Add 'sepolicy/' from tag 'android-15.0.0_r1'

git-subtree-dir: sepolicy git-subtree-mainline: 569ade8120 git-subtree-split: 177403b796 Change-Id: I9398cfce20bee720d0628bf2c07b7a7efdcea111
2024-09-29 12:58:04 +03:00 · 2024-09-29 12:58:04 +03:00 · fefa0ed722
commit fefa0ed722
parent 569ade8120 177403b796
197 changed files with 3336 additions and 0 deletions
--- a/sepolicy/OWNERS
+++ b/sepolicy/OWNERS
@ -0,0 +1,4 @@
+include device/google/gs-common:/sepolicy/OWNERS
+
+adamshih@google.com
+
--- a/sepolicy/confirmationui/device.te
+++ b/sepolicy/confirmationui/device.te
@ -0,0 +1 @@
+type tui_device, dev_type;
--- a/sepolicy/confirmationui/file_contexts
+++ b/sepolicy/confirmationui/file_contexts
@ -0,0 +1,4 @@
+/vendor/bin/securedpud\.slider                                                   u:object_r:securedpud_slider_exec:s0
+/vendor/bin/hw/android\.hardware\.confirmationui-service\.trusty\.vendor    u:object_r:hal_confirmationui_default_exec:s0
+
+/dev/tui-driver                                                                  u:object_r:tui_device:s0
--- a/sepolicy/confirmationui/hal_confirmationui.te
+++ b/sepolicy/confirmationui/hal_confirmationui.te
@ -0,0 +1,13 @@
+allow hal_confirmationui_default tee_device:chr_file rw_file_perms;
+
+binder_call(hal_confirmationui_default, keystore)
+
+vndbinder_use(hal_confirmationui_default)
+binder_call(hal_confirmationui_default, citadeld)
+allow hal_confirmationui_default citadeld_service:service_manager find;
+
+allow hal_confirmationui_default input_device:chr_file rw_file_perms;
+allow hal_confirmationui_default input_device:dir r_dir_perms;
+
+allow hal_confirmationui_default dmabuf_system_heap_device:chr_file r_file_perms;
+allow hal_confirmationui_default ion_device:chr_file r_file_perms;
--- a/sepolicy/confirmationui/securedpud.slider.te
+++ b/sepolicy/confirmationui/securedpud.slider.te
@ -0,0 +1,11 @@
+type securedpud_slider, domain;
+type securedpud_slider_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(securedpud_slider)
+
+wakelock_use(securedpud_slider)
+
+allow securedpud_slider dmabuf_heap_device:chr_file r_file_perms;
+allow securedpud_slider ion_device:chr_file r_file_perms;
+allow securedpud_slider tee_device:chr_file rw_file_perms;
+allow securedpud_slider tui_device:chr_file rw_file_perms;
--- a/sepolicy/display/common/file.te
+++ b/sepolicy/display/common/file.te
@ -0,0 +1 @@
+type persist_display_file, file_type, vendor_persist_type;
--- a/sepolicy/display/common/file_contexts
+++ b/sepolicy/display/common/file_contexts
@ -0,0 +1 @@
+/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0
--- a/sepolicy/display/gs101/genfs_contexts
+++ b/sepolicy/display/gs101/genfs_contexts
@ -0,0 +1,18 @@
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/backlight                 u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/panel_name                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/serial_number             u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2c0000.drmdsim/1c2c0000.drmdsim.0/refresh_rate              u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2C0000/panel@0/compatible                 u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/backlight                 u:object_r:sysfs_leds:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/panel_name                u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/serial_number             u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c2d0000.drmdsim/1c2d0000.drmdsim.0/refresh_rate              u:object_r:sysfs_display:s0
+genfscon sysfs /firmware/devicetree/base/drmdsim@0x1C2D0000/panel@0/compatible                 u:object_r:sysfs_display:s0
+
+genfscon sysfs /module/drm/parameters/vblankoffdelay                                           u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/1c300000.drmdecon/dqe0/atc                                     u:object_r:sysfs_display:s0
+genfscon sysfs /devices/platform/1c300000.drmdecon/early_wakeup                                u:object_r:sysfs_display:s0
+
+genfscon sysfs /devices/platform/exynos-drm/tui_status                                         u:object_r:sysfs_display:s0
--- a/sepolicy/display/gs101/hal_graphics_composer_default.te
+++ b/sepolicy/display/gs101/hal_graphics_composer_default.te
@ -0,0 +1,46 @@
+allow hal_graphics_composer_default video_device:chr_file rw_file_perms;
+add_service(hal_graphics_composer_default, vendor_surfaceflinger_vndservice)
+hal_client_domain(hal_graphics_composer_default, hal_graphics_allocator)
+allow hal_graphics_composer_default self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+vndbinder_use(hal_graphics_composer_default)
+
+userdebug_or_eng(`
+    allow hal_graphics_composer_default vendor_log_file:dir create_dir_perms;
+
+    # For HWC/libdisplaycolor to generate calibration file.
+    allow hal_graphics_composer_default persist_display_file:file create_file_perms;
+    allow hal_graphics_composer_default persist_display_file:dir rw_dir_perms;
+')
+
+# allow HWC/libdisplaycolor to read calibration data
+allow hal_graphics_composer_default mnt_vendor_file:dir search;
+allow hal_graphics_composer_default persist_file:dir search;
+allow hal_graphics_composer_default persist_display_file:file r_file_perms;
+allow hal_graphics_composer_default persist_display_file:dir search;
+
+# allow HWC to r/w backlight
+allow hal_graphics_composer_default sysfs_leds:dir r_dir_perms;
+allow hal_graphics_composer_default sysfs_leds:file rw_file_perms;
+
+# allow HWC to get vendor_persist_sys_default_prop
+get_prop(hal_graphics_composer_default, vendor_persist_sys_default_prop)
+
+# allow HWC to get/set vendor_display_prop
+set_prop(hal_graphics_composer_default, vendor_display_prop)
+
+# allow HWC to get device_config_surface_flinger_native_boot_prop for adpf flags
+get_prop(hal_graphics_composer_default, device_config_surface_flinger_native_boot_prop)
+
+# allow HWC to access vendor_displaycolor_service
+add_service(hal_graphics_composer_default, vendor_displaycolor_service)
+
+add_service(hal_graphics_composer_default, hal_pixel_display_service)
+binder_use(hal_graphics_composer_default)
+get_prop(hal_graphics_composer_default, boot_status_prop);
+
+# allow HWC to access vendor log file
+allow hal_graphics_composer_default vendor_log_file:file create_file_perms;
+
+# allow HWC to output to dumpstate via pipe fd
+allow hal_graphics_composer_default hal_dumpstate_default:fifo_file { append write };
+allow hal_graphics_composer_default hal_dumpstate_default:fd use;
--- a/sepolicy/gs101-sepolicy.mk
+++ b/sepolicy/gs101-sepolicy.mk
@ -0,0 +1,32 @@
+# sepolicy that are shared among devices using whitechapel
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/whitechapel/vendor/google
+
+# unresolved SELinux error log with bug tracking
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/tracking_denials
+
+PRODUCT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/private
+
+# Display
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/common
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/display/gs101
+
+# system_ext
+SYSTEM_EXT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/public
+SYSTEM_EXT_PRIVATE_SEPOLICY_DIRS += device/google/gs101-sepolicy/system_ext/private
+
+#
+# Pixel-wide
+#
+#   PowerStats HAL
+BOARD_SEPOLICY_DIRS += hardware/google/pixel-sepolicy/powerstats
+
+# Public
+PRODUCT_PUBLIC_SEPOLICY_DIRS += device/google/gs101-sepolicy/public
+
+# pKVM
+ifeq ($(TARGET_PKVM_ENABLED),true)
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/pkvm
+endif
+
+# Health HAL
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/health
--- a/sepolicy/health/file_contexts
+++ b/sepolicy/health/file_contexts
@ -0,0 +1 @@
+/vendor/bin/hw/android\.hardware\.health-service\.gs101  u:object_r:hal_health_default_exec:s0
--- a/sepolicy/modem/user/dmd.te
+++ b/sepolicy/modem/user/dmd.te
@ -0,0 +1,29 @@
+type dmd, domain;
+type dmd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(dmd)
+
+# Grant to access serial device for external logging tool
+allow dmd serial_device:chr_file rw_file_perms;
+
+# Grant to access radio device
+allow dmd radio_device:chr_file rw_file_perms;
+
+# Grant to access slog dir/file
+allow dmd vendor_slog_file:dir create_dir_perms;
+allow dmd vendor_slog_file:file create_file_perms;
+
+# Grant to access tcp socket
+allow dmd node:tcp_socket node_bind;
+allow dmd self:tcp_socket { create_socket_perms_no_ioctl listen accept bind };
+
+# Grant to access log related properties
+set_prop(dmd, vendor_diag_prop)
+set_prop(dmd, vendor_slog_prop)
+set_prop(dmd, vendor_modem_prop)
+
+get_prop(dmd, vendor_persist_config_default_prop)
+
+# Grant to access hwservice manager
+get_prop(dmd, hwservicemanager_prop)
+
+binder_call(dmd, hwservicemanager)
--- a/sepolicy/modem/user/file.te
+++ b/sepolicy/modem/user/file.te
@ -0,0 +1 @@
+type vendor_slog_file, file_type, data_file_type, mlstrustedobject;
--- a/sepolicy/modem/user/file_contexts
+++ b/sepolicy/modem/user/file_contexts
@ -0,0 +1,2 @@
+/data/vendor/slog(/.*)?      u:object_r:vendor_slog_file:s0
+/vendor/bin/dmd              u:object_r:dmd_exec:s0
--- a/sepolicy/modem/user/property.te
+++ b/sepolicy/modem/user/property.te
@ -0,0 +1,3 @@
+vendor_internal_prop(vendor_diag_prop)
+vendor_internal_prop(vendor_slog_prop)
+vendor_internal_prop(vendor_modem_prop)
--- a/sepolicy/modem/user/property_contexts
+++ b/sepolicy/modem/user/property_contexts
@ -0,0 +1,14 @@
+# for dmd
+persist.vendor.sys.dm.       u:object_r:vendor_diag_prop:s0
+persist.vendor.sys.diag.     u:object_r:vendor_diag_prop:s0
+vendor.sys.dmd.              u:object_r:vendor_diag_prop:s0
+vendor.sys.diag.             u:object_r:vendor_diag_prop:s0
+
+# for modem
+persist.vendor.modem.        u:object_r:vendor_modem_prop:s0
+vendor.modem.                u:object_r:vendor_modem_prop:s0
+vendor.sys.modem.            u:object_r:vendor_modem_prop:s0
+ro.vendor.sys.modem.         u:object_r:vendor_modem_prop:s0
+vendor.sys.exynos.modempath  u:object_r:vendor_modem_prop:s0
+persist.vendor.sys.modem.    u:object_r:vendor_modem_prop:s0
+
--- a/sepolicy/modem/userdebug/file_contexts
+++ b/sepolicy/modem/userdebug/file_contexts
@ -0,0 +1 @@
+/vendor/bin/vcd                u:object_r:vcd_exec:s0
--- a/sepolicy/modem/userdebug/vcd.te
+++ b/sepolicy/modem/userdebug/vcd.te
@ -0,0 +1,11 @@
+type vcd, domain;
+type vcd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(vcd)
+
+get_prop(vcd, vendor_rild_prop);
+get_prop(vcd, vendor_persist_config_default_prop);
+
+allow vcd serial_device:chr_file rw_file_perms;
+allow vcd radio_device:chr_file rw_file_perms;
+allow vcd self:tcp_socket { create_socket_perms_no_ioctl listen accept };
+allow vcd node:tcp_socket node_bind;
--- a/sepolicy/oriole-sepolicy.mk
+++ b/sepolicy/oriole-sepolicy.mk
@ -0,0 +1,2 @@
+# Oriole only sepolicy
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/oriole
--- a/sepolicy/oriole/euiccpixel_app.te
+++ b/sepolicy/oriole/euiccpixel_app.te
@ -0,0 +1,6 @@
+# EuiccSupportPixel app
+
+userdebug_or_eng(`
+    allow euiccpixel_app sysfs_touch:dir search;
+')
+
--- a/sepolicy/oriole/grilservice_app.te
+++ b/sepolicy/oriole/grilservice_app.te
@ -0,0 +1 @@
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
--- a/sepolicy/pkvm/file_contexts
+++ b/sepolicy/pkvm/file_contexts
@ -0,0 +1 @@
+/vendor/bin/pkvm_enabler             u:object_r:vendor_misc_writer_exec:s0
--- a/sepolicy/pkvm/vendor_misc_writer.te
+++ b/sepolicy/pkvm/vendor_misc_writer.te
@ -0,0 +1,2 @@
+# Allow pkvm_enabler to execute misc_writer.
+allow vendor_misc_writer vendor_misc_writer_exec:file execute_no_trans;
--- a/sepolicy/private/gmscore_app.te
+++ b/sepolicy/private/gmscore_app.te
@ -0,0 +1,3 @@
+# b/177389198
+dontaudit gmscore_app adbd_prop:file *;
+dontaudit gmscore_app proc_vendor_sched:file write;
--- a/sepolicy/private/hal_dumpstate_default.te
+++ b/sepolicy/private/hal_dumpstate_default.te
@ -0,0 +1,2 @@
+# b/176868217
+dontaudit hal_dumpstate adbd_prop:file *;
--- a/sepolicy/private/incidentd.te
+++ b/sepolicy/private/incidentd.te
@ -0,0 +1,14 @@
+# b/174961589
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file open ;
+dontaudit incidentd adbd_prop:file getattr ;
+dontaudit incidentd adbd_prop:file map ;
+dontaudit incidentd apexd_prop:file open ;
+dontaudit incidentd adbd_config_prop:file getattr ;
+dontaudit incidentd adbd_config_prop:file map ;
+dontaudit incidentd adbd_prop:file map ;
--- a/sepolicy/private/lpdumpd.te
+++ b/sepolicy/private/lpdumpd.te
@ -0,0 +1,7 @@
+# b/177176997
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file getattr ;
+dontaudit lpdumpd block_device:blk_file read ;
+dontaudit lpdumpd block_device:blk_file read ;
--- a/sepolicy/private/permissioncontroller_app.te
+++ b/sepolicy/private/permissioncontroller_app.te
@ -0,0 +1,3 @@
+allow permissioncontroller_app proc_vendor_sched:dir r_dir_perms;
+allow permissioncontroller_app proc_vendor_sched:file w_file_perms;
+
--- a/sepolicy/private/priv_app.te
+++ b/sepolicy/private/priv_app.te
@ -0,0 +1,20 @@
+# b/178433525
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app adbd_prop:file { map };
+dontaudit priv_app aac_drc_prop:file { open };
+dontaudit priv_app aac_drc_prop:file { getattr };
+dontaudit priv_app aac_drc_prop:file { map };
+dontaudit priv_app ab_update_gki_prop:file { open };
+dontaudit priv_app ab_update_gki_prop:file { getattr };
+dontaudit priv_app ab_update_gki_prop:file { map };
+dontaudit priv_app adbd_prop:file { open };
+dontaudit priv_app adbd_prop:file { getattr };
+dontaudit priv_app proc_vendor_sched:file write;
--- a/sepolicy/private/radio.te
+++ b/sepolicy/private/radio.te
@ -0,0 +1 @@
+add_service(radio, uce_service)
--- a/sepolicy/private/service_contexts
+++ b/sepolicy/private/service_contexts
@ -0,0 +1 @@
+telephony.oem.oemrilhook        u:object_r:radio_service:s0
--- a/sepolicy/private/untrusted_app_25.te
+++ b/sepolicy/private/untrusted_app_25.te
@ -0,0 +1,2 @@
+# b/177389321
+dontaudit untrusted_app_25 adbd_prop:file *;
--- a/sepolicy/private/wait_for_keymaster.te
+++ b/sepolicy/private/wait_for_keymaster.te
@ -0,0 +1,2 @@
+# b/188114822
+dontaudit wait_for_keymaster servicemanager:binder transfer;
--- a/sepolicy/raven-sepolicy.mk
+++ b/sepolicy/raven-sepolicy.mk
@ -0,0 +1,2 @@
+# Ravne only sepolicy
+BOARD_SEPOLICY_DIRS += device/google/gs101-sepolicy/raven
--- a/sepolicy/raven/cccdk_timesync_app.te
+++ b/sepolicy/raven/cccdk_timesync_app.te
@ -0,0 +1 @@
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find;
--- a/sepolicy/raven/euiccpixel_app.te
+++ b/sepolicy/raven/euiccpixel_app.te
@ -0,0 +1,6 @@
+# EuiccSupportPixel app
+
+userdebug_or_eng(`
+    allow euiccpixel_app sysfs_touch:dir search;
+')
+
--- a/sepolicy/raven/grilservice_app.te
+++ b/sepolicy/raven/grilservice_app.te
@ -0,0 +1 @@
+allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;
--- a/sepolicy/system_ext/private/con_monitor.te
+++ b/sepolicy/system_ext/private/con_monitor.te
@ -0,0 +1,7 @@
+typeattribute con_monitor_app coredomain;
+
+app_domain(con_monitor_app)
+
+set_prop(con_monitor_app, radio_prop)
+allow con_monitor_app app_api_service:service_manager find;
+allow con_monitor_app radio_service:service_manager find;
--- a/sepolicy/system_ext/private/euicc_app.te
+++ b/sepolicy/system_ext/private/euicc_app.te
@ -0,0 +1,13 @@
+type euicc_app, domain, coredomain;
+app_domain(euicc_app)
+net_domain(euicc_app)
+bluetooth_domain(euicc_app)
+
+allow euicc_app app_api_service:service_manager find;
+allow euicc_app radio_service:service_manager find;
+allow euicc_app cameraserver_service:service_manager find;
+
+get_prop(euicc_app, camera_config_prop)
+get_prop(euicc_app, bootloader_prop)
+get_prop(euicc_app, exported_default_prop)
+get_prop(euicc_app, esim_modem_prop)
--- a/sepolicy/system_ext/private/hbmsvmanager_app.te
+++ b/sepolicy/system_ext/private/hbmsvmanager_app.te
@ -0,0 +1,11 @@
+typeattribute hbmsvmanager_app coredomain;
+
+app_domain(hbmsvmanager_app);
+
+allow hbmsvmanager_app proc_vendor_sched:dir r_dir_perms;
+allow hbmsvmanager_app proc_vendor_sched:file w_file_perms;
+
+# Standard system services
+allow hbmsvmanager_app app_api_service:service_manager find;
+
+allow hbmsvmanager_app cameraserver_service:service_manager find;
--- a/sepolicy/system_ext/private/pixelntnservice_app.te
+++ b/sepolicy/system_ext/private/pixelntnservice_app.te
@ -0,0 +1,5 @@
+typeattribute pixelntnservice_app coredomain;
+
+app_domain(pixelntnservice_app);
+allow pixelntnservice_app app_api_service:service_manager find;
+set_prop(pixelntnservice_app, telephony_modem_prop)
--- a/sepolicy/system_ext/private/platform_app.te
+++ b/sepolicy/system_ext/private/platform_app.te
@ -0,0 +1,5 @@
+# allow systemui to set boot animation colors
+set_prop(platform_app, bootanim_system_prop);
+
+# allow systemui to access fingerprint
+hal_client_domain(platform_app, hal_fingerprint)
--- a/sepolicy/system_ext/private/property.te
+++ b/sepolicy/system_ext/private/property.te
@ -0,0 +1,5 @@
+neverallow {
+  domain
+  -init
+  -vendor_init
+} esim_modem_prop:property_service set;
--- a/sepolicy/system_ext/private/property_contexts
+++ b/sepolicy/system_ext/private/property_contexts
@ -0,0 +1,9 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+persist.fingerprint.ghbm    u:object_r:fingerprint_ghbm_prop:s0    exact    bool
+
+# Properties for euicc
+persist.modem.esim_profiles_exist            u:object_r:esim_modem_prop:s0    exact    string
+
+# Telephony
+telephony.TnNtn.image_switch u:object_r:telephony_modem_prop:s0    exact enum ntn tn
+telephony.ril.silent_reset    u:object_r:telephony_ril_prop:s0    exact    bool
--- a/sepolicy/system_ext/private/seapp_contexts
+++ b/sepolicy/system_ext/private/seapp_contexts
@ -0,0 +1,11 @@
+# Domain for EuiccGoogle
+user=_app isPrivApp=true  name=com.google.android.euicc domain=euicc_app type=privapp_data_file levelFrom=user
+
+# Domain for connectivity monitor
+user=_app isPrivApp=true seinfo=platform name=com.google.android.connectivitymonitor domain=con_monitor_app type=app_data_file levelFrom=all
+
+# HbmSVManager
+user=_app seinfo=platform name=com.android.hbmsvmanager domain=hbmsvmanager_app type=app_data_file levelFrom=all
+
+# PixelNtnService
+user=system seinfo=platform name=com.google.android.satellite domain=pixelntnservice_app type=app_data_file levelFrom=all
--- a/sepolicy/system_ext/public/con_monitor.te
+++ b/sepolicy/system_ext/public/con_monitor.te
@ -0,0 +1,2 @@
+# ConnectivityMonitor app
+type con_monitor_app, domain;
--- a/sepolicy/system_ext/public/hbmsvmanager_app.te
+++ b/sepolicy/system_ext/public/hbmsvmanager_app.te
@ -0,0 +1 @@
+type hbmsvmanager_app, domain;
--- a/sepolicy/system_ext/public/pixelntnservice_app.te
+++ b/sepolicy/system_ext/public/pixelntnservice_app.te
@ -0,0 +1 @@
+type pixelntnservice_app, domain;
--- a/sepolicy/system_ext/public/property.te
+++ b/sepolicy/system_ext/public/property.te
@ -0,0 +1,13 @@
+# Fingerprint (UDFPS) GHBM/LHBM toggle
+system_vendor_config_prop(fingerprint_ghbm_prop)
+
+# eSIM properties
+system_vendor_config_prop(esim_modem_prop)
+
+# Telephony
+system_public_prop(telephony_ril_prop)
+system_restricted_prop(telephony_modem_prop)
+
+userdebug_or_eng(`
+  set_prop(shell, telephony_ril_prop)
+')
--- a/sepolicy/telephony/pktrouter/device.te
+++ b/sepolicy/telephony/pktrouter/device.te
@ -0,0 +1 @@
+type pktrouter_device, dev_type;
--- a/sepolicy/telephony/pktrouter/file_contexts
+++ b/sepolicy/telephony/pktrouter/file_contexts
@ -0,0 +1,4 @@
+# WFC
+/vendor/bin/wfc-pkt-router     u:object_r:pktrouter_exec:s0
+
+/dev/umts_wfc[01]              u:object_r:pktrouter_device:s0
--- a/sepolicy/telephony/pktrouter/netutils_wrapper.te
+++ b/sepolicy/telephony/pktrouter/netutils_wrapper.te
@ -0,0 +1,7 @@
+allow netutils_wrapper pktrouter:fd use;
+allow netutils_wrapper pktrouter:fifo_file write;
+allow netutils_wrapper pktrouter:netlink_route_socket { read write };
+allow netutils_wrapper pktrouter:packet_socket { read write };
+allow netutils_wrapper pktrouter:rawip_socket { read write };
+allow netutils_wrapper pktrouter:udp_socket { read write };
+allow netutils_wrapper pktrouter_device:chr_file rw_file_perms;
--- a/sepolicy/telephony/pktrouter/pktrouter.te
+++ b/sepolicy/telephony/pktrouter/pktrouter.te
@ -0,0 +1,14 @@
+type pktrouter, domain;
+type pktrouter_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(pktrouter)
+net_domain(pktrouter)
+
+domain_auto_trans(pktrouter, netutils_wrapper_exec, netutils_wrapper);
+
+allow pktrouter pktrouter_device:chr_file rw_file_perms;
+allow pktrouter radio_device:chr_file r_file_perms;
+allow pktrouter self:netlink_route_socket nlmsg_write;
+allow pktrouter self:packet_socket { bind create read write getattr shutdown};
+allow pktrouter self:capability net_raw;
+
+get_prop(pktrouter, vendor_ims_prop);
--- a/sepolicy/telephony/pktrouter/property.te
+++ b/sepolicy/telephony/pktrouter/property.te
@ -0,0 +1 @@
+vendor_internal_prop(vendor_ims_prop)
--- a/sepolicy/telephony/pktrouter/property_contexts
+++ b/sepolicy/telephony/pktrouter/property_contexts
@ -0,0 +1,3 @@
+# for ims service
+vendor.pktrouter              u:object_r:vendor_ims_prop:s0
+
--- a/sepolicy/telephony/pktrouter/vendor_init.te
+++ b/sepolicy/telephony/pktrouter/vendor_init.te
@ -0,0 +1 @@
+set_prop(vendor_init, vendor_ims_prop)
--- a/sepolicy/telephony/user/file_contexts
+++ b/sepolicy/telephony/user/file_contexts
@ -0,0 +1,3 @@
+# ECC List
+/vendor/bin/init\.radio\.sh     u:object_r:init_radio_exec:s0
+
--- a/sepolicy/telephony/user/init_radio.te
+++ b/sepolicy/telephony/user/init_radio.te
@ -0,0 +1,8 @@
+type init_radio, domain;
+type init_radio_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(init_radio);
+
+allow init_radio vendor_toolbox_exec:file execute_no_trans;
+allow init_radio radio_vendor_data_file:dir create_dir_perms;
+allow init_radio radio_vendor_data_file:file create_file_perms;
--- a/sepolicy/tracking_denials/bug_map
+++ b/sepolicy/tracking_denials/bug_map
@ -0,0 +1,23 @@
+
+chre vendor_data_file dir b/301948771
+dump_display sysfs file b/340722772
+hal_power_default hal_power_default capability b/240632824
+hal_sensors_default sysfs file b/340723303
+hal_vibrator_default default_android_service service_manager b/317316478
+incidentd debugfs_wakeup_sources file b/282626428
+incidentd incidentd anon_inode b/282626428
+kernel dm_device blk_file b/315907959
+kernel kernel capability b/340722537
+kernel kernel capability b/340723030
+kernel tmpfs chr_file b/315907959
+rfsd vendor_cbd_prop file b/317734418
+shell sysfs_net file b/329380904
+surfaceflinger selinuxfs file b/313804340
+untrusted_app nativetest_data_file dir b/305600845
+untrusted_app shell_test_data_file dir b/305600845
+untrusted_app system_data_root_file dir b/305600845
+untrusted_app userdebug_or_eng_prop file b/305600845
+vendor_init debugfs_trace_marker file b/340723222
+vendor_init default_prop file b/315104713
+vendor_init default_prop file b/316817111
+vendor_init default_prop property_service b/315104713
--- a/sepolicy/tracking_denials/dmd.te
+++ b/sepolicy/tracking_denials/dmd.te
@ -0,0 +1,2 @@
+#b/303391666
+dontaudit dmd servicemanager:binder { call };
--- a/sepolicy/tracking_denials/dumpstate.te
+++ b/sepolicy/tracking_denials/dumpstate.te
@ -0,0 +1,2 @@
+# b/277155042
+dontaudit dumpstate hal_power_stats_vendor_service:service_manager { find };
--- a/sepolicy/tracking_denials/rebalance_interrupts_vendor.te
+++ b/sepolicy/tracking_denials/rebalance_interrupts_vendor.te
@ -0,0 +1,2 @@
+# b/189275648
+dontaudit rebalance_interrupts_vendor rebalance_interrupts_vendor:capability dac_override;
--- a/sepolicy/tracking_denials/servicemanager.te
+++ b/sepolicy/tracking_denials/servicemanager.te
@ -0,0 +1,2 @@
+# b/305600595
+dontaudit servicemanager hal_thermal_default:binder call;
--- a/sepolicy/trusty_metricsd/file_contexts
+++ b/sepolicy/trusty_metricsd/file_contexts
@ -0,0 +1 @@
+/vendor/bin/trusty_metricsd          u:object_r:trusty_metricsd_exec:s0
--- a/sepolicy/trusty_metricsd/trusty_metricsd.te
+++ b/sepolicy/trusty_metricsd/trusty_metricsd.te
@ -0,0 +1,11 @@
+type trusty_metricsd, domain;
+type trusty_metricsd_exec, exec_type, vendor_file_type, file_type;
+
+init_daemon_domain(trusty_metricsd)
+
+allow trusty_metricsd tee_device:chr_file rw_file_perms;
+
+# For Suez metrics collection
+binder_use(trusty_metricsd)
+binder_call(trusty_metricsd, system_server)
+allow trusty_metricsd fwk_stats_service:service_manager find;
--- a/sepolicy/whitechapel/vendor/google/attributes
+++ b/sepolicy/whitechapel/vendor/google/attributes
@ -0,0 +1 @@
+attribute vendor_persist_type;
--- a/sepolicy/whitechapel/vendor/google/audioserver.te
+++ b/sepolicy/whitechapel/vendor/google/audioserver.te
@ -0,0 +1,3 @@
+# allow access to ALSA MMAP FDs for AAudio API
+allow audioserver audio_device:chr_file r_file_perms;
+allow audioserver audio_service:service_manager find;
--- a/sepolicy/whitechapel/vendor/google/bipchmgr.te
+++ b/sepolicy/whitechapel/vendor/google/bipchmgr.te
@ -0,0 +1,9 @@
+type bipchmgr, domain;
+type bipchmgr_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(bipchmgr)
+
+get_prop(bipchmgr, hwservicemanager_prop);
+
+allow bipchmgr hal_exynos_rild_hwservice:hwservice_manager find;
+hwbinder_use(bipchmgr)
+binder_call(bipchmgr, rild)
--- a/sepolicy/whitechapel/vendor/google/bluetooth.te
+++ b/sepolicy/whitechapel/vendor/google/bluetooth.te
@ -0,0 +1,3 @@
+allow bluetooth proc_vendor_sched:dir search;
+allow bluetooth proc_vendor_sched:file w_file_perms;
+
--- a/sepolicy/whitechapel/vendor/google/bootanim.te
+++ b/sepolicy/whitechapel/vendor/google/bootanim.te
@ -0,0 +1,5 @@
+# TODO(b/62954877). On Android Wear, bootanim reads the time
+# during boot to display. It currently gets that time from a file
+# in /data/system. This should be moved. In the meantime, suppress
+# this denial on phones since this functionality is not used.
+dontaudit bootanim system_data_file:dir r_dir_perms;
--- a/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te
+++ b/sepolicy/whitechapel/vendor/google/bootdevice_sysdev.te
@ -0,0 +1 @@
+allow bootdevice_sysdev sysfs:filesystem associate;
--- a/sepolicy/whitechapel/vendor/google/bug_map
+++ b/sepolicy/whitechapel/vendor/google/bug_map
@ -0,0 +1,3 @@
+permissioncontroller_app proc_vendor_sched file b/190671898
+vendor_ims_app default_prop file b/194281028
+hal_fingerprint_default default_prop property_service b/215640468
--- a/sepolicy/whitechapel/vendor/google/cbd.te
+++ b/sepolicy/whitechapel/vendor/google/cbd.te
@ -0,0 +1,65 @@
+type cbd, domain;
+type cbd_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(cbd)
+
+set_prop(cbd, vendor_modem_prop)
+set_prop(cbd, vendor_cbd_prop)
+set_prop(cbd, vendor_rild_prop)
+get_prop(cbd, telephony_modem_prop)
+
+# Allow cbd to setuid from root to radio
+# TODO: confirming with vendor via b/182334947
+allow cbd self:capability { setgid setuid };
+
+allow cbd mnt_vendor_file:dir r_dir_perms;
+
+allow cbd kmsg_device:chr_file rw_file_perms;
+
+allow cbd vendor_shell_exec:file execute_no_trans;
+allow cbd vendor_toolbox_exec:file execute_no_trans;
+
+# Allow cbd to access modem block device
+allow cbd block_device:dir search;
+allow cbd modem_block_device:blk_file r_file_perms;
+
+# Allow cbd to access sysfs chosen files
+allow cbd sysfs_chosen:file r_file_perms;
+allow cbd sysfs_chosen:dir r_dir_perms;
+
+allow cbd radio_device:chr_file rw_file_perms;
+
+allow cbd proc_cmdline:file r_file_perms;
+
+allow cbd persist_modem_file:dir create_dir_perms;
+allow cbd persist_modem_file:file create_file_perms;
+allow cbd persist_file:dir search;
+
+allow cbd radio_vendor_data_file:dir create_dir_perms;
+allow cbd radio_vendor_data_file:file create_file_perms;
+
+# Allow cbd to operate with modem EFS file/dir
+allow cbd modem_efs_file:dir create_dir_perms;
+allow cbd modem_efs_file:file create_file_perms;
+
+# Allow cbd to operate with modem userdata file/dir
+allow cbd modem_userdata_file:dir create_dir_perms;
+allow cbd modem_userdata_file:file create_file_perms;
+
+# Allow cbd to access modem image file/dir
+allow cbd modem_img_file:dir r_dir_perms;
+allow cbd modem_img_file:file r_file_perms;
+allow cbd modem_img_file:lnk_file r_file_perms;
+
+# Allow cbd to collect crash info
+allow cbd sscoredump_vendor_data_crashinfo_file:dir create_dir_perms;
+allow cbd sscoredump_vendor_data_crashinfo_file:file create_file_perms;
+
+userdebug_or_eng(`
+  r_dir_file(cbd, vendor_slog_file)
+
+  allow cbd kernel:system syslog_read;
+
+  allow cbd sscoredump_vendor_data_coredump_file:dir create_dir_perms;
+  allow cbd sscoredump_vendor_data_coredump_file:file create_file_perms;
+')
+
--- a/sepolicy/whitechapel/vendor/google/cbrs_setup.te
+++ b/sepolicy/whitechapel/vendor/google/cbrs_setup.te
@ -0,0 +1,13 @@
+# GoogleCBRS app
+type cbrs_setup_app, domain;
+
+userdebug_or_eng(`
+  app_domain(cbrs_setup_app)
+  net_domain(cbrs_setup_app)
+
+  allow cbrs_setup_app app_api_service:service_manager find;
+  allow cbrs_setup_app cameraserver_service:service_manager find;
+  allow cbrs_setup_app radio_service:service_manager find;
+  set_prop(cbrs_setup_app, radio_prop)
+  set_prop(cbrs_setup_app, vendor_rild_prop)
+')
--- a/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te
+++ b/sepolicy/whitechapel/vendor/google/cccdk_timesync_app.te
@ -0,0 +1,10 @@
+type vendor_cccdktimesync_app, domain;
+app_domain(vendor_cccdktimesync_app)
+
+allow vendor_cccdktimesync_app app_api_service:service_manager find;
+
+binder_call(vendor_cccdktimesync_app, hal_bluetooth_btlinux)
+allow vendor_cccdktimesync_app hal_bluetooth_coexistence_hwservice:hwservice_manager find;
+
+# allow the HAL to call our registered callbacks
+binder_call(hal_bluetooth_btlinux, vendor_cccdktimesync_app)
--- a/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
+++ b/sepolicy/whitechapel/vendor/google/certs/EuiccSupportPixel.x509.pem
@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF2zCCA8OgAwIBAgIVAIFP2e+Gh4wn4YFsSI7fRB6AXjIsMA0GCSqGSIb3DQEBCwUAMH4xCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEaMBgGA1UEAxMRRXVpY2NTdXBw
+b3J0UGl4ZWwwHhcNMTkwMjI4MTkyMjE4WhcNNDkwMjI4MTkyMjE4WjB+MQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29v
+Z2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxGjAYBgNVBAMTEUV1aWNjU3VwcG9ydFBpeGVsMIIC
+IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqklePqeltzqnyXVch9eJRXFBRQQIBIJWhcXb
+WIP/kZ28ISnQ2SrZisdxqtvRIeInxb7lU1rRQDfqCFSp/vMZ3l25Ryn6OVLFP4bxV1vO797t7Ef/
+amYA1mFKBsD4KLaIGj0/2RpGesneCOb0jWl2yRgIO2Ez7Y4YgWU/IoickZDLp1u6/7e7E/Qq9OXK
+aXvtBSzooGrYC7eyKn7O21FOfz5cQRo4BipjJqXG5Ez8Vi+m/dL1IFRZheYttEf3v390vBcb0oJ0
+oYPzLxmnb1LchjZC3yLAknRA0hNt8clvJ3tjXFjtzCGKsQsT4rnvvGFFABJTCf3EdEiwBNS5U4ho
+9+EtH7PpuoC+uVv2rLv/Gb7stlGQGx32KmK2CfKED3PdNqoT7WRx6nvVjCk3i7afdUcxQxcS9td
+5r80CB1bQEhS2sWLWB21PJrfMugWUJO5Bwz6u0es8dP+4FAHojIaF6iwB5ZYIuHGcEaOviHm4jOK
+rrGMlLqTwuEhq2aVIP55u7XRV98JLs2hlE5DJOWCIsPxybUDiddFvR+yzi/4FimsxJlEmaQAQcki
+uJ9DceVP03StPzFJSDRlqa4yF6xkZW5piNoANQ4MyI67V2Qf8g/L1UPYAi4hUMxQGo7Clw2hBRag
+ZTm65Xc7+ovBYxl5YaXAmNoJbss34Lw8tdrn4EECAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNV
+HQ4EFgQU+hQdFrOGuCDI+bbebssw9TL5FcYwHwYDVR0jBBgwFoAU+hQdFrOGuCDI+bbebssw9TL5
+FcYwDQYJKoZIhvcNAQELBQADggIBAGmyZHXddei/zUUMowiyi/MTtqXf9hKDEN4zhAXkuiuHxqA9
+Ii0J1Sxz2dd5NkqMmtePKYFSGA884yVm1KAne/uoCWj57IK3jswiRYnKhXa293DxA/K9wY27IGbp
+ulSuuxbpjjV2tqGUuoNQGKX7Oy6s0GcibyZFc+LpD7ttGk5QoLC9qQdpXZgUv/yG2B99ERSXLCaL
+EWMNP/oVZQOCQGfsFM1fPLn3X0ZuCOQg9bljxFf3jTl+H6PIAhpCjKeeUQYLc41eQkCyR/f67aRB
+GvO4YDpXLn9eH23B+26rjPyFiVtMJ/jJZ7UEPeJ3XBj1COS/X7p9gGRS5rtfr9z7XxuMxvG0JU9U
+XA+bMfOOfCqflvw6IyUg+oxjBFIhgiP4fxna51+BqpctvB0OeRwUm6y4nN06AwqtD8SteQrEn0b0
+IDWOKlVeh0lJWrDDEHr55dXSF+CbOPUDmMxmGoulOEOy/qSWIQi8BfvdX+e88CmracNRYVffLuQj
+pRYN3TeiCJd+6/X9/x1Q8VLW7vOAb6uRyE2lOjX40DYBxK3xSq6J7Vp38f6z0vtQm2sAAQ4xqqon
+A9tB5p+nJlYHgSxXOZx3C13Rs/eMmiGCKkSpCTnGCgBC7PfJDdMK6SLw5Gn4oyGoZo4fXbADuHrU
+0JD1T1qdCm3aUSEmFgEA4rOL/0K3
+-----END CERTIFICATE-----
--- a/sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
+++ b/sepolicy/whitechapel/vendor/google/certs/com_google_android_apps_camera_services.x509.pem
@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIGCzCCA/OgAwIBAgIVAIHtywgrR7O/EgQ+PeYSfHDaUDt8MA0GCSqGSIb3DQEBCwUAMIGUMQsw
+CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEU
+MBIGA1UEChMLR29vZ2xlIEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxMDAuBgNVBAMMJ2NvbV9nb29n
+bGVfYW5kcm9pZF9hcHBzX2NhbWVyYV9zZXJ2aWNlczAgFw0yMTA2MzAyMzI2MThaGA8yMDUxMDYz
+MDIzMjYxOFowgZQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
+b3VudGFpbiBWaWV3MRQwEgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEwMC4G
+A1UEAwwnY29tX2dvb2dsZV9hbmRyb2lkX2FwcHNfY2FtZXJhX3NlcnZpY2VzMIICIjANBgkqhkiG
+9w0BAQEFAAOCAg8AMIICCgKCAgEAof2MqYxoQkV05oUZULYlNLDIJKryWjC8ha300YUktBNNVBSP
+1y33+ZTBldm7drcBGo54S1JE1lCIP1dMxby0rNTJ8/Zv2bMVMjXX0haF5vULt64itDcR0SqUDfFR
+UsHapPVmRmMpDOMOUYUbN7gjU7iYAc9oWBo6BFfckdpwwKfzYY/sgieen1E/MN7Zpzmefct3WDU5
+4Dc8mpoNsen3oqquieYAgv9FOw5gCIgsDaOfYFBgvAE08Pqo3J/zU6dAuqUJztNH8EhgTNbcaNVL
+jCmofa+iIAjSpmP69jcgaUyfmH0EE3/m55qouVRJzqARvmEO/M7LEr3n1ZKKhDZdO6TJysMzP9g8
+pONPO8/3hTQ+GP+7fOQooNQJEGNgJuZOHSyNL/8nGCgHBZKgZdZPKk8HV2M578UDf8yNyV5AYpx0
+VK1JdoBtNMzp0cv7Q6TTugIuDEzT3jmgGGp6WmXE6B9dJOq+cnVC7cSYva8wctFS3RpoqT79vkW3
+A7g2b26bM5GMQ8KcGC4qm4pJkrX5kKZWZGWXjm0F8gRJQ5D0S/AcUw3B+sG/AmfQzLm8SCK36HhO
+sFnPsQJ/VdL7kg9HHWrQYVexNaQnD/QLOCenk09COUzSwexws+kQhUH45OSbQFjOJwPbS4YAn9qV
+eV+DPlvemZEFYF5+MVlDwOGQ3JsCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtjMO
+nlaC4nsk4PwT+fcIYpg52JQwHwYDVR0jBBgwFoAUtjMOnlaC4nsk4PwT+fcIYpg52JQwDQYJKoZI
+hvcNAQELBQADggIBABhYDqPD2yWiXNCVtHk6h7Kb2H2U3rc8G7Or1/mwrXSCEgqHnCkpiWeb1h/5
+YNS9fRrexQD+O0hukCpjvIFccQvk8EkZdWpn4kDlrUqfakWpASzlwEqRviS31Hiybn/+QUpYuDTm
+FYorrHzDzPiNttzxVK0ENt4T4ETDWVqiGB7tbTlLPr6tz/oxDjRH8y4iS/For7SkfdI512txJgDr
+njvRVY9WJykySs+AAqwS1PIMXGoI03UmLJUsFNUjHehaqguPS1uiewlKiQq07blWbnQXdcyH7QTI
+hOUPY2rRBh8ciXu4L0Uk4To7+DP/8nHSGC7qXPvP6W3gqW1hj0d6GviMEfJ9fBSUEzaCRF3aL/5e
+JOGQQKxh7Jsl/zZs4+MYg0Q2cyg/BQVNNOhESG4et4OV5go9W+1oAy20FV0NgtdPoeb9ABNoi4T3
+IrKLgxOsbACpoDt3zPhncqiJhX3feFtyVV4oRiylydiiYO927qNdfMGmcnGFSG4814kUxSdpkoCA
+V7WCQD42zfBYj4pkdZwiJW4yZSaPWN/Eodi3PBsV+10Y1O1WOvebJuTGmcvWWMCPGtFQJDijUy4H
+r8rDe3ZmRGQ+vEGPJZC8nx9+qxLQ314ZCzdS0R1HwRRuOji3fCSCnaPQuCFe3YlzhB2j6fRGNf7F
+DB17LhMLl0GxX9j1
+-----END CERTIFICATE-----
--- a/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
+++ b/sepolicy/whitechapel/vendor/google/certs/com_google_mds.x509.pem
@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVAPZ4KZV2jpxRBCoVAidCu62l3cDqMA0GCSqGSIb3DQEBCwUAMHsxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEXMBUGA1UEAwwOY29tX2dvb2ds
+ZV9tZHMwHhcNMTkwNDIyMTQ1NzA1WhcNNDkwNDIyMTQ1NzA1WjB7MQswCQYDVQQGEwJVUzETMBEG
+A1UECBMKQ2FsaWZvcm5pYTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLR29vZ2xl
+IEluYy4xEDAOBgNVBAsTB0FuZHJvaWQxFzAVBgNVBAMMDmNvbV9nb29nbGVfbWRzMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAqgNC0hhI3NzaPUllJfe01hCTuEpl35D02+DKJ5prPFxv
+6KGTk6skjZOwV87Zf2pyj/cbnv28ioDjwvqMBe4ntFdKtH9gl2tTAVl69HMKXF4Iny/wnrt2mxzh
+WxFUd5PuW+mWug+UQw/NGUuaf5d/yys/RrchHKM1+zBV6aOzH6BXiwDoOF2i43d5GlNQ/tFuMySW
+LJftJN0QULFelxNDFFJZhw2P3c4opxjmF2yCoIiDfBEIhTZFKUbHX6YDLXmtUpXl35q+cxK4TCxP
+URyzwdfiyheF3TTxagfzhvXNg/ifrY67S4qCGfzoEMPxrTz02gS0u3D6r/2+hl9vAJChLKDNdIs6
+TqIw+YnABrELiZLLFnaABnjQ7xC3xv1s3W6dWxaxnoVMtC1YvdgwhC5gSpJ4A+AGcCLv96hoeB1I
+IoGV9Yt0Z97MFpXeHFpAxFZ1F9feBqwOCDbu50dmdKZvqGHZ4Ts3uy7ukDQ08dquHpT+NmqkmmW5
+GGhkuyZS3HHpU/QeVsZiyJCJBbDe5lz6NGXK56ruuF9ILeGHtldjQm40oYRc01ESScyVjSU0kpMO
+C7hn1B7rKAm8xxG7eH04ieQrNnbbee7atOO4C3157W5CqujfLMeo6OCRVtcYkYIuSi8hIPNySu/q
+OaEtEP4owVNZR0H6mCHy5pANsyBofMkCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+gk8pmLx8yP3RILwR5am1G10PBEowHwYDVR0jBBgwFoAUgk8pmLx8yP3RILwR5am1G10PBEowDQYJ
+KoZIhvcNAQELBQADggIBAC9iQ1huo6CzjcsB1IIw3WYPYVfHtvG7fiB49QO6cjth8fxM36YOxnMz
+K9Zh89cnFx7BeXG4MdbR3lAWO+wTbEpM/5azAQfqHB/ZEEAo1THtqS58C1bTwJ5zxkA+wL/x1ucT
+EV0QZtPHC1K5nIV5FuICiJjui5FHfj2HYu2A5a5729rdZ7sL8Vgx6TUFKpEPs5iCrlx5X/E+/wJa
+DM5iIjVvrGJJq0VWHHeDJEE+Sw1CDxWYRzvu1WvCvhk149hf4LlfrR0A5t8QJRGx0WwF10DLGgJx
+7epMBpzhMIXc529FTIx4Rx2PcufjTZC9EN7PkLgVfYahWEkt/YIfV/0F6U6viLxdNC5O0pimSV57
+vT6HIthX1OC34eZca0cPqH1kOuhRDKOhbP4yIgdYX6knpvw8aXsYcyTfAmDyrt0EWffeBPedaxMo
+xfijdlsBQUymviUQ8qBbfl1Ew9VoC+VEsiobK7Ubog0IK+82LQ7FOLMoNYnhk5wJ63i1kVvBVAgH
+64PMME2KG//BwYFfKK6jUXibabyNke72+1Jr0xpw1BHJPxNJ8Q8yCBLF0wmXmFJSM+9lSDd10Bni
+FJeMFMQ0T1Sf8GUSIxYYbMK5pDguRs+JOYkUID02ylJ3L6GAnxXCjGWzpdxw29/WWJc+qsYFEIbP
+kKzTUNQHaaLHmcLK22Ht
+-----END CERTIFICATE-----
--- a/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
+++ b/sepolicy/whitechapel/vendor/google/certs/com_qorvo_uwb.x509.pem
@ -0,0 +1,29 @@
+-----BEGIN CERTIFICATE-----
+MIIF1TCCA72gAwIBAgIVALSpAFqvtr1ntTS7YgB0Y5R6WqEtMA0GCSqGSIb3DQEBCwUAMHoxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQw
+EgYDVQQKEwtHb29nbGUgSW5jLjEQMA4GA1UECxMHQW5kcm9pZDEWMBQGA1UEAwwNY29tX3FvcnZv
+X3V3YjAgFw0yMTA1MDQwNTAyMDlaGA8yMDUxMDUwNDA1MDIwOVowejELMAkGA1UEBhMCVVMxEzAR
+BgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC0dvb2ds
+ZSBJbmMuMRAwDgYDVQQLEwdBbmRyb2lkMRYwFAYDVQQDDA1jb21fcW9ydm9fdXdiMIICIjANBgkq
+hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAyoe1/UDAyMZd5iWqaKPDKN0cCESsWBTTkuLFpzMfcTEa
+IyMORaIYriuAxvWhNzidPQvvRPyw0XQbl7GZLjXLF004G5xPTXFHIdtWv/scuC53INqTerppcHeW
+fP4hfJPbZMQNcDB9EHa2bhA0wPdfoJD4cz8T7sgQcbRirdR8KoiOVWYe5UTSdk0df2IbiMZav2DJ
+KhFql323emi4QHoDeUMAYy35mTh5vhfJ8NrCRAUwMh0zlw6LwZw/Dr8AbzDXl4Mo6Ij2pTn3/1zW
+BPNkJonvONiMvuUUDl6LnP/41qhxYSg9RBp3wBJLknmfD/hEaXxTSLdkJyF43t61sU12mDQbLu4s
+ZoiQKeKMJ0VpC56gUzkpnx3pzusq+/bAlTXf8Tfqrm7nizwR/69kntNYp8iaUJnvQQzlChc2lg2X
+QNzf6zShPptpPqJIgmWawH6DL8JPHgkpguWyz47dWHCLnTfp8miEZPrQkPKL13SCMYCwxmlNYNWG
+gUFPX5UJfnNVH4y2gPpXssROyKQKp/ArZkWb2zURrC1RUvNFADvvFt+hb2iXXVnfVeEtKAkSdhOj
+RHwXhc/EtraSMMYUeO/uhUiPmPFR0FVLxCIm6i91/xqgWhKgRN0uatornO3lSNgzk4c7b0JCncEn
+iArWJ516/nqWIvEdYjcqIBDAdSx8S1sCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU
+EGKtCMO6w0UKLbAmd/laZERZZrkwHwYDVR0jBBgwFoAUEGKtCMO6w0UKLbAmd/laZERZZrkwDQYJ
+KoZIhvcNAQELBQADggIBAIRowmuGiFeZdyDsbYi0iYISNW2HID4uLM3Pp8CEx5swlntJu1Z19R9t
+fzzY9lvcMgdbdVJYnGrHzUGUCVqbhfDH7GxP9ybg1QUqYxi6AvZU3wrRqjoUoDw7HlecNBXFZI6z
+0f2J3XSzST3kq5lCuUaEKGHkU8jVgwqVGMcz1foLGzBXQhMgIKl966c5DWoXsLToBCXrNgDokkHe
+cj9tI1ufsWrSxl5/AT0/DMjHkcBmZk78RiTcGJtSZU8YwqNIQa+U2hpDE34iy2LC6YEqMKggjCm0
+6nOBbIH0EXnrr0iBX3YJmDM8O4a9eDpI7FSjabPx9YvfQne08pNwYkExOMafibyAwt7Du0cpxNkg
+NE3xeDZ+TVr+4I10HF1gKpJ+rQsBOIYVTWLKATO4TMQxLNLY9oy2gt12PcsCdkOIThX4bAHXq1eY
+ulAxoA7Hba2xq/wnh2JH5VZIjz3yZBJXX/GyFeHkqv7wFRVrx4DjZC1s5uTdqDh6y8pfM49w9/Zp
+BKtz5B+37bC9FmM+ux39MElqx+kbsITzBDtDWa2Q8onWQR0R4WHI43n1mJSvW4cdR6Xf/a1msPXh
+NHc3XCJYq4WvlMuXWEGVka20LPJXIjiuU3sB088YpjAG1+roSn//CL8N9iDWHCRXy+UKElIbhWLz
+lHV8gmlwBAuAx9ITcTJr
+-----END CERTIFICATE-----
--- a/sepolicy/whitechapel/vendor/google/charger_vendor.te
+++ b/sepolicy/whitechapel/vendor/google/charger_vendor.te
@ -0,0 +1,10 @@
+allow charger_vendor mnt_vendor_file:dir search;
+allow charger_vendor sysfs_batteryinfo:file w_file_perms;
+allow charger_vendor persist_file:dir search;
+allow charger_vendor persist_battery_file:dir search;
+allow charger_vendor persist_battery_file:file rw_file_perms;
+allow charger_vendor sysfs_scsi_devices_0000:file r_file_perms;
+allow charger_vendor sysfs_thermal:file w_file_perms;
+allow charger_vendor sysfs_thermal:lnk_file read;
+allow charger_vendor thermal_link_device:dir search;
+set_prop(charger_vendor, vendor_battery_defender_prop)
--- a/sepolicy/whitechapel/vendor/google/chre.te
+++ b/sepolicy/whitechapel/vendor/google/chre.te
@ -0,0 +1,31 @@
+type chre, domain;
+type chre_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(chre)
+
+# Permit communication with AoC
+allow chre aoc_device:chr_file rw_file_perms;
+
+# Allow CHRE to determine AoC's current clock
+allow chre sysfs_aoc:dir search;
+allow chre sysfs_aoc_boottime:file r_file_perms;
+
+# Allow CHRE to create thread to watch AOC's device
+allow chre device:dir r_dir_perms;
+
+# Allow CHRE to use the USF low latency transport
+usf_low_latency_transport(chre)
+
+# Allow CHRE to talk to the WiFi HAL
+allow chre hal_wifi_ext:binder { call transfer };
+allow chre hal_wifi_ext_hwservice:hwservice_manager find;
+allow chre hal_wifi_ext_service:service_manager find;
+
+# Allow CHRE host to talk to stats service
+allow chre fwk_stats_service:service_manager find;
+binder_call(chre, stats_service_server)
+
+# Allow CHRE to use WakeLock
+wakelock_use(chre)
+
+# Allow CHRE to block suspend, which is required to use EPOLLWAKEUP.
+allow chre self:global_capability2_class_set block_suspend;
--- a/sepolicy/whitechapel/vendor/google/con_monitor.te
+++ b/sepolicy/whitechapel/vendor/google/con_monitor.te
@ -0,0 +1,2 @@
+allow con_monitor_app radio_vendor_data_file:dir rw_dir_perms;
+allow con_monitor_app radio_vendor_data_file:file create_file_perms;
--- a/sepolicy/whitechapel/vendor/google/device.te
+++ b/sepolicy/whitechapel/vendor/google/device.te
@ -0,0 +1,41 @@
+# Block Devices
+type efs_block_device, dev_type;
+type modem_block_device, dev_type;
+type modem_userdata_block_device, dev_type;
+type persist_block_device, dev_type;
+type mfg_data_block_device, dev_type;
+
+# Exynos devices
+type vendor_toe_device, dev_type;
+type custom_ab_block_device, dev_type;
+
+# usbpd
+type logbuffer_device, dev_type;
+
+#cpuctl
+type cpuctl_device, dev_type;
+
+# LWIS (Lightweight Imaging Subsystem) devices, used by Lyric camera HAL
+type lwis_device, dev_type;
+
+# RLS device
+type rls_device, dev_type;
+
+# sensor direct DMA-BUF heap
+type sensor_direct_heap_device, dmabuf_heap_device_type, dev_type;
+
+#faceauth DMA-BUF heaps
+type faceauth_heap_device, dmabuf_heap_device_type, dev_type;
+
+#vscaler-secure DMA-BUF heap
+type vscaler_heap_device, dmabuf_heap_device_type, dev_type;
+
+# Fingerprint device
+type fingerprint_device, dev_type;
+
+# SecureElement SPI device
+type st54spi_device, dev_type;
+type st33spi_device, dev_type;
+
+# GPS
+type vendor_gnss_device, dev_type;
--- a/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te
+++ b/sepolicy/whitechapel/vendor/google/disable-contaminant-detection-sh.te
@ -0,0 +1,7 @@
+type disable-contaminant-detection-sh, domain;
+type disable-contaminant-detection-sh_exec, vendor_file_type, exec_type, file_type;
+init_daemon_domain(disable-contaminant-detection-sh)
+
+allow disable-contaminant-detection-sh vendor_toolbox_exec:file execute_no_trans;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:dir r_dir_perms;
+allow disable-contaminant-detection-sh sysfs_batteryinfo:file rw_file_perms;
--- a/sepolicy/whitechapel/vendor/google/dmd.te
+++ b/sepolicy/whitechapel/vendor/google/dmd.te
@ -0,0 +1,5 @@
+allow dmd hidl_base_hwservice:hwservice_manager add;
+allow dmd hal_vendor_oem_hwservice:hwservice_manager { add find };
+binder_call(dmd, modem_diagnostic_app)
+binder_call(dmd, modem_logging_control)
+binder_call(dmd, vendor_telephony_app)
--- a/sepolicy/whitechapel/vendor/google/domain.te
+++ b/sepolicy/whitechapel/vendor/google/domain.te
@ -0,0 +1,6 @@
+allow {domain -appdomain -rs} proc_vendor_sched:dir r_dir_perms;
+allow {domain -appdomain -rs} proc_vendor_sched:file w_file_perms;
+
+# Mali
+get_prop(domain, vendor_arm_runtime_option_prop)
+
--- a/sepolicy/whitechapel/vendor/google/dump_gs101.te
+++ b/sepolicy/whitechapel/vendor/google/dump_gs101.te
@ -0,0 +1,32 @@
+pixel_bugreport(dump_gs101)
+allow dump_gs101 sysfs_pixel_stat:dir r_dir_perms;
+allow dump_gs101 sysfs_pixel_stat:file r_file_perms;
+allow dump_gs101 vendor_toolbox_exec:file execute_no_trans;
+allow dump_gs101 vendor_camera_data_file:dir r_dir_perms;
+allow dump_gs101 vendor_camera_data_file:file r_file_perms;
+allow dump_gs101 sysfs_acpm_stats:dir r_dir_perms;
+allow dump_gs101 sysfs_acpm_stats:file r_file_perms;
+allow dump_gs101 sysfs_batteryinfo:dir r_dir_perms;
+allow dump_gs101 sysfs_bcl:dir r_dir_perms;
+allow dump_gs101 sysfs_bcl:file r_file_perms;
+allow dump_gs101 sysfs_cpu:file r_file_perms;
+allow dump_gs101 logbuffer_device:chr_file r_file_perms;
+allow dump_gs101 sysfs_batteryinfo:file r_file_perms;
+allow dump_gs101 sysfs:dir r_dir_perms;
+allow dump_gs101 sysfs_wlc:dir r_dir_perms;
+allow dump_gs101 sysfs_wlc:file r_file_perms;
+userdebug_or_eng(`
+  allow dump_gs101 vendor_battery_debugfs:dir r_dir_perms;
+  allow dump_gs101 vendor_battery_debugfs:file r_file_perms;
+  allow dump_gs101 vendor_charger_debugfs:dir r_dir_perms;
+  allow dump_gs101 vendor_charger_debugfs:file r_file_perms;
+  allow dump_gs101 vendor_pm_genpd_debugfs:file r_file_perms;
+  allow dump_gs101 vendor_usb_debugfs:dir r_dir_perms;
+  allow dump_gs101 vendor_usb_debugfs:file r_file_perms;
+  allow dump_gs101 debugfs:dir r_dir_perms;
+  allow dump_gs101 vendor_maxfg_debugfs:dir r_dir_perms;
+  allow dump_gs101 vendor_maxfg_debugfs:file r_file_perms;
+  allow dump_gs101 vendor_votable_debugfs:dir r_dir_perms;
+  allow dump_gs101 vendor_votable_debugfs:file r_file_perms;
+')
+
--- a/sepolicy/whitechapel/vendor/google/dumpstate.te
+++ b/sepolicy/whitechapel/vendor/google/dumpstate.te
@ -0,0 +1,16 @@
+dump_hal(hal_telephony)
+dump_hal(hal_graphics_composer)
+dump_hal(hal_uwb_vendor)
+
+userdebug_or_eng(`
+  allow dumpstate media_rw_data_file:file append;
+')
+
+allow dumpstate sysfs_scsi_devices_0000:file r_file_perms;
+allow dumpstate persist_file:dir r_dir_perms;
+
+allow dumpstate modem_efs_file:dir getattr;
+allow dumpstate modem_img_file:dir getattr;
+allow dumpstate modem_userdata_file:dir getattr;
+allow dumpstate fuse:dir search;
+allow dumpstate rlsservice:binder call;
--- a/sepolicy/whitechapel/vendor/google/e2fs.te
+++ b/sepolicy/whitechapel/vendor/google/e2fs.te
@ -0,0 +1,8 @@
+allow e2fs persist_block_device:blk_file rw_file_perms;
+allow e2fs efs_block_device:blk_file rw_file_perms;
+allow e2fs modem_userdata_block_device:blk_file rw_file_perms;
+allowxperm e2fs { persist_block_device efs_block_device modem_userdata_block_device }:blk_file ioctl {
+  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
+};
+allow e2fs sysfs_scsi_devices_0000:dir r_dir_perms;
+allow e2fs sysfs_scsi_devices_0000:file r_file_perms;
--- a/sepolicy/whitechapel/vendor/google/euiccpixel_app.te
+++ b/sepolicy/whitechapel/vendor/google/euiccpixel_app.te
@ -0,0 +1,28 @@
+# EuiccSupportPixel app
+
+type euiccpixel_app, domain;
+app_domain(euiccpixel_app)
+
+allow euiccpixel_app app_api_service:service_manager find;
+allow euiccpixel_app radio_service:service_manager find;
+allow euiccpixel_app nfc_service:service_manager find;
+allow euiccpixel_app surfaceflinger_service:service_manager find;
+
+set_prop(euiccpixel_app, vendor_secure_element_prop)
+set_prop(euiccpixel_app, vendor_modem_prop)
+get_prop(euiccpixel_app, dck_prop)
+
+userdebug_or_eng(`
+    net_domain(euiccpixel_app)
+
+    # Access to directly upgrade firmware on st54spi_device used for engineering devices
+    typeattribute st54spi_device mlstrustedobject;
+    allow euiccpixel_app st54spi_device:chr_file rw_file_perms;
+    # Access to directly upgrade firmware on st33spi_device used for engineering devices
+    typeattribute st33spi_device mlstrustedobject;
+    allow euiccpixel_app st33spi_device:chr_file rw_file_perms;
+
+    allow euiccpixel_app sysfs_st33spi:dir search;
+    allow euiccpixel_app sysfs_st33spi:file rw_file_perms;
+')
+
--- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/dumpstate.te
@ -0,0 +1,2 @@
+# For collecting bugreports.
+dump_hal(hal_camera)
--- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/exo_app.te
@ -0,0 +1,3 @@
+# Allow exo app to find and bind exo camera injection hal.
+allow exo_app hal_exo_camera_injection_hwservice:hwservice_manager find;
+binder_call(exo_app, hal_exo_camera_injection)
--- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/file_contexts
@ -0,0 +1 @@
+/vendor/bin/hw/vendor\.google\.exo_camera_injection@1\.1-service  u:object_r:hal_exo_camera_injection_exec:s0
--- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hal_exo_camera_injection.te
@ -0,0 +1,10 @@
+# TODO(b/180558115): It will moved to pixel-sepolicy after pixel 6 launches.
+type hal_exo_camera_injection, domain;
+hal_server_domain(hal_exo_camera_injection, hal_camera)
+
+type hal_exo_camera_injection_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_exo_camera_injection)
+
+hwbinder_use(hal_exo_camera_injection)
+add_hwservice(hal_exo_camera_injection, hal_exo_camera_injection_hwservice)
+allow hal_exo_camera_injection hal_graphics_mapper_hwservice:hwservice_manager find;
--- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice.te
@ -0,0 +1 @@
+type hal_exo_camera_injection_hwservice, hwservice_manager_type;
--- a/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
+++ b/sepolicy/whitechapel/vendor/google/exo_camera_injection/hwservice_contexts
@ -0,0 +1 @@
+vendor.google.exo_camera_injection::IExoCameraInjection         u:object_r:hal_exo_camera_injection_hwservice:s0
--- a/sepolicy/whitechapel/vendor/google/fastbootd.te
+++ b/sepolicy/whitechapel/vendor/google/fastbootd.te
@ -0,0 +1,8 @@
+# Required by the bootcontrol HAL for the 'set_active' command.
+recovery_only(`
+allow fastbootd st54spi_device:chr_file rw_file_perms;
+allow fastbootd devinfo_block_device:blk_file rw_file_perms;
+allow fastbootd sda_block_device:blk_file rw_file_perms;
+allow fastbootd sysfs_ota:file rw_file_perms;
+allow fastbootd custom_ab_block_device:blk_file rw_file_perms;
+')
--- a/sepolicy/whitechapel/vendor/google/file.te
+++ b/sepolicy/whitechapel/vendor/google/file.te
@ -0,0 +1,167 @@
+# Exynos Data Files
+#type vendor_data_file, file_type, data_file_type;
+type vendor_cbd_boot_file, file_type, data_file_type;
+
+# Exynos Log Files
+type vendor_log_file, file_type, data_file_type;
+type vendor_cbd_log_file, file_type, data_file_type;
+type vendor_dmd_log_file, file_type, data_file_type;
+type vendor_rfsd_log_file, file_type, data_file_type;
+type vendor_dump_log_file, file_type, data_file_type;
+type vendor_rild_log_file, file_type, data_file_type;
+type vendor_sced_log_file, file_type, data_file_type;
+type vendor_telephony_log_file, file_type, data_file_type;
+
+# app data files
+type vendor_test_data_file, file_type, data_file_type;
+type vendor_telephony_data_file, file_type, data_file_type;
+type vendor_ims_data_file, file_type, data_file_type;
+type vendor_misc_data_file, file_type, data_file_type;
+type vendor_rpmbmock_data_file, file_type, data_file_type;
+
+# Exynos debugfs
+type vendor_ion_debugfs, fs_type, debugfs_type;
+type vendor_mali_debugfs, fs_type, debugfs_type;
+type vendor_pm_genpd_debugfs, fs_type, debugfs_type;
+type vendor_regmap_debugfs, fs_type, debugfs_type;
+type vendor_usb_debugfs, fs_type, debugfs_type;
+type vendor_maxfg_debugfs, fs_type, debugfs_type;
+type vendor_charger_debugfs, fs_type, debugfs_type;
+type vendor_votable_debugfs, fs_type, debugfs_type;
+type vendor_battery_debugfs, fs_type, debugfs_type;
+
+# Exynos Firmware
+type vendor_fw_file, vendor_file_type, file_type;
+
+# ACPM
+type sysfs_acpm_stats, sysfs_type, fs_type;
+
+# Vendor tools
+type vendor_dumpsys, vendor_file_type, file_type;
+
+# Sensors
+type nanohub_lock_file, file_type, data_file_type;
+type sensor_vendor_data_file, file_type, data_file_type, mlstrustedobject;
+type sensors_cal_file, file_type;
+type sysfs_nanoapp_cmd, sysfs_type, fs_type;
+
+# Fingerprint
+type sysfs_fingerprint, sysfs_type, fs_type;
+
+# CHRE
+type chre_data_file, file_type, data_file_type;
+type chre_socket, file_type;
+
+# BT
+type vendor_bt_data_file, file_type, data_file_type;
+
+# IOMMU
+type sysfs_iommu, sysfs_type, fs_type;
+
+type sysfs_devicetree, sysfs_type, fs_type;
+type sysfs_mem, sysfs_type, fs_type;
+
+# WiFi
+type sysfs_wifi, sysfs_type, fs_type;
+
+# All files under /data/vendor/firmware/wifi
+type updated_wifi_firmware_data_file, file_type, data_file_type;
+
+# Widevine DRM
+type mediadrm_vendor_data_file, file_type, data_file_type;
+
+# Storage Health HAL
+type proc_f2fs, proc_type, fs_type;
+
+type bootdevice_sysdev, dev_type;
+
+# ZRam
+type per_boot_file, file_type, data_file_type, core_data_file_type;
+
+# RILD
+type rild_vendor_data_file, file_type, data_file_type;
+
+# Modem
+type modem_stat_data_file, file_type, data_file_type;
+type modem_efs_file, file_type;
+type modem_userdata_file, file_type;
+type sysfs_modem, sysfs_type, fs_type;
+type persist_modem_file, file_type, vendor_persist_type;
+
+
+type modem_img_file, contextmount_type, file_type, vendor_file_type;
+allow modem_img_file self:filesystem associate;
+
+# Pca
+type sysfs_pca, sysfs_type, fs_type;
+
+# Camera
+type persist_camera_file, file_type;
+type vendor_camera_tuning_file, vendor_file_type, file_type;
+type sysfs_camera, sysfs_type, fs_type;
+
+# GPS
+type vendor_gps_file, file_type, data_file_type;
+userdebug_or_eng(`
+    typeattribute vendor_gps_file mlstrustedobject;
+')
+
+# Backlight
+type sysfs_backlight, sysfs_type, fs_type;
+
+# Charger
+type sysfs_chargelevel, sysfs_type, fs_type;
+
+# ODPM
+type powerstats_vendor_data_file, file_type, data_file_type;
+type sysfs_odpm, sysfs_type, fs_type;
+
+# bcl
+type sysfs_bcl, sysfs_type, fs_type;
+
+# Chosen
+type sysfs_chosen, sysfs_type, fs_type;
+
+# Battery
+type persist_battery_file, file_type, vendor_persist_type;
+
+# Fabric
+type sysfs_fabric, sysfs_type, fs_type;
+
+# Memory
+type sysfs_memory, sysfs_type, fs_type;
+
+# bcmdhd (Broadcom FullMAC wireless cards support)
+type sysfs_bcmdhd, sysfs_type, fs_type;
+
+# UWB vendor
+type uwb_vendor_data_file, file_type, data_file_type, app_data_file_type;
+type persist_uwb_file, file_type, vendor_persist_type;
+type uwb_data_vendor, file_type, data_file_type;
+
+# WLC FW
+type vendor_wlc_fwupdata_file, vendor_file_type, file_type;
+
+#USB-C throttling stats
+type sysfs_usbc_throttling_stats, sysfs_type, fs_type;
+
+# SJTAG
+type sysfs_sjtag, fs_type, sysfs_type;
+userdebug_or_eng(`
+    typeattribute sysfs_sjtag mlstrustedobject;
+')
+
+# SecureElement
+type sysfs_st33spi, sysfs_type, fs_type;
+userdebug_or_eng(`
+    typeattribute sysfs_st33spi mlstrustedobject;
+')
+
+# Trusty
+type sysfs_trusty, sysfs_type, fs_type;
+
+# BootControl
+type sysfs_bootctl, sysfs_type, fs_type;
+
+# WLC
+type sysfs_wlc, sysfs_type, fs_type;
--- a/sepolicy/whitechapel/vendor/google/file_contexts
+++ b/sepolicy/whitechapel/vendor/google/file_contexts
@ -0,0 +1,377 @@
+#
+# Exynos HAL
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm(@[0-9]+\.[0-9]+)?-service\.widevine       u:object_r:hal_drm_widevine_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.drm@[0-9]+\.[0-9]+-service\.clearkey          u:object_r:hal_drm_clearkey_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb@1\.0-service32                            u:object_r:hal_usb_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.ExynosHWCServiceTW@1\.0-service  u:object_r:hal_vendor_hwcservice_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.power@1\.0-service               u:object_r:hal_power_default_exec:s0
+/(vendor|system/vendor)/bin/hw/vendor\.samsung_slsi\.hardware\.configstore@1\.0-service         u:object_r:hal_configstore_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb-service\.gs101                            u:object_r:hal_usb_impl_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.usb\.gadget-service\.gs101                    u:object_r:hal_usb_gadget_impl_exec:s0
+/(vendor|system/vendor)/lib(64)?/libion_exynos\.so                                              u:object_r:same_process_hal_file:s0
+
+/(vendor|system/vendor)/lib(64)?/libOpenCL\.so                                                  u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libOpenCL-pixel\.so                                            u:object_r:same_process_hal_file:s0
+/(vendor|system/vendor)/lib(64)?/libgpudataproducer\.so                                         u:object_r:same_process_hal_file:s0
+
+/vendor/bin/dumpsys                                                                             u:object_r:vendor_dumpsys:s0
+/vendor/bin/dump/dump_gs101.sh                                                                  u:object_r:dump_gs101_exec:s0
+
+#
+# HALs
+#
+/(vendor|system/vendor)/bin/hw/android\.hardware\.dumpstate-service\.gs101                      u:object_r:hal_dumpstate_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.power\.stats@1\.0-service\.gs101              u:object_r:hal_power_stats_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.memtrack-service\.pixel                       u:object_r:hal_memtrack_default_exec:s0
+
+# Wireless charger HAL
+/(vendor|system/vendor)/bin/hw/vendor\.google\.wireless_charger@1\.3-service-vendor             u:object_r:hal_wlc_exec:s0
+
+# Vendor Firmwares
+/(vendor|system/vendor)/firmware(/.*)?                        u:object_r:vendor_fw_file:s0
+
+# Gralloc
+/(vendor|system/vendor)/lib(64)?/hw/mapper\.pixel\.so         u:object_r:same_process_hal_file:s0
+
+#
+# Exynos Block Devices
+#
+/dev/block/platform/14700000\.ufs/by-name/cache               u:object_r:cache_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs                 u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/efs_backup          u:object_r:efs_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_userdata      u:object_r:modem_userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem_[ab]          u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/modem               u:object_r:modem_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/persist             u:object_r:persist_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/system              u:object_r:system_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/userdata            u:object_r:userdata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/frp                 u:object_r:frp_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/misc                u:object_r:misc_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/devinfo             u:object_r:devinfo_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/abl_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/acpm_test_[ab]      u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl1_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl2_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/bl31_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/boot_[ab]           u:object_r:boot_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dram_train_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtb_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/dtbo_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ect_test_[ab]       u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/gsa_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/hypervisor_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/keystorage_[ab]     u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/ldfw_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/metadata            u:object_r:metadata_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pbl_[ab]            u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/pvmfw_[ab]          u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/reclaim_[ab]        u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/super               u:object_r:super_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/tzsw_[ab]           u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_[ab]         u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_system_[ab]  u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vbmeta_vendor_[ab]  u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/vendor_boot_[ab]    u:object_r:custom_ab_block_device:s0
+/dev/block/platform/14700000\.ufs/by-name/mfg_data            u:object_r:mfg_data_block_device:s0
+/dev/block/sda                                                u:object_r:sda_block_device:s0
+/dev/sys/block/bootdevice(/.*)?                               u:object_r:bootdevice_sysdev:s0
+
+#
+# Exynos Devices
+#
+/dev/gnss_ipc                  u:object_r:vendor_gnss_device:s0
+/dev/bbd_pwrstat               u:object_r:power_stats_device:s0
+/dev/radio0                    u:object_r:radio_device:s0
+/dev/dri/card0                 u:object_r:graphics_device:s0
+/dev/fimg2d                    u:object_r:graphics_device:s0
+/dev/g2d                       u:object_r:graphics_device:s0
+/dev/tsmux                     u:object_r:video_device:s0
+/dev/repeater                  u:object_r:video_device:s0
+/dev/scsc_h4_0                 u:object_r:radio_device:s0
+/dev/umts_boot0                u:object_r:radio_device:s0
+/dev/logbuffer_tcpm            u:object_r:logbuffer_device:s0
+/dev/logbuffer_usbpd           u:object_r:logbuffer_device:s0
+/dev/logbuffer_pogo_transport  u:object_r:logbuffer_device:s0
+/dev/logbuffer_ssoc            u:object_r:logbuffer_device:s0
+/dev/logbuffer_wireless        u:object_r:logbuffer_device:s0
+/dev/logbuffer_ttf             u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxq            u:object_r:logbuffer_device:s0
+/dev/logbuffer_rtx             u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg           u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base      u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip      u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468_tcpm    u:object_r:logbuffer_device:s0
+/dev/logbuffer_pca9468         u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpm             u:object_r:logbuffer_device:s0
+/dev/logbuffer_bd              u:object_r:logbuffer_device:s0
+/dev/logbuffer_cpif            u:object_r:logbuffer_device:s0
+
+/dev/logbuffer_maxfg_monitor        u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_base_monitor   u:object_r:logbuffer_device:s0
+/dev/logbuffer_maxfg_flip_monitor   u:object_r:logbuffer_device:s0
+
+# DM tools device
+/dev/umts_dm0                  u:object_r:radio_device:s0
+/dev/umts_router               u:object_r:radio_device:s0
+
+# EdgeTPU device (DarwiNN)
+/dev/abrolhos                  u:object_r:edgetpu_device:s0
+
+# OEM IPC device
+/dev/oem_ipc[0-7]              u:object_r:radio_device:s0
+
+# SIPC RIL device
+/dev/umts_ipc0                 u:object_r:radio_device:s0
+/dev/umts_ipc1                 u:object_r:radio_device:s0
+/dev/umts_rfs0                 u:object_r:radio_device:s0
+/dev/ttyGS[0-3]                u:object_r:serial_device:s0
+/dev/watchdog0                 u:object_r:watchdog_device:s0
+
+# GPU device
+/dev/mali0                     u:object_r:gpu_device:s0
+
+#
+# Exynos Daemon Exec
+#
+/(vendor|system/vendor)/bin/cbd                u:object_r:cbd_exec:s0
+/(vendor|system/vendor)/bin/hw/rild_exynos     u:object_r:rild_exec:s0
+/(vendor|system/vendor)/bin/rfsd               u:object_r:rfsd_exec:s0
+/(vendor|system/vendor)/bin/sced               u:object_r:sced_exec:s0
+/(vendor|system/vendor)/bin/bipchmgr           u:object_r:bipchmgr_exec:s0
+
+#
+# Exynos Log Files
+#
+/data/vendor/log(/.*)?       u:object_r:vendor_log_file:s0
+/data/vendor/log/cbd(/.*)?   u:object_r:vendor_cbd_log_file:s0
+/data/vendor/log/dmd(/.*)?   u:object_r:vendor_dmd_log_file:s0
+/data/vendor/log/rfsd(/.*)?  u:object_r:vendor_rfsd_log_file:s0
+/data/vendor/log/dump(/.*)?  u:object_r:vendor_dump_log_file:s0
+/data/vendor/log/rild(/.*)?  u:object_r:vendor_rild_log_file:s0
+/data/vendor/log/sced(/.*)?  u:object_r:vendor_sced_log_file:s0
+
+/persist/sensorcal\.json     u:object_r:sensors_cal_file:s0
+
+# data files
+/data/vendor/mediadrm(/.*)?  u:object_r:mediadrm_vendor_data_file:s0
+/data/vendor/bluetooth(/.*)? u:object_r:vendor_bt_data_file:s0
+
+# Camera
+/vendor/bin/hw/android\.hardware\.camera\.provider@2\.7-service-google  u:object_r:hal_camera_default_exec:s0
+/vendor/lib64/camera                                                    u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/ghawb_para_lut\.bin                                u:object_r:vendor_camera_tuning_file:s0
+/vendor/lib64/camera/slider_.*\.binarypb                                u:object_r:vendor_camera_tuning_file:s0
+/vendor/bin/rlsservice                                                  u:object_r:rlsservice_exec:s0
+/mnt/vendor/persist/camera(/.*)?                                        u:object_r:persist_camera_file:s0
+/vendor/lib(64)?/lib_aion_buffer\.so                                    u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libGralloc4Wrapper\.so                                 u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/pixel-power-ext-V1-ndk\.so                             u:object_r:same_process_hal_file:s0
+
+/dev/stmvl53l1_ranging                                                  u:object_r:rls_device:s0
+
+/dev/lwis-act0                                                          u:object_r:lwis_device:s0
+/dev/lwis-act1                                                          u:object_r:lwis_device:s0
+/dev/lwis-act-ak7377                                                    u:object_r:lwis_device:s0
+/dev/lwis-act-lc898129                                                  u:object_r:lwis_device:s0
+/dev/lwis-act-sem1215sa                                                 u:object_r:lwis_device:s0
+/dev/lwis-csi                                                           u:object_r:lwis_device:s0
+/dev/lwis-dpm                                                           u:object_r:lwis_device:s0
+/dev/lwis-eeprom0                                                       u:object_r:lwis_device:s0
+/dev/lwis-eeprom1                                                       u:object_r:lwis_device:s0
+/dev/lwis-eeprom2                                                       u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898128                                               u:object_r:lwis_device:s0
+/dev/lwis-eeprom-lc898129                                               u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s                                                u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-imx355-inner                                   u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-imx355-outer                                   u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-rear                                           u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64s-front                                          u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x                                                u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx386                                         u:object_r:lwis_device:s0
+/dev/lwis-eeprom-m24c64x-imx663                                         u:object_r:lwis_device:s0
+/dev/lwis-eeprom-sem1215sa                                              u:object_r:lwis_device:s0
+/dev/lwis-flash0                                                        u:object_r:lwis_device:s0
+/dev/lwis-flash-lm3644                                                  u:object_r:lwis_device:s0
+/dev/lwis-g3aa                                                          u:object_r:lwis_device:s0
+/dev/lwis-gdc0                                                          u:object_r:lwis_device:s0
+/dev/lwis-gdc1                                                          u:object_r:lwis_device:s0
+/dev/lwis-gtnr-align                                                    u:object_r:lwis_device:s0
+/dev/lwis-gtnr-merge                                                    u:object_r:lwis_device:s0
+/dev/lwis-ipp                                                           u:object_r:lwis_device:s0
+/dev/lwis-itp                                                           u:object_r:lwis_device:s0
+/dev/lwis-mcsc                                                          u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898128                                                  u:object_r:lwis_device:s0
+/dev/lwis-ois-lc898129                                                  u:object_r:lwis_device:s0
+/dev/lwis-ois-sem1215sa                                                 u:object_r:lwis_device:s0
+/dev/lwis-pdp                                                           u:object_r:lwis_device:s0
+/dev/lwis-scsc                                                          u:object_r:lwis_device:s0
+/dev/lwis-sensor0                                                       u:object_r:lwis_device:s0
+/dev/lwis-sensor1                                                       u:object_r:lwis_device:s0
+/dev/lwis-sensor2                                                       u:object_r:lwis_device:s0
+/dev/lwis-sensor-gn1                                                    u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-inner                                           u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-outer                                           u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-rear                                            u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx355-front                                           u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx363                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx386                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx471                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx586                                                 u:object_r:lwis_device:s0
+/dev/lwis-sensor-imx663                                                 u:object_r:lwis_device:s0
+/dev/lwis-slc                                                           u:object_r:lwis_device:s0
+/dev/lwis-top                                                           u:object_r:lwis_device:s0
+/dev/lwis-votf                                                          u:object_r:lwis_device:s0
+
+# VIDEO
+/vendor/bin/hw/google\.hardware\.media\.c2@1\.0-service                 u:object_r:mediacodec_exec:s0
+
+# IMS VoWiFi
+/data/vendor/misc(/.*)?                u:object_r:vendor_misc_data_file:s0
+/data/vendor/VoWiFi(/.*)?              u:object_r:vendor_ims_data_file:s0
+
+# Sensors
+/data/vendor/sensor(/.*)?              u:object_r:sensor_vendor_data_file:s0
+
+# Contexthub
+/(vendor|system/vendor)/bin/chre                                            u:object_r:chre_exec:s0
+/dev/socket/chre                                                            u:object_r:chre_socket:s0
+/data/vendor/chre(/.*)?                                                     u:object_r:chre_data_file:s0
+
+# Modem logging
+/vendor/bin/modem_logging_control   u:object_r:modem_logging_control_exec:s0
+
+# TCP logging
+/vendor/bin/tcpdump_logger          u:object_r:tcpdump_logger_exec:s0
+
+# modem_svc_sit files
+/vendor/bin/modem_svc_sit           u:object_r:modem_svc_sit_exec:s0
+/data/vendor/modem_stat(/.*)?       u:object_r:modem_stat_data_file:s0
+
+# modem mnt files
+/mnt/vendor/efs(/.*)?                                         u:object_r:modem_efs_file:s0
+/mnt/vendor/efs_backup(/.*)?                                  u:object_r:modem_efs_file:s0
+/mnt/vendor/modem_img(/.*)?                                   u:object_r:modem_img_file:s0
+/mnt/vendor/modem_userdata(/.*)?                              u:object_r:modem_userdata_file:s0
+/mnt/vendor/persist/modem(/.*)?                               u:object_r:persist_modem_file:s0
+
+# Kernel modules related
+/vendor/bin/init\.display\.sh   u:object_r:init-display-sh_exec:s0
+
+# USB
+/vendor/bin/hw/disable_contaminant_detection\.sh  u:object_r:disable-contaminant-detection-sh_exec:s0
+
+# NFC
+/(vendor|system/vendor)/bin/hw/android\.hardware\.nfc-service\.st                     u:object_r:hal_nfc_default_exec:s0
+/dev/st21nfc                                                                          u:object_r:nfc_device:s0
+/data/nfc(/.*)?                                                                       u:object_r:nfc_data_file:s0
+
+# SecureElement
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto     u:object_r:hal_secure_element_st54spi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-service-gto-ese2    u:object_r:hal_secure_element_st33spi_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.2-uicc-service    u:object_r:hal_secure_element_default_exec:s0
+/dev/st54spi                                                                          u:object_r:st54spi_device:s0
+/dev/st33spi                                                                          u:object_r:st33spi_device:s0
+
+# Bluetooth
+/dev/logbuffer_btlpm                u:object_r:logbuffer_device:s0
+/dev/logbuffer_tty16                u:object_r:logbuffer_device:s0
+
+# Trusty
+/vendor/bin/storageproxyd            u:object_r:tee_exec:s0
+/vendor/bin/trusty_apploader         u:object_r:trusty_apploader_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service\.trusty                u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.gatekeeper-service\.trusty                     u:object_r:hal_gatekeeper_default_exec:s0
+/vendor/bin/hw/android\.hardware\.keymaster@4\.0-service\.trusty                 u:object_r:hal_keymaster_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.trusty              u:object_r:hal_keymint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.security\.secretkeeper\.trusty                 u:object_r:hal_secretkeeper_default_exec:s0
+/dev/trusty-ipc-dev0                 u:object_r:tee_device:s0
+/data/vendor/ss(/.*)?                u:object_r:tee_data_file:s0
+/mnt/vendor/persist/ss(/.*)?         u:object_r:persist_ss_file:s0
+
+# Battery
+/mnt/vendor/persist/battery(/.*)?    u:object_r:persist_battery_file:s0
+
+# GRIL
+/vendor/bin/hw/vendor\.google\.radioext@1\.0-service                 u:object_r:hal_radioext_default_exec:s0
+
+# Uwb
+# R4
+/vendor/bin/hw/android\.hardware\.qorvo\.uwb\.service                u:object_r:hal_uwb_vendor_default_exec:s0
+/vendor/bin/init\.uwb\.calib\.sh                                     u:object_r:vendor_uwb_init_exec:s0
+/mnt/vendor/persist/uwb(/.*)?                                        u:object_r:persist_uwb_file:s0
+/data/vendor/uwb(/.*)?                                               u:object_r:uwb_data_vendor:s0
+
+# RILD files
+/data/vendor/rild(/.*)?                                                     u:object_r:rild_vendor_data_file:s0
+
+# Tetheroffload Service
+/dev/dit2                      u:object_r:vendor_toe_device:s0
+/vendor/bin/hw/vendor\.samsung_slsi\.hardware\.tetheroffload@1\.[0-9]-service     u:object_r:hal_tetheroffload_default_exec:s0
+
+# battery history
+/dev/battery_history                                                                  u:object_r:battery_history_device:s0
+
+# Display
+/vendor/lib(64)?/libion_google\.so                                               u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/libdrm\.so                                                      u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/gralloc\.gs101\.so                                           u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/hw/vulkan\.mali\.so                                             u:object_r:same_process_hal_file:s0
+/vendor/lib(64)?/arm\.graphics-V1-ndk\.so                                        u:object_r:same_process_hal_file:s0
+
+# Fingerprint
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.goodix        u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.goodix             u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint@2\.1-service\.fpc           u:object_r:hal_fingerprint_default_exec:s0
+/vendor/bin/hw/android\.hardware\.biometrics\.fingerprint-service\.fpc                u:object_r:hal_fingerprint_default_exec:s0
+
+# Zram
+/data/per_boot(/.*)?                                                          u:object_r:per_boot_file:s0
+
+# cpuctl
+/dev/cpuctl(/.*)?	                                                      u:object_r:cpuctl_device:s0
+
+# ODPM
+/data/vendor/powerstats(/.*)?                                              u:object_r:powerstats_vendor_data_file:s0
+
+# sensor direct DMA-BUF heap
+/dev/dma_heap/sensor_direct_heap                                               u:object_r:sensor_direct_heap_device:s0
+
+# Console
+/dev/ttySAC0                                                                   u:object_r:tty_device:s0
+
+# faceauth DMA-BUF heaps
+/dev/dma_heap/faceauth_tpu-secure                                              u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faimg-secure                                                     u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/famodel-secure                                                   u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/faprev-secure                                                    u:object_r:faceauth_heap_device:s0
+/dev/dma_heap/farawimg-secure                                                  u:object_r:faceauth_heap_device:s0
+
+# vframe-secure DMA-BUF heap
+/dev/dma_heap/vframe-secure                                                    u:object_r:dmabuf_system_secure_heap_device:s0
+
+# vscaler-secure DMA-BUF heap
+/dev/dma_heap/vscaler-secure                                                   u:object_r:vscaler_heap_device:s0
+
+# vstream-secure DMA-BUF heap
+/dev/dma_heap/vstream-secure                                                   u:object_r:dmabuf_system_secure_heap_device:s0
+
+# BigOcean
+/dev/bigocean                                                                  u:object_r:video_device:s0
+
+# Fingerprint
+/dev/goodix_fp                                                                 u:object_r:fingerprint_device:s0
+/data/vendor/fingerprint(/.*)?                                                 u:object_r:fingerprint_vendor_data_file:s0
+
+# Wifi Firmware config update
+/data/vendor/firmware/wifi(/.*)?                                               u:object_r:updated_wifi_firmware_data_file:s0
+
+# WLC FW update
+/vendor/bin/wlc_upt/p9412_mtp            u:object_r:vendor_wlc_fwupdata_file:s0
+/vendor/bin/wlc_upt/wlc_fw_update\.sh    u:object_r:wlcfwupdate_exec:s0
+
+# Statsd service to support EdgeTPU metrics logging service.
+/vendor/lib64/android\.frameworks\.stats-V1-ndk\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/vendor-pixelatoms-cpp\.so u:object_r:same_process_hal_file:s0
+/vendor/lib64/libprotobuf-cpp-lite-(\d+\.){2,3}so u:object_r:same_process_hal_file:s0
--- a/sepolicy/whitechapel/vendor/google/fsck.te
+++ b/sepolicy/whitechapel/vendor/google/fsck.te
@ -0,0 +1,5 @@
+allow fsck persist_block_device:blk_file rw_file_perms;
+allow fsck efs_block_device:blk_file rw_file_perms;
+allow fsck modem_userdata_block_device:blk_file rw_file_perms;
+allow fsck sysfs_scsi_devices_0000:dir r_dir_perms;
+allow fsck sysfs_scsi_devices_0000:file r_file_perms;
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`type persist_display_file, file_type, vendor_persist_type;`
				`@ -0,0 +1 @@`
				`/mnt/vendor/persist/display(/.*)? u:object_r:persist_display_file:s0`
				`@ -0,0 +1 @@`
				`/vendor/bin/hw/android\.hardware\.health-service\.gs101 u:object_r:hal_health_default_exec:s0`
				`@ -0,0 +1 @@`
				`type vendor_slog_file, file_type, data_file_type, mlstrustedobject;`
				`@ -0,0 +1 @@`
				`allow grilservice_app hal_bluetooth_coexistence_service:service_manager find;`
				`@ -0,0 +1 @@`
				`/vendor/bin/pkvm_enabler u:object_r:vendor_misc_writer_exec:s0`
				`@ -0,0 +1 @@`
				`telephony.oem.oemrilhook u:object_r:radio_service:s0`
				`@ -0,0 +1 @@`
				`allow vendor_cccdktimesync_app hal_bluetooth_coexistence_service:service_manager find;`
				`@ -0,0 +1 @@`
				`/vendor/bin/trusty_metricsd u:object_r:trusty_metricsd_exec:s0`
				`@ -0,0 +1 @@`
				`allow bootdevice_sysdev sysfs:filesystem associate;`