default capability b/240632824
 hal_sensors_default sysfs file b/340723303
 incidentd debugfs_wakeup_sources file b/282626428
 incidentd incidentd anon_inode b/282626428
 init init capability b/379591559
+insmod-sh kmsg_debug_device chr_file b/410739268
 kernel dm_device blk_file b/315907959
 kernel kernel capability b/340722537
 kernel kernel capability b/340723030
 kernel tmpfs chr_file b/315907959
 modem_svc_sit hal_radioext_default process b/372348067
+permissioncontroller_app proc_vendor_sched file b/190671898
 pixelstats_vendor block_device dir b/369537606
-pixelstats_vendor block_device dir b/369735407
-platform_app bluetooth_lea_mode_prop file b/402594680
+pixelstats_vendor sysfs_pixel_stat dir b/422900204
+pixelstats_vendor sysfs_pixel_stat file b/422900204
 platform_app vendor_fw_file dir b/372122654
 platform_app vendor_rild_prop file b/372122654
 priv_app audio_config_prop file b/379226710
 priv_app audio_config_prop file b/379246066
 radio audio_config_prop file b/379227275
+ramdump proc_bootconfig file b/181615626
+ramdump public_vendor_default_prop file b/161103878
 ramdump ramdump capability b/369538457
-ramdump_app default_prop file b/386149238
+ramdump vendor_hw_plat_prop file b/161103878
+ramdump_app default_prop file b/386149375
 rfsd vendor_cbd_prop file b/317734418
-shell sysfs_net file b/329380904
-ssr_detector_app default_prop file b/350831964
+shell vendor_intelligence_prop file b/378120929
 surfaceflinger selinuxfs file b/313804340
+system_server build_bootimage_prop file b/413561454
+system_server system_userdir_file file b/410508703
 system_server vendor_default_prop file b/366115457
 system_server vendor_default_prop file b/366116435
 system_server vendor_default_prop file b/366116587
@@ -41,14 +45,10 @@ untrusted_app shell_test_data_file dir b/305600845
 untrusted_app system_data_root_file dir b/305600845
 untrusted_app userdebug_or_eng_prop file b/305600845
 untrusted_app_29 audio_config_prop file b/379246143
+vendor_ims_app default_prop file b/194281028
 vendor_init debugfs_trace_marker file b/340723222
 vendor_init default_prop file b/315104713
 vendor_init default_prop file b/316817111
-vendor_init default_prop property_service b/315104713
-vendor_init default_prop property_service b/366115458
-vendor_init default_prop property_service b/366116214
-vendor_init default_prop property_service b/369735133
-vendor_init default_prop property_service b/369735170
 zygote aconfig_storage_metadata_file dir b/383949055
 zygote media_config_prop file b/394433509
 zygote zygote capability b/379591519

sepolicy/vendor/cbd.te

@@ -1,65 +1,35 @@
 type cbd, domain;
-type cbd_exec, vendor_file_type, exec_type, file_type;
-init_daemon_domain(cbd)
+type cbd_exec, exec_type, file_type, vendor_file_type;
 
-set_prop(cbd, vendor_modem_prop)
-set_prop(cbd, vendor_cbd_prop)
-set_prop(cbd, vendor_rild_prop)
 get_prop(cbd, telephony_modem_prop)
 
-# Allow cbd to setuid from root to radio
-# TODO: confirming with vendor via b/182334947
-allow cbd self:capability { setgid setuid };
+init_daemon_domain(cbd)
 
-allow cbd mnt_vendor_file:dir r_dir_perms;
+r_dir_file(cbd, modem_img_file)
 
-allow cbd kmsg_device:chr_file rw_file_perms;
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_rild_prop)
 
-allow cbd vendor_shell_exec:file execute_no_trans;
-allow cbd vendor_toolbox_exec:file execute_no_trans;
-
-# Allow cbd to access modem block device
 allow cbd block_device:dir search;
+allow cbd kmsg_device:chr_file rw_file_perms;
+allow cbd mnt_vendor_file:dir r_dir_perms;
 allow cbd modem_block_device:blk_file r_file_perms;
-
-# Allow cbd to access sysfs chosen files
-allow cbd sysfs_chosen:file r_file_perms;
-allow cbd sysfs_chosen:dir r_dir_perms;
-
-allow cbd radio_device:chr_file rw_file_perms;
-
-allow cbd proc_cmdline:file r_file_perms;
-
-allow cbd persist_modem_file:dir create_dir_perms;
-allow cbd persist_modem_file:file create_file_perms;
-allow cbd persist_file:dir search;
-
-allow cbd radio_vendor_data_file:dir create_dir_perms;
-allow cbd radio_vendor_data_file:file create_file_perms;
-
-# Allow cbd to operate with modem EFS file/dir
 allow cbd modem_efs_file:dir create_dir_perms;
 allow cbd modem_efs_file:file create_file_perms;
-
-# Allow cbd to operate with modem userdata file/dir
 allow cbd modem_userdata_file:dir create_dir_perms;
 allow cbd modem_userdata_file:file create_file_perms;
-
-# Allow cbd to access modem image file/dir
-allow cbd modem_img_file:dir r_dir_perms;
-allow cbd modem_img_file:file r_file_perms;
-allow cbd modem_img_file:lnk_file r_file_perms;
-
-# Allow cbd to collect crash info
+allow cbd persist_file:dir search;
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd proc_cmdline:file r_file_perms;
+allow cbd radio_device:chr_file rw_file_perms;
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+allow cbd self:capability { setgid setuid };
 allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
 allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
-
-userdebug_or_eng(`
-  r_dir_file(cbd, vendor_slog_file)
-
-  allow cbd kernel:system syslog_read;
-
-  allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
-  allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
-')
-
+allow cbd sysfs_chosen:dir r_dir_perms;
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;

sepolicy/vendor/cbrs_setup_app.te

@@ -0,0 +1 @@
+type cbrs_setup_app, domain;

sepolicy/vendor/cccdktimesync_app.te

@@ -1,10 +1,8 @@
 type vendor_cccdktimesync_app, domain;
+
 app_domain(vendor_cccdktimesync_app)
 
-allow vendor_cccdktimesync_app app_api_service:service_manager find;
-
 binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
-allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
 
-# allow the HAL to call our registered callbacks
-binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;

sepolicy/vendor/charger_vendor.te

@@ -1,10 +1,11 @@
+set_prop(charger_vendor, vendor_battery_defender_prop)
+
 allow charger_vendor mnt_vendor_file:dir search;
-allow charger_vendor sysfs_batteryinfo:file w_file_perms;
-allow charger_vendor persist_file:dir search;
 allow charger_vendor persist_battery_file:dir search;
 allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
 allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
 allow charger_vendor sysfs_thermal:file w_file_perms;
 allow charger_vendor sysfs_thermal:lnk_file read;
 allow charger_vendor thermal_link_device:dir search;
-set_prop(charger_vendor, vendor_battery_defender_prop)

sepolicy/vendor/chre.te

@@ -0,0 +1,20 @@
+type chre, domain;
+type chre_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(chre, stats_service_server)
+
+hal_client_domain(chre, hal_graphics_allocator)
+
+init_daemon_domain(chre)
+
+wakelock_use(chre)
+
+allow chre aoc_device:chr_file rw_file_perms;
+allow chre device:dir r_dir_perms;
+allow chre fwk_stats_service:service_manager find;
+allow chre hal_graphics_mapper_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;

sepolicy/vendor/citadeld.te

@@ -0,0 +1,20 @@
+type citadeld, domain;
+type citadeld_exec, exec_type, file_type, vendor_file_type;
+type citadeld_service, vndservice_manager_type;
+
+add_service(citadeld, citadeld_service)
+
+binder_call(citadeld, system_server)
+
+binder_use(citadeld)
+
+init_daemon_domain(citadeld)
+
+set_prop(citadeld, vendor_nos_citadel_version)
+
+vndbinder_use(citadeld)
+
+allow citadeld citadel_device:chr_file rw_file_perms;
+allow citadeld fwk_stats_service:service_manager find;
+allow citadeld hal_power_stats_vendor_service:service_manager find;
+allow citadeld hal_weaver_citadel:binder call;

sepolicy/vendor/dcservice_app.te

@@ -0,0 +1,5 @@
+binder_call(dcservice_app, aocxd)
+binder_call(dcservice_app, twoshay)
+
+allow dcservice_app aocx:service_manager find;
+allow dcservice_app touch_context_service:service_manager find;

sepolicy/vendor/device.te

@@ -0,0 +1,33 @@
+type amcs_device, dev_type;
+type aoc_device, dev_type;
+type citadel_device, dev_type;
+type cpuctl_device, dev_type;
+type custom_ab_block_device, dev_type;
+type devinfo_block_device, dev_type;
+type edgetpu_device, dev_type, isolated_compute_allowed_device, mlstrustedobject;
+type efs_block_device, dev_type;
+type faceauth_heap_device, dev_type, dmabuf_heap_device_type;
+type fingerprint_device, dev_type;
+type logbuffer_device, dev_type;
+type lwis_device, dev_type;
+type mfg_data_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type pktrouter_device, dev_type;
+type rls_device, dev_type;
+type sda_block_device, dev_type;
+type sensor_direct_heap_device, dev_type, dmabuf_heap_device_type;
+type sg_device, dev_type;
+type sscoredump_device, dev_type;
+type st33spi_device, dev_type;
+type st54spi_device, dev_type;
+type thermal_link_device, dev_type;
+type touch_offload_device, dev_type;
+type trusty_log_device, dev_type;
+type ufs_internal_block_device, dev_type;
+type userdata_exp_block_device, dev_type;
+type vendor_gnss_device, dev_type;
+type vendor_toe_device, dev_type;
+type vscaler_heap_device, dev_type, dmabuf_heap_device_type;
+type wb_coexistence_dev, dev_type;

sepolicy/vendor/disable-contaminant-detection-sh.te

@@ -1,7 +1,8 @@
 type disable-contaminant-detection-sh, domain;
-type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+type disable-contaminant-detection-sh_exec, exec_type, file_type, vendor_file_type;
+
 init_daemon_domain(disable-contaminant-detection-sh)
 
-allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
 allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
 allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;

sepolicy/vendor/dmd.te

@@ -1,29 +1,27 @@
 type dmd, domain;
-type dmd_exec, vendor_file_type, exec_type, file_type;
+type dmd_exec, exec_type, file_type, vendor_file_type;
+
+binder_call(dmd, hwservicemanager)
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_app)
+
+get_prop(dmd, hwservicemanager_prop)
+get_prop(dmd, vendor_persist_config_default_prop)
+
 init_daemon_domain(dmd)
 
-# Grant to access serial device for external logging tool
-allow dmd serial_device:chr_file rw_file_perms;
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_modem_prop)
+set_prop(dmd, vendor_slog_prop)
 
-# Grant to access radio device
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd node:tcp_socket node_bind;
 allow dmd radio_device:chr_file rw_file_perms;
-
-# Grant to access slog dir/file
+allow dmd self:tcp_socket { accept create_socket_perms_no_ioctl listen };
+allow dmd serial_device:chr_file rw_file_perms;
 allow dmd vendor_slog_file:dir create_dir_perms;
 allow dmd vendor_slog_file:file create_file_perms;
 
-# Grant to access tcp socket
-allow dmd node:tcp_socket node_bind;
-allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
-
-# Grant to access log related properties
-set_prop(dmd, vendor_diag_prop)
-set_prop(dmd, vendor_slog_prop)
-set_prop(dmd, vendor_modem_prop)
-
-get_prop(dmd, vendor_persist_config_default_prop)
-
-# Grant to access hwservice manager
-get_prop(dmd, hwservicemanager_prop)
-
-binder_call(dmd, hwservicemanager)
+dontaudit dmd servicemanager:binder call;

sepolicy/vendor/domain.te

@@ -0,0 +1 @@
+get_prop(domain, vendor_arm_runtime_option_prop)

sepolicy/vendor/dump_aoc.te

@@ -0,0 +1,8 @@
+pixel_bugreport(dump_aoc)
+
+allow dump_aoc aoc_device:chr_file rw_file_perms;
+allow dump_aoc sysfs:dir r_dir_perms;
+allow dump_aoc sysfs_aoc:dir search;
+allow dump_aoc sysfs_aoc_dumpstate:file r_file_perms;
+allow dump_aoc vendor_shell_exec:file execute_no_trans;
+allow dump_aoc vendor_toolbox_exec:file execute_no_trans;

sepolicy/vendor/dump_bcmbt.te

@@ -0,0 +1 @@
+pixel_bugreport(dump_bcmbt)

sepolicy/vendor/dump_camera.te

@@ -0,0 +1 @@
+pixel_bugreport(dump_camera)

sepolicy/vendor/dump_devfreq.te

@@ -0,0 +1,5 @@
+pixel_bugreport(dump_devfreq)
+
+allow dump_devfreq sysfs_cpu:file r_file_perms;
+allow dump_devfreq sysfs_exynos_bts:dir r_dir_perms;
+allow dump_devfreq sysfs_exynos_bts_stats:file r_file_perms;

sepolicy/vendor/dump_exynos_display.te

@@ -0,0 +1,12 @@
+binder_call(dump_exynos_display, hal_graphics_composer_default)
+
+pixel_bugreport(dump_exynos_display)
+
+vndbinder_use(dump_exynos_display)
+
+allow dump_exynos_display sysfs_display:file r_file_perms;
+allow dump_exynos_display vendor_displaycolor_service:service_manager find;
+allow dump_exynos_display vendor_dumpsys:file execute_no_trans;
+allow dump_exynos_display vendor_shell_exec:file execute_no_trans;
+
+dontaudit dump_exynos_display sysfs:file read;

sepolicy/vendor/dump_exynos_display_userdebug.te

@@ -0,0 +1 @@
+pixel_bugreport(dump_exynos_display_userdebug)

sepolicy/vendor/dump_fingerprint.te

@@ -0,0 +1,4 @@
+pixel_bugreport(dump_fingerprint)
+
+allow dump_fingerprint fingerprint_vendor_data_file:dir r_dir_perms;
+allow dump_fingerprint fingerprint_vendor_data_file:file r_file_perms;